[meta] All extensions disabled due to expiration of intermediate signing cert
Categories: Toolkit :: Add-ons Manager, defect, P1, blocker
People: Reporter: braiamp, Unassigned
Details: Keywords: dogfood, meta; Whiteboard: cert2019
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce:
Wait until it's past midnight on 2019-05-04 UTC.
Actual results:
All addons got disabled due to not having a valid signature.
Expected results:
If the signature was due to expire, it should have been renewed weeks ago. Not all extensions were disabled. Fakespot and Google Scholar Button were left in their disabled state.
Some reports on reddit [1] say that they had their clocks a day forward, but they may be just early canaries for the actual widespread issue.
Going backwards in time allows installation from AMO but does not remove the unsupported mark from the add-ons already installed.
List of affected add-ons:
Activate Reader View 0.1.0 true @activatereaderview
Netflix 1080p 1.8 true {89d04aec-e93f-4f56-b77c-f2295051c13e}
Amazon Assistant for Firefox 10.1904.10.11834 false abb@amazon.com
Amazon SMILE! 1.4.5 false {1417a6e0-be73-4358-912c-5dce719b5791}
CanvasBlocker 0.5.8 false CanvasBlocker@kkapsner.de
Check4Change 2.2.3 false check4change-owner@mozdev.org
Facebook Container 1.6.5 false @contain-facebook
Fakespot - Analyze Fake Amazon Reviews 0.3.1 false contact@fakespot.com
Firefox Multi-Account Containers 6.1.0 false @testpilot-containers
Ghostery – Privacy Ad Blocker 8.3.3 false firefox@ghostery.com
Google Scholar Button 2.0 false button@scholar.google.com
Greasemonkey 4.7 false {e4a8a97b-f2ed-450b-b12d-ee082ba24781}
Honey 11.1.0 false jid1-93CWPmRbVPjRQA@jetpack
HTTPS Everywhere 2019.5.2.1 false https-everywhere@eff.org
InvisibleHand 6.6 false canitbecheaper@trafficbroker.co.uk
Kee - Password Manager 3.1.21 false keefox@chris.tomlinson
Laboratory 3.0.5 false 1b2383b324c8520974ee097e46301d5ca4e076de387c02886f1c6b1503671586@pokeinthe.io
MEGA 3.57.9 false firefox@mega.co.nz
NflxMultiSubs (Netflix Multi. Subtitles) 1.6.7 false {e7ca39ec-6668-455e-9768-db28c364e4d2}
NoScript 10.6.1 false {73a6fe31-595d-460b-a920-fcc0f8843232}
ReviewMeta.com Review Analyzer 2.5 false FirefoxExtension@ReviewMeta.com
Substital 2.1.0 false jid1-Cn7LiNrWh4k6RA@jetpack
uBlock Origin 1.18.16 false uBlock0@raymondhill.net
User-Agent Switcher 1.2.11 false user-agent-switcher@ninetailed.ninja
Note, only Activate Reader View and Netflix 1080p were tested to check possible workarounds. I would leave those disabled for now. Also Firefox's own Multi-Account Containers was blocked.
Comment 4•6 months ago
TREES ARE CLOSED FOR THIS.
Comment 9•6 months ago
(In reply to Andreea Pavel [:apavel] from comment #4)
> TREES ARE CLOSED FOR THIS.
To clarify, XPCShell signing tests are failing because of the expired cert.
| Reporter | ||
Comment 11•6 months ago
Should other bug reports be opened about the empty error message that the browser console shows and related symptoms to help people know what's going on? Or should that be implemented in a post-mortem?
Comment 12•6 months ago
In case it's not understood, I'm seeing a rash of reports of this across mozilla and freenode IRC networks as well as reddit.
Many people are very angry and it seems to be growing.
We don't yet know how broadly affected the user base is.
This seems like an urgent matter we want to get fixed as quickly as possible, at a high cost if necessary.
Comment 13•6 months ago
(In reply to Caspy7 from comment #12)
> We don't yet know how broadly affected the user base is.
We do. All users with add-ons and remotely accurate system clocks are affected, with the possible exception of nightly/dev edition users with signing disabled.
Comment 15•6 months ago
CloudOps is taking a look at this
Comment 16•6 months ago
Can somehow signing be disabled?
Comment 17•6 months ago
Confirming that add-ons were also disabled here on 66.0.3 (Win 10) at approx 9pm ET.
| Reporter | ||
Comment 18•6 months ago
(In reply to Milos from comment #16)
> Can somehow signing be disabled?
Only on dev, nightly versions as :kmag noted.
Comment 19•6 months ago
(In reply to Milos from comment #16)
> Can somehow signing be disabled?
I don't think so if you are using Firefox 48+ on PC: https://wiki.mozilla.org/Add-ons/Extension_Signing#Timeline
However, on Firefox for Android (at least up to 66.0.2), you can set xpinstall.signatures.required to false and bypass this problem.
Comment 22•6 months ago
We have confirmed this issue. Extra comments about this being broken will not advance this bug to being fixed.
Comment 36•6 months ago
If you want to watch somewhere for user-facing updates on this issue, it looks like https://twitter.com/mozamo is the place to watch.
Comment 37•6 months ago
caitmuenster has also said this page will receive official updates/statuses on the issue:
https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047
Comment 47•6 months ago
The dates on the cert in question were:
Not Before: May 4 00:09:46 2017 GMT
Not After : May 4 00:09:46 2019 GMT
Comment 53•6 months ago
For all the CC folks: we are making progress
Comment 57•6 months ago
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
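A simplified model of the chain check behind comments 47 and 57, as an added example that is not from this bug or from Mozilla's code: the add-on's own signature stays valid while the chain fails on the intermediate's validity window, and a reissue with the same name and key repairs it without re-signing any add-on. HMAC-SHA256 stands in for the real public-key signature, and every name, key and date other than the comment 47 window is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

@dataclass
class Cert:
    subject: str
    issuer: str
    key: bytes            # stand-in for the subject's key pair
    not_before: datetime
    not_after: datetime
    sig: bytes = b""

    def tbs(self):
        # The signed portion covers names, key and the validity dates.
        return "|".join([self.subject, self.issuer, self.key.hex(),
                         self.not_before.isoformat(), self.not_after.isoformat()]).encode()

def issue(subject, key, issuer, issuer_key, not_before, not_after):
    cert = Cert(subject, issuer, key, not_before, not_after)
    cert.sig = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return cert

def check_chain(leaf, intermediate, root, when):
    """Return "ok" or the first failure, checking leaf -> intermediate -> root."""
    for cert, signer in ((leaf, intermediate), (intermediate, root), (root, root)):
        if cert.issuer != signer.subject:
            return f"{cert.subject}: issuer name mismatch"
        expected = hmac.new(signer.key, cert.tbs(), hashlib.sha256).digest()
        if not hmac.compare_digest(cert.sig, expected):
            return f"{cert.subject}: bad signature"
        if not cert.not_before <= when <= cert.not_after:
            return f"{cert.subject}: outside validity window"
    return "ok"

# Constructed chain; only the old intermediate's dates come from comment 47.
ROOT_KEY, INT_KEY = b"constructed-root-key", b"constructed-intermediate-key"
root = issue("root", ROOT_KEY, "root", ROOT_KEY, utc(2015, 1, 1), utc(2035, 1, 1))
old_int = issue("signing-intermediate", INT_KEY, "root", ROOT_KEY,
                utc(2017, 5, 4, 0, 9, 46), utc(2019, 5, 4, 0, 9, 46))
addon = issue("addon", b"constructed-addon-key", "signing-intermediate", INT_KEY,
              utc(2018, 6, 1), utc(2028, 6, 1))
# Reissue as described in comment 57: same name and key, new (constructed) window.
new_int = issue("signing-intermediate", INT_KEY, "root", ROOT_KEY,
                utc(2017, 5, 4, 0, 9, 46), utc(2025, 4, 4))
# A reissue under a different key would orphan every existing add-on signature.
rekeyed_int = issue("signing-intermediate", b"constructed-other-key", "root", ROOT_KEY,
                    utc(2017, 5, 4, 0, 9, 46), utc(2025, 4, 4))
```

Calling `check_chain(addon, old_int, root, when)` with a `when` before the expiry also reproduces the reporter's observation that setting the clock back makes verification pass again.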
Comment 58•6 months ago
See Also: -> https://webcompat.com/issues/30516, https://webcompat.com/issues/30483, https://webcompat.com/issues/30515, https://webcompat.com/issues/30511, https://webcompat.com/issues/30510, https://webcompat.com/issues/30507, https://webcompat.com/issues/30506, https://webcompat.com/issues/30500, https://webcompat.com/issues/30499, https://webcompat.com/issues/30487
Comment 59•6 months ago
(In reply to Eric Rescorla (:ekr) from comment #57)
> [...] Users who have Normandy on should see their add-ons start working over the next few hours. [...]
Will we need to take any action, e.g. quit and restart, or check for add-on updates, or will it just start working?
Comment 60•6 months ago
For everyone's info: we don't need to do anything if "studies" is enabled (Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies).
Thanks Eddi for the tip.
Comment 78•6 months ago
See Also: → https://webcompat.com/issues/30556, https://webcompat.com/issues/30561, https://webcompat.com/issues/30562, https://webcompat.com/issues/30563, https://webcompat.com/issues/30564, https://webcompat.com/issues/30565, https://webcompat.com/issues/30566, https://webcompat.com/issues/30571, https://webcompat.com/issues/30572
Comment 89•6 months ago
See Also: → https://webcompat.com/issues/30576, https://webcompat.com/issues/30578, https://webcompat.com/issues/30584, https://webcompat.com/issues/30588, https://webcompat.com/issues/30600, https://webcompat.com/issues/30603, https://webcompat.com/issues/30637, https://webcompat.com/issues/30638, https://webcompat.com/issues/30643, https://webcompat.com/issues/30645
Comment 92•6 months ago
(When) can http://ftp.mozilla.org/pub/firefox/candidates/ be opened again?
Comment 93•6 months ago
Please document here the root cause of this issue and what is being done to ensure that it does not happen again, or if that has already been documented elsewhere, please post a link to that documentation here. I've reviewed all the comments on this bug as well as the other information sources to which it links, and I don't see an explanation of the root cause or of steps being taken to prevent recurrence.
Comment 94•6 months ago
Please see https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox for current solutions and workarounds.
Status updates are posted here: https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
Comment 97•6 months ago
Is the part "[first mitigation completed, working on a second one]" in the bug title meaningful in any way?