Thunderbird no longer installs nightly updates using the maintenance service

RESOLVED FIXED in Thunderbird 27.0

Status

Thunderbird
General

People

(Reporter: bokeefe, Assigned: bokeefe)

Tracking

({regression})

Trunk
Thunderbird 27.0
All
Windows 7
regression

Thunderbird Tracking Flags

(thunderbird26+, thunderbird-esr1726+ fixed, thunderbird_esr2426+ fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
Since the Authenticode certificate was updated (around 9/27?), Thunderbird won't use the maintenance service to install updates. They still install fine if I accept the UAC prompt.

From maintenanceservice.log:
Executing service command software-update, ID: a19225be-1ca5-42bf-a0f2-247a1dc189de
Passed in path: 'C:\Users\Brian\AppData\Local\Thunderbird\Mozilla Thunderbird\updates\0\updater.exe'; Using this path for updating: 'C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe'.
updater.exe was compared successfully to the installation directory updater.exe.
The updater.exe application contains the Mozilla updater identity.
*** Warning: Certificate did not match issuer or name.  (1168)***
*** Warning: Error on certificate check.  (1168)***
*** Warning: Could not start process due to certificate check error on updater.exe. Updating update.status.  (0)***
Service command software-update complete.
service command MozillaMaintenance complete with result: Failure.


It looks like under key HKLM\SOFTWARE\Mozilla\MaintenanceService\105cad4e647fb250cd814fb4fe894222\0, value "issuer" is set to "Thawte Code Signing CA - G2". If I change that to "DigiCert Assured ID Code Signing CA-1", the next update installs fine, but eventually (sorry, I haven't been able to correlate it with anything) the value reverts to "Thawte Code Signing CA - G2".

Firefox is also using the service to install nightly builds; I haven't had any trouble with those (yet).
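
The failure pattern in the log excerpt above can be picked out of a longer maintenanceservice.log automatically. The following is an added example, not part of the original report or of Mozilla's code: it groups log lines into service runs and returns the runs rejected by the certificate check. The sample log is constructed (the first run copies the excerpt above, the second run and its ID are made up), and the names parse_runs and cert_failures are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: run 1 copies the failure in the report, run 2 is a made-up success.
SAMPLE_LOG = r"""
Executing service command software-update, ID: a19225be-1ca5-42bf-a0f2-247a1dc189de
The updater.exe application contains the Mozilla updater identity.
*** Warning: Certificate did not match issuer or name.  (1168)***
*** Warning: Error on certificate check.  (1168)***
*** Warning: Could not start process due to certificate check error on updater.exe. Updating update.status.  (0)***
Service command software-update complete.
service command MozillaMaintenance complete with result: Failure.
Executing service command software-update, ID: 00000000-0000-0000-0000-000000000001
Service command software-update complete.
service command MozillaMaintenance complete with result: Success.
"""

START = re.compile(r"^Executing service command (\S+), ID: ([0-9a-fA-F-]+)")
WARNING = re.compile(r"^\*\*\* Warning: (.*?)\s*\((\d+)\)\*\*\*$")
RESULT = re.compile(r"^service command \S+ complete with result: (\w+)")

@dataclass
class Run:
    command: str
    run_id: str
    warnings: list = field(default_factory=list)  # (message, error code) pairs
    result: str = "unknown"  # stays "unknown" if the log is cut off mid-run

    @property
    def cert_check_failed(self):
        return any("certificate" in msg.lower() for msg, _ in self.warnings)

def parse_runs(text):
    """Group log lines into one Run per 'Executing service command' entry."""
    runs, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := START.match(line):
            current = Run(m.group(1), m.group(2))
            runs.append(current)
        elif current is not None and (m := WARNING.match(line)):
            current.warnings.append((m.group(1), int(m.group(2))))
        elif current is not None and (m := RESULT.match(line)):
            current.result = m.group(1)
            current = None  # run finished; ignore lines until the next start
    return runs

def cert_failures(text):
    """Runs the service refused because updater.exe failed the certificate check."""
    return [r for r in parse_runs(text) if r.result != "Success" and r.cert_check_failed]
```

A run returned by cert_failures means the update fell back to the UAC-prompted path; repeated hits after a signing-certificate change point at a stale issuer or name value in the service's registry key rather than at a tampered updater.exe.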
(Assignee)

Comment 1

5 years ago
Created attachment 819726 [details] [diff] [review]
Update the certificate issuer in the Thunderbird installer

> (sorry, I haven't been able to correlate it with anything)
This actually happens to be when I restart Thunderbird after the update was staged - the rest of the install happens, and the registry key gets reset.

I'm pretty sure this patch will fix the issue; it makes the same update as bug 803531 did for mozilla-central in the comm-central installer. I have no idea how to test this locally, though.
Assignee: nobody → bokeefe
Status: NEW → ASSIGNED
Attachment #819726 - Flags: review?(mbanner)
(Assignee)

Updated

5 years ago
Depends on: 803531
Comment on attachment 819726 [details] [diff] [review]
Update the certificate issuer in the Thunderbird installer

That would most likely be the issue, and the fix. We should just be able to land this and hopefully it'll work.
Attachment #819726 - Flags: review?(mbanner) → review+
I just landed this:

https://hg.mozilla.org/comm-central/rev/7183b4b430a8

Thanks for the patch.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
tracking-thunderbird26: --- → +
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 27.0
tracking-thunderbird-esr17: --- → ?
tracking-thunderbird_esr24: --- → ?

Updated

5 years ago
Keywords: regression
Comment on attachment 819726 [details] [diff] [review]
Update the certificate issuer in the Thunderbird installer

[Triage Comment]
Definitely need this on all branches.
Attachment #819726 - Flags: approval-comm-esr24+
Attachment #819726 - Flags: approval-comm-esr17+
https://hg.mozilla.org/releases/comm-esr17/rev/278cb52e4b3c
https://hg.mozilla.org/releases/comm-esr24/rev/0e12ff203d3b
status-thunderbird-esr17: --- → fixed
status-thunderbird_esr24: --- → fixed
tracking-thunderbird-esr17: ? → 26+
tracking-thunderbird_esr24: ? → 26+
I was asked about the service not working for someone with Thunderbird. Turns out that their app.update.service.enabled was set to false. The pref auto-flips to false if more than 10 updates have failures and it has to fall back to not using the service on each. There is a telemetry ping for this sent up if you want to see if there's a large number of people affected by non-silent updates.