Closed Bug 1548973 (armagadd-on-2.0) Opened 7 months ago Closed 5 months ago

[meta] All extensions disabled due to expiration of intermediate signing cert

Categories

(Toolkit :: Add-ons Manager, defect, P1, blocker)

66 Branch
defect

Tracking

()

RESOLVED FIXED
Tracking Status
relnote-firefox --- 66+
firefox-esr60 --- fixed
firefox-esr68 --- fixed
firefox66 --- fixed
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: braiamp, Unassigned)

References

Details

(Keywords: dogfood, meta, Whiteboard: cert2019)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Wait until it's past midnight on 2019-05-04 UTC.

Actual results:

All addons got disabled due not having valid signature.

Expected results:

If the signature was due to expire, it should have been renewed weeks ago. Not all extensions were disabled. Fakespot and Google Scholar Button were left in their disabled state.

Some reports on reddit 1 says that they had their clocks a day forward, but they may be just early canaries for the actual widespread issue.

Going backwards in time allows installation from AMO but do not remove the unsupported mark from the add ons already installed.

List of affected add-ons:

Activate Reader View	0.1.0	true	@activatereaderview
Netflix 1080p	1.8	true	{89d04aec-e93f-4f56-b77c-f2295051c13e}
Amazon Assistant for Firefox	10.1904.10.11834	false	abb@amazon.com
Amazon SMILE!	1.4.5	false	{1417a6e0-be73-4358-912c-5dce719b5791}
CanvasBlocker	0.5.8	false	CanvasBlocker@kkapsner.de
Check4Change	2.2.3	false	check4change-owner@mozdev.org
Facebook Container	1.6.5	false	@contain-facebook
Fakespot - Analyze Fake Amazon Reviews	0.3.1	false	contact@fakespot.com
Firefox Multi-Account Containers	6.1.0	false	@testpilot-containers
Ghostery – Privacy Ad Blocker	8.3.3	false	firefox@ghostery.com
Google Scholar Button	2.0	false	button@scholar.google.com
Greasemonkey	4.7	false	{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
Honey	11.1.0	false	jid1-93CWPmRbVPjRQA@jetpack
HTTPS Everywhere	2019.5.2.1	false	https-everywhere@eff.org
InvisibleHand	6.6	false	canitbecheaper@trafficbroker.co.uk
Kee - Password Manager	3.1.21	false	keefox@chris.tomlinson
Laboratory	3.0.5	false	1b2383b324c8520974ee097e46301d5ca4e076de387c02886f1c6b1503671586@pokeinthe.io
MEGA	3.57.9	false	firefox@mega.co.nz
NflxMultiSubs (Netflix Multi. Subtitles)	1.6.7	false	{e7ca39ec-6668-455e-9768-db28c364e4d2}
NoScript	10.6.1	false	{73a6fe31-595d-460b-a920-fcc0f8843232}
ReviewMeta.com Review Analyzer	2.5	false	FirefoxExtension@ReviewMeta.com
Substital	2.1.0	false	jid1-Cn7LiNrWh4k6RA@jetpack
uBlock Origin	1.18.16	false	uBlock0@raymondhill.net
User-Agent Switcher	1.2.11	false	user-agent-switcher@ninetailed.ninja

Note, only Activate Reader View and Netflix 1080p were tested to check possible workarounds. I would leave those disabled for now. Also Firefox own Multi-Account Containers was blocked.

I can confirm

Severity: normal → blocker
Status: UNCONFIRMED → NEW
Component: Untriaged → Add-ons Manager
Ever confirmed: true
Product: Firefox → Toolkit
Summary: Firefox marked addons due signing as unsupported, but doesn't allow re-downloads from AMO → All extensions disabled due to expiration of intermediate signing cert
See Also: → 1548975

TREES ARE CLOSED FOR THIS.

Duplicate of this bug: 1548975
Duplicate of this bug: 1548980
Duplicate of this bug: 1548979
Duplicate of this bug: 1548978

(In reply to Andreea Pavel [:apavel] from comment #4)

TREES ARE CLOSED FOR THIS.

To clarify, XPCShell signing tests are failing because of the expired cert.

Duplicate of this bug: 1548976
See Also: 1548975

Should other bug reports be opened about the empty error message that the browser console shows and related symptoms to help people know what it's going on? Or should that be implemented in a post-morten?

Flags: needinfo?(ddurst)

In case it's not understood I'm seeing a rash of reports of this across mozilla and freenode IRC networks as well as reddit.

Many people are very angry and it seems to be growing.

We don't yet know how broadly affected the user base is.
This seems like an urgent matter we want to get fixed as quickly as possible, at a high cost if necessary.

Alias: armagadd-on-2.0
Flags: needinfo?(dveditz)
Flags: needinfo?(dkeeler)
See Also: → armagadd-on

(In reply to Caspy7 from comment #12)

We don't yet know how broadly affected the user base is.

We do. All users with add-ons and remotely accurate system clocks are affected, with the possible exception of nightly/dev edition users with signing disabled.

Duplicate of this bug: 1548983

CloudOps is taking a look at this

Can somehow signing be disabled?

Confirming that add-ons were also disabled here on 66.0.3 (Win 10) at approx 9pm ET.

(In reply to Milos from comment #16)

Can somehow signing be disabled?

Only on dev, nightly versions as :kmag noted.

(In reply to Milos from comment #16)

Can somehow signing be disabled?

I don't think so if you are using Firefox 48+ on PC: https://wiki.mozilla.org/Add-ons/Extension_Signing#Timeline

However, on Firefox for Android (at least up to 66.0.2), you can set xpinstall.signatures.required to false and bypass this problem.

We have confirmed this issue. Extra comments about this being broken will not advance this bug to being fixed.

Restrict Comments: true
Duplicate of this bug: 1549009
Blocks: 1549013

If you want to watch somewhere for user-facing updates on this issue, it looks like https://twitter.com/mozamo is the place to watch.

caitmuenster has also said this page will receive official updates/statuses on the issue:
https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047

Blocks: 1549017
Duplicate of this bug: 1548988
Flags: needinfo?(dveditz)
Priority: -- → P1

The dates on the cert in question were:

Not Before: May 4 00:09:46 2017 GMT
Not After : May 4 00:09:46 2019 GMT

Duplicate of this bug: 1549005
Duplicate of this bug: 1549032
Summary: All extensions disabled due to expiration of intermediate signing cert → [work in progress] All extensions disabled due to expiration of intermediate signing cert
Keywords: dogfood
OS: Unspecified → All
Hardware: Unspecified → All
Duplicate of this bug: 1549036

For all the CC folks: we are making progress

Duplicate of this bug: 1549038
Duplicate of this bug: 1549039
Duplicate of this bug: 1549040

Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.

Summary: [work in progress] All extensions disabled due to expiration of intermediate signing cert → [first mitigation completed, working on a second one] All extensions disabled due to expiration of intermediate signing cert

(In reply to Eric Rescorla (:ekr) from comment #57)

[...] Users who have Normandy on should see their add-ons start working over the next few hours. [...]

Will we need to take any action, e.g. quit and restart, or check for add-on updates, or will it just start working?

For everyone's info: we don't need to so anything if ""studies" is enabled (Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies).

See https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/12

Thanks Eddi for the tip.

Duplicate of this bug: 1549062
Duplicate of this bug: 1549065
Duplicate of this bug: 1549067
Depends on: 1549061
Duplicate of this bug: 1549071
Duplicate of this bug: 1549072
Duplicate of this bug: 1549077
Blocks: 1549078
Duplicate of this bug: 1549088
Duplicate of this bug: 1549090
Duplicate of this bug: 1549094
Duplicate of this bug: 1549110
Depends on: 1549116
No longer depends on: 1549116
No longer blocks: 1549117
Blocks: 1549121
No longer blocks: 1549121
Duplicate of this bug: 1549120
Duplicate of this bug: 1549124
Depends on: 1549129
See Also: → 1549134
See Also: 1549134
Duplicate of this bug: 1549137
Duplicate of this bug: 1549138
Duplicate of this bug: 1549143
Depends on: 1549145
Duplicate of this bug: 1549173
No longer depends on: 1549129
See Also: → 1549129
Duplicate of this bug: 1549180
Duplicate of this bug: 1549198
Duplicate of this bug: 1549203
See Also: → 1549216
See Also: → 1549224
Depends on: 1549249
Blocks: 1549266
Duplicate of this bug: 1549248
Duplicate of this bug: 1549218
Depends on: 1549305
Depends on: 1549258
Duplicate of this bug: 1549352
Depends on: 1549400

Please document here the root cause of this issue and what is being done to ensure that it does not happen again, or if that has already been documented elsewhere, please post a link to that documentation here. I've reviewed all the comments on this bug as well as the other information sources to which it links, and I don't see an explanation of the root cause or of steps being taken to prevent recurrence.

Flags: needinfo?(dkeeler)
Depends on: 1549441
See Also: → 1549490
Whiteboard: [stockwell needswork:owner] → [stockwell needswork:owner] cert2019
Depends on: 1549604
See Also: → 1549624
See Also: → 1549627
Duplicate of this bug: 1549679
Duplicate of this bug: 1549200
Depends on: 1549905

is the part
"[first mitigation completed, working on a second one]"
in the bug title meanigful in any way?

No longer depends on: 1549305
Depends on: 1551321
Summary: [first mitigation completed, working on a second one] All extensions disabled due to expiration of intermediate signing cert → All extensions disabled due to expiration of intermediate signing cert
Depends on: 1552392
Flags: needinfo?(ddurst)
Whiteboard: [stockwell needswork:owner] cert2019 → cert2019
Keywords: meta
Summary: All extensions disabled due to expiration of intermediate signing cert → [meta] All extensions disabled due to expiration of intermediate signing cert
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Duplicate of this bug: 1569470
You need to log in before you can comment on or make changes to this bug.