1549400 - Update hotfix to avoid disabling extensions when the certificate addition fails

Status: VERIFIED FIXED

(Toolkit :: General, defect)

Description

[Rob Wu [:robwu]]

There are a known ways for certificate adding to fail (bug 1549249 , bug 1549344).

Let's update the hotfix to not force a signature check on failure. Otherwise the hotfix will actually result in add-ons getting disabled. This would already happen anyway when the usual verification timer is triggered.

Comment 1

[Rob Wu [:robwu]]

Attachment: hotfix-update-xpi-intermediate@mozilla.com-1.0.3.xpi

EDIT: Do not use. This package is not reviewed and may contain bugs.

Comment 2

[Rob Wu [:robwu]]

I tested the add-on from comment 1 as follows:

1. Install web-ext - https://github.com/mozilla/web-ext
2. Extract the xpi to a directory, and enter the directory.
3. Run with a pre-release version (to be able to run unsigned experiments):

web-ext run --pref=app.normandy.enabled=false --pref=xpinstall.signatures.required=false -f '/Applications/Firefox Nightly.app/Contents/MacOS/firefox'

4. Confirm that the global JS console (Ctrl/Cmd-Shift-J) contains the following:

WebExtensions: new intermediate certificate added api.js:16
WebExtensions: signatures re-verified api.js:36

5. Run again, now with security.nocertdb=true (bug 1549344).

web-ext run --pref=app.normandy.enabled=false --pref=xpinstall.signatures.required=false -f '/Applications/Firefox Nightly.app/Contents/MacOS/firefox' --pref=security.nocertdb=true

6. Look at the JS console, confirm that it shows the following:

WebExtensions: failed to add new intermediate certificate: Exception { name: "", message: "Component returned failure code: 0x805a1fe8 [nsIX509CertDB.addCertFromBase64]", result: 2153390056 .....
WebExtensions: Suppressing scheduling signature verification check

Comment 3

[Julien Cristau [:jcristau] (back April 22)]

:keeler, :mythmon, we're going to need review and signing for this update. Thanks!

Comment 4

[Masatoshi Kimura [:emk]]

Could you add a code path for older versions of Firefox? (Use Components.utils.import instead of ChromeUtils.import and Use XPIProvider.verifySignatures() instead of XPIDatabse.verifySignatures()). Currently this hotfix is deployed to Firefox 59 or earlier, but not working.
Alternatively, could you stop deploying the useless hotfix to older versions?

Comment 5

[Rob Wu [:robwu]]

Comment on attachment 9062956 [details]
hotfix-update-xpi-intermediate@mozilla.com-1.0.3.xpi

Review handled elsewhere.

Comment 6

[Rob Wu [:robwu]]

Verification steps once the XPI is signed:

1. Download an add-on from AMO (e.g. uBlock origin); save it to your disk.
2. Create a profile directory.
3. Create a file called "user.js" in it, with the following content:

user_pref("app.normandy.enabled", false);
user_pref("security.nocertdb", true);

4. Set system clock to 3rd of May.
5. Open Firefox with the given profile directory.
6. Install the add-on from step 1.
7. Close Firefox, set the system clock to the current time.
8. Start Firefox again. Install the signed XPI.
9. Open the global JS console (Ctrl-Shift-J on Linux/Windows, Cmd-Shif-J on macOS), and confirm that you see the following two messages:

WebExtensions: failed to add new intermediate certificate: Exception { name: "", message: "Component returned failure code: 0x805a1fe8 [nsIX509CertDB.addCertFromBase64]", result: 2153390056 .....
WebExtensions: Suppressing scheduled signature verification check

10. Verify that the add-on from step 1 is still installed.

With the previous version of the hotfix (1.0.2), the result is:

9. First error message shows up; Second error message is WebExtensions: signatures re-verified
10. The add-on from step 1 is disabled.

Comment 7

[Rob Wu [:robwu]]

(In reply to Masatoshi Kimura [:emk] from comment #4)

Could you add a code path for older versions of Firefox? (Use Components.utils.import instead of ChromeUtils.import and Use XPIProvider.verifySignatures() instead of XPIDatabse.verifySignatures()). Currently this hotfix is deployed to Firefox 59 or earlier, but not working.
Alternatively, could you stop deploying the useless hotfix to older versions?

The hotfix is written using mechanisms that are only available since Firefox 61 (bug 1454820). The extension isn't loaded in 60 and earlier.

Comment 8

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

(I'm assuming comment 5 indicates my input isn't needed here any longer.)

Comment 9

[Michael Cooper [:mythmon]]

Review was handled on github: https://github.com/mozilla/webext-exp-skeleton/pull/1
This was deployed as a new recipe on Normandy: https://delivery-console.prod.mozaws.net/recipe/763/

Comment 10

[Michael Cooper [:mythmon]]

(In reply to Masatoshi Kimura [:emk] from comment #4)

Could you add a code path for older versions of Firefox? (Use Components.utils.import instead of ChromeUtils.import and Use XPIProvider.verifySignatures() instead of XPIDatabse.verifySignatures()). Currently this hotfix is deployed to Firefox 59 or earlier, but not working.
Alternatively, could you stop deploying the useless hotfix to older versions?

I believe we have other compatibility issues with Firefox <= 60, so this new add-on is only targeting 61 and above.

Comment 11

[Alex Cornestean]

Verified as Fixed using Windows 10 x64 and macOS 10.13.6 on the Release (66.0.3 - 20190409155332), Beta (67.0b16 – 20190502232159) and Nightly (68.0a1 - 20190503041749) versions of Firefox prior to the 4th of May 2019.

Following the provided STR and the available hotfixes, the results documented in Comment 6 were correctly obtained, confirming the fix.

Comment 12

[Firefox Bug Husbandry Bot]

Please specify a root cause for this bug. See :tmaity for more information.