The Firefox app signature on macOS becomes invalid after update or during normal operation
Categories
(Core :: Widget: Cocoa, defect)
People
(Reporter: hossein.afshari, Unassigned)
Steps to reproduce:
- Open Firefox browser on macOS
- Upgrade Firefox to the latest version by clicking on the "About Firefox" menu item and updating.
- Check the signature of the Firefox app after the update using the following command line in a terminal:
codesign -v /Applications/Firefox.app
One additional note:
In some cases, it has been observed in our company (Nexthink) that the Firefox app signature becomes invalid without even being updated after some time.
Actual results:
When checking the signature of the Firefox app on macOS after its update using the following command line in a terminal:
codesign -v /Applications/Firefox.app
the following output was seen:
/Applications/Firefox.app : a sealed resource is missing or invalid
and the return error code is 1
Expected results:
The following command line
codesign -v /Applications/Firefox.app
should indicate a valid signature with 0 error code as return value.
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Widget: Cocoa' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•3 years ago
(In reply to hossein.afshari from comment #0)
Could you run this again with the -vvvv argument? What's the output now?
Comment 3 (Reporter)•3 years ago
(In reply to Stephen A Pohl [:spohl] from comment #2)
Hi, thanks for the prompt reply. Here is the output of the command that you posted.
--prepared:/Applications/Firefox.app/Contents/MacOS/pingsender
--validated:/Applications/Firefox.app/Contents/MacOS/pingsender
--prepared:/Applications/Firefox.app/Contents/MacOS/liblgpllibs.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/liblgpllibs.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/libfreebl3.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libfreebl3.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/libsoftokn3.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libsoftokn3.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/libosclientcerts.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libosclientcerts.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/libnss3.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libnss3.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/firefox-bin
--validated:/Applications/Firefox.app/Contents/MacOS/firefox-bin
--prepared:/Applications/Firefox.app/Contents/MacOS/libmozavutil.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libmozavutil.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/libipcclientcerts.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libipcclientcerts.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/plugin-container.app
--validated:/Applications/Firefox.app/Contents/MacOS/plugin-container.app
--prepared:/Applications/Firefox.app/Contents/MacOS/libmozglue.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libmozglue.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/libmozavcodec.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libmozavcodec.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib
--validated:/Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib
--prepared:/Applications/Firefox.app/Contents/MacOS/updater.app
--validated:/Applications/Firefox.app/Contents/MacOS/updater.app
--prepared:/Applications/Firefox.app/Contents/MacOS/crashreporter.app
--validated:/Applications/Firefox.app/Contents/MacOS/crashreporter.app
--prepared:/Applications/Firefox.app/Contents/MacOS/XUL
--validated:/Applications/Firefox.app/Contents/MacOS/XUL
--prepared:/Applications/Firefox.app/Contents/MacOS/minidump-analyzer
--validated:/Applications/Firefox.app/Contents/MacOS/minidump-analyzer
/Applications/Firefox.app: a sealed resource is missing or invalid
file added: /Applications/Firefox.app/Contents/Resources/zscaler.cfg
file added: /Applications/Firefox.app/Contents/Resources/defaults/pref/a1zscaler.js
Comment 4•3 years ago
It appears that the Firefox .app bundle is being modified by an app from Zscaler, or that pretends to be from Zscaler (https://www.zscaler.com/). Are you running any software from Zscaler? The following two files are not expected to be in the .app bundle, and by adding these files, the signature on the .app bundle will no longer be valid:
file added: /Applications/Firefox.app/Contents/Resources/zscaler.cfg
file added: /Applications/Firefox.app/Contents/Resources/defaults/pref/a1zscaler.js
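The check described in comment 4, as an added example that is not part of the original thread: it parses `codesign -vvvv` output for `file <kind>:` lines and reports which files break the resource seal. The function names and verdict labels are hypothetical, the sample lines are copied from comment 3, and kinds other than `added` are matched generically as an assumption.

```shell
#!/bin/sh
# Added example: report which files break a bundle's resource seal.

# Lines copied from the codesign output quoted in comment 3 (shortened).
SAMPLE='--prepared:/Applications/Firefox.app/Contents/MacOS/XUL
--validated:/Applications/Firefox.app/Contents/MacOS/XUL
/Applications/Firefox.app: a sealed resource is missing or invalid
file added: /Applications/Firefox.app/Contents/Resources/zscaler.cfg
file added: /Applications/Firefox.app/Contents/Resources/defaults/pref/a1zscaler.js'

# Read codesign output on stdin; print "<kind><TAB><path>" per changed file.
# The page only shows "file added:"; other kinds are matched generically
# (assumption).
sealed_resource_changes() {
    awk '/^file [a-z]+: / {
        kind = $2; sub(/:$/, "", kind)
        path = $0; sub(/^file [a-z]+: /, "", path)
        printf "%s\t%s\n", kind, path
    }'
}

# summarise RC OUTPUT: first line is a verdict (hypothetical labels),
# followed by the evidence for it.
summarise() {
    rc=$1; output=$2
    changes=$(printf '%s\n' "$output" | sealed_resource_changes)
    if [ "$rc" -eq 0 ]; then
        echo "valid"
    elif [ -n "$changes" ]; then
        echo "resources-changed"
        printf '%s\n' "$changes"
    else
        echo "invalid-other"
        printf '%s\n' "$output" | tail -n 1
    fi
}

# Run the same command as in the thread; codesign reports on stderr.
check_bundle() {
    output=$(codesign -vvvv "$1" 2>&1)
    rc=$?
    summarise "$rc" "$output"
    return "$rc"
}

if [ $# -gt 0 ]; then check_bundle "$1"; else summarise 1 "$SAMPLE"; fi
```

Run with a bundle path as the only argument on a Mac; with no argument it summarises the embedded sample.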
Comment 5 (Reporter)•3 years ago
(In reply to Stephen A Pohl [:spohl] from comment #4)
Thanks Stephen,
Yes, this is the case: we are using Zscaler in our IT environment for VPN access. We'll follow up on why this application is adding these files in the Firefox application bundle, which corrupts its signature.
Comment 6•3 years ago
Thanks for your response. Resolving as invalid.