Description

2 days ago

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Wait until it's past midnight on 2019-05-04 UTC.

Actual results:

All addons got disabled due not having valid signature.

Expected results:

If the signature was due to expire, it should have been renewed weeks ago. Not all extensions were disabled. Fakespot and Google Scholar Button were left in their disabled state.

Some reports on reddit 1 says that they had their clocks a day forward, but they may be just early canaries for the actual widespread issue.

Going backwards in time allows installation from AMO but do not remove the unsupported mark from the add ons already installed.
Comment 1

2 days ago

List of affected add-ons:

Activate Reader View	0.1.0	true	@activatereaderview
Netflix 1080p	1.8	true	{89d04aec-e93f-4f56-b77c-f2295051c13e}
Amazon Assistant for Firefox	10.1904.10.11834	false	abb@amazon.com
Amazon SMILE!	1.4.5	false	{1417a6e0-be73-4358-912c-5dce719b5791}
CanvasBlocker	0.5.8	false	CanvasBlocker@kkapsner.de
Check4Change	2.2.3	false	check4change-owner@mozdev.org
Facebook Container	1.6.5	false	@contain-facebook
Fakespot - Analyze Fake Amazon Reviews	0.3.1	false	contact@fakespot.com
Firefox Multi-Account Containers	6.1.0	false	@testpilot-containers
Ghostery – Privacy Ad Blocker	8.3.3	false	firefox@ghostery.com
Google Scholar Button	2.0	false	button@scholar.google.com
Greasemonkey	4.7	false	{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
Honey	11.1.0	false	jid1-93CWPmRbVPjRQA@jetpack
HTTPS Everywhere	2019.5.2.1	false	https-everywhere@eff.org
InvisibleHand	6.6	false	canitbecheaper@trafficbroker.co.uk
Kee - Password Manager	3.1.21	false	keefox@chris.tomlinson
Laboratory	3.0.5	false	1b2383b324c8520974ee097e46301d5ca4e076de387c02886f1c6b1503671586@pokeinthe.io
MEGA	3.57.9	false	firefox@mega.co.nz
NflxMultiSubs (Netflix Multi. Subtitles)	1.6.7	false	{e7ca39ec-6668-455e-9768-db28c364e4d2}
NoScript	10.6.1	false	{73a6fe31-595d-460b-a920-fcc0f8843232}
ReviewMeta.com Review Analyzer	2.5	false	FirefoxExtension@ReviewMeta.com
Substital	2.1.0	false	jid1-Cn7LiNrWh4k6RA@jetpack
uBlock Origin	1.18.16	false	uBlock0@raymondhill.net
User-Agent Switcher	1.2.11	false	user-agent-switcher@ninetailed.ninja

Note, only Activate Reader View and Netflix 1080p were tested to check possible workarounds. I would leave those disabled for now. Also Firefox own Multi-Account Containers was blocked.

Comment 9

(In reply to Andreea Pavel [:apavel] from comment #4)

TREES ARE CLOSED FOR THIS.

To clarify, XPCShell signing tests are failing because of the expired cert.

Comment 11

2 days ago

Should other bug reports be opened about the empty error message that the browser console shows and related symptoms to help people know what it's going on? Or should that be implemented in a post-morten?

Flags: needinfo?(ddurst)

Comment 12

2 days ago

In case it's not understood I'm seeing a rash of reports of this across mozilla and freenode IRC networks as well as reddit.

Many people are very angry and it seems to be growing.

We don't yet know how broadly affected the user base is.
This seems like an urgent matter we want to get fixed as quickly as possible, at a high cost if necessary.

Comment 13

2 days ago

(In reply to Caspy7 from comment #12)

We don't yet know how broadly affected the user base is.

We do. All users with add-ons and remotely accurate system clocks are affected, with the possible exception of nightly/dev edition users with signing disabled.

Comment 15

2 days ago

CloudOps is taking a look at this

Comment 16

2 days ago

Can somehow signing be disabled?

Comment 17

2 days ago

Confirming that add-ons were also disabled here on 66.0.3 (Win 10) at approx 9pm ET.

 (Reporter)

Comment 18

2 days ago

(In reply to Milos from comment #16)

Can somehow signing be disabled?

Only on dev, nightly versions as :kmag noted.

Comment 19

2 days ago

(In reply to Milos from comment #16)

Can somehow signing be disabled?

I don't think so if you are using Firefox 48+ on PC: https://wiki.mozilla.org/Add-ons/Extension_Signing#Timeline

However, on Firefox for Android (at least up to 66.0.2), you can set xpinstall.signatures.required to false and bypass this problem.

Comment 22

2 days ago

We have confirmed this issue. Extra comments about this being broken will not advance this bug to being fixed.

Comment 36

a day ago

If you want to watch somewhere for user-facing updates on this issue, it looks like https://twitter.com/mozamo is the place to watch.

Comment 37

a day ago

caitmuenster has also said this page will receive official updates/statuses on the issue:
https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047

Comment 47

a day ago

The dates on the cert in question were:

Not Before: May 4 00:09:46 2017 GMT
Not After : May 4 00:09:46 2019 GMT

Comment 53

a day ago

For all the CC folks: we are making progress

Comment 57

a day ago

Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.

Summary: [work in progress] All extensions disabled due to expiration of intermediate signing cert → [first mitigation completed, working on a second one] All extensions disabled due to expiration of intermediate signing cert

Comment 59

a day ago

(In reply to Eric Rescorla (:ekr) from comment #57)

[...] Users who have Normandy on should see their add-ons start working over the next few hours. [...]

Will we need to take any action, e.g. quit and restart, or check for add-on updates, or will it just start working?

Comment 60

a day ago

For everyone's info: we don't need to so anything if ""studies" is enabled (Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies).

See https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/12

Thanks Eddi for the tip.

