Gentoo Forums
Firefox - Certificate issue causing add-ons to be disabled

transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 136

Posted: Sat May 04, 2019 4:44 pm    Post subject: Firefox - Certificate issue causing add-ons to be disabled

Mozilla has a problem with the certificate that is used to sign addons.

https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

The temporary "Studies" workaround doesn't seem to work for me on Gentoo. The update in the last link says:

"Clarified that the Studies fix applies only to Desktop users of Firefox distributed by Mozilla. Firefox ESR, Firefox for Android, and some versions of Firefox included with Linux distributions will require separate updates. (May 4, 12:03 EST)"

Does this mean we need another solution in Gentoo?

kajzer
Guru

Joined: 27 Nov 2014
Posts: 446

Posted: Sat May 04, 2019 4:55 pm

You can manually download the fix, I fixed it that way.
Found the fix here, 2nd comment at the time of this writing.
Just click it and it will fix it.
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

I will link the fix here directly for convenience.
https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi

Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5879

Posted: Sat May 04, 2019 5:30 pm

Another workaround, works offline, worked for me:
Code:
sed -i -e 's/"appDisabled":true/"appDisabled":false/g' \
       -e 's/"signedState":-1/"signedState":2/g' \
    ~/.mozilla/firefox/*.default/extensions.json


The "Studies" code has been disabled by Gentoo and other distros, since it was abused by Mozilla to push ads in Dec 2017.
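
Added example, not part of Ant P.'s post: a read-only check of the same extensions.json that shows which entries the two sed expressions above would rewrite, and why each add-on is currently disabled. It assumes the file holds a top-level "addons" list whose entries carry "id", "appDisabled" and "signedState"; the sample data and add-on ids are constructed.

```python
import json

# Constructed sample in the assumed layout of extensions.json; not real profile data.
SAMPLE = json.loads("""
{"addons": [
  {"id": "gestures@example.invalid", "appDisabled": true,  "signedState": -1},
  {"id": "blocker@example.invalid",  "appDisabled": false, "signedState": 2},
  {"id": "legacy@example.invalid",   "appDisabled": true,  "signedState": 2},
  {"id": "langpack@example.invalid", "appDisabled": true,  "signedState": 0}
]}
""")


def sed_would_change(addon):
    """Fields the two sed expressions would rewrite for this entry."""
    changed = []
    if addon.get("appDisabled") is True:
        changed.append("appDisabled")
    if addon.get("signedState") == -1:
        changed.append("signedState")
    return changed


def audit(db):
    """Return (id, reason, fields sed would rewrite) per add-on; read-only."""
    rows = []
    for addon in db.get("addons", []):
        state = addon.get("signedState")
        if not addon.get("appDisabled"):
            reason = "enabled"
        elif state == -1:
            reason = "disabled, signature state unknown"
        else:
            # appDisabled for some reason the sed does not look at
            reason = "disabled, signedState=%r" % state
        rows.append((addon.get("id"), reason, sed_would_change(addon)))
    return rows


if __name__ == "__main__":
    # To check a real profile, load its extensions.json with json.load() instead.
    for addon_id, reason, fields in audit(SAMPLE):
        print(f"{addon_id:28} {reason:36} sed rewrites: {fields or 'nothing'}")
```

The last two sample rows show the side effect of the blanket substitution: an entry that is app-disabled with a signedState other than -1 has its appDisabled flag flipped while its recorded signature state stays as it was.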

pablo_supertux
Advocate

Joined: 25 Jan 2004
Posts: 2740
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

Posted: Sat May 04, 2019 11:26 pm

This sucks.

As transpetaflops said, the temporary "Studies" workaround doesn't work. On my version even the checkboxes are disabled. I cannot do anything.

I've made a backup of my profile and installed the workaround from the link that kajzer posted, and that didn't work either.

Ant P.'s workaround doesn't work for me either; all I get is that the extensions are going to be enabled after the next restart. I click on "restart", then Firefox restarts and I get the same message. So the extensions remain disabled.

WTF? Why does the validity of a certificate determine whether you can use your locally installed extensions? That makes no sense to me. Without the extensions, my FF becomes 100% useless to me.

UPDATE

While searching online for this, I've found this: https://superuser.com/questions/1432789/all-of-my-firefox-add-ons-been-disabled-suddenly-how-can-i-re-enable-them

Quote:

Mozilla will need to get the add-ons resigned and/or push a new cert out. Work is in progress to fix it. There is no resolution at this time unless you are on a developer code branch which you can go into about:config and set xpinstall.signatures.required to false.


On my ESR version (60.6.1esr) I have this setting. I set it to false just to test it and most extensions are working again (although FF is telling me that they could not be verified). Only my mouse gesture extension remains disabled, apparently because it requires a "newer version of Firefox (at least version 61.0)", but it was working yesterday, so why stop working now?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!

Hu
Moderator

Joined: 06 Mar 2007
Posts: 14064

Posted: Sun May 05, 2019 1:18 am

pablo_supertux wrote:
WTF? Why does the validity of a certificate determine whether you can use your locally installed extensions? That makes no sense to me. Without the extensions, my FF becomes 100% useless to me.

As of several years ago, Mozilla decided that Firefox shall only allow use of extensions signed by the signing framework provided by Mozilla. That framework's certificate expired, so now Firefox treats all extensions as unverifiable, and unverifiable as untrusted, and untrusted as unable to load.

pablo_supertux wrote:
Only my mouse gesture extension remains disabled, apparently because it requires a "newer version of Firefox (at least version 61.0)", but it was working yesterday, so why stop working now?

Perhaps it was recently updated to a version which does not work with your Firefox? I've had Firefox do that to me before. It helpfully automatically updates an extension to one that doesn't work with the ESR I'm running, then the extension is totally broken. Are you sure that the currently broken version is the same version you had yesterday?

Juippisi
Developer

Joined: 30 Sep 2005
Posts: 361
Location: /home

Posted: Sun May 05, 2019 5:52 am

I found this to be working for now,
https://news.ycombinator.com/item?id=19824410

need to re-apply it once a day until Mozilla fixes this, but still faster than any other alternatives I've found so far.

A bit shady that Mozilla pushes a fix with "studies" while this is happening...

transsib
l33t

Joined: 26 Jul 2003
Posts: 869

Posted: Sun May 05, 2019 9:12 am

I recompiled version 60.6.1 on this Gentoo system: everything is back to normal now.
On another Gentoo box the same process has had no effect; add-ons and theme
are still disabled there.

The setting "Allow Firefox to install and run studies" is still greyed out though.
There are messages shown in Preferences like
Quote:
Your organization has disabled the ability to change some preferences

that I do not see on my Firefox on Windows.

Why's that?

Murmeltier
n00b

Joined: 14 May 2008
Posts: 32

Posted: Sun May 05, 2019 10:07 am    Post subject: [Solved] Firefox - Certificate issue

Hi all,

This could be solved here in FF 60.6.1esr by following these steps:

- Install "hotfix-update-xpi-intermediate@mozilla.com.xpi" already mentioned by "kajzer"
- Restart Firefox
- Re-install (!) all addons by opening the xpi files in the "extensions" subdir of your FF profile directory
- Re-install needed language packs also
- Restart Firefox

No change of config, no "studies" necessary.
Everything is working here again :D
Hope this will help...

transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 136

Posted: Sun May 05, 2019 2:35 pm

Ant P. wrote:
Another workaround, works offline, worked for me:
Code:
sed -i -e 's/"appDisabled":true/"appDisabled":false/g' \
       -e 's/"signedState":-1/"signedState":2/g' \
    ~/.mozilla/firefox/*.default/extensions.json


The "Studies" code has been disabled by Gentoo and other distros, since it was abused by Mozilla to push ads in Dec 2017.


I did this manually and it worked, but I see I have to reapply it each day. Where is the faulty certificate stored, and how do I replace it if I don't want to use either Studies or that xpi file circulating?

transpetaflops
Tux's lil' helper

Joined: 16 May 2005
Posts: 136

Posted: Sun May 05, 2019 9:28 pm

I see they have released 66.0.4 now that will include a new certificate. Just waiting for it to hit Portage then. :)

Akkara
Administrator

Joined: 28 Mar 2006
Posts: 6702
Location: &akkara

Posted: Mon May 06, 2019 7:00 am

It seems to me this is a very serious single-point-of-failure situation, and I'd like to understand what can be done to fix it so that it can't happen again.

If an extension had been deemed OK and had been signed vouching for it, and if it had not been updated since then, why should the expiry of the signing certificate in any way invalidate existing signatures? Agreements signed in real life don't suddenly become invalid when the pen used to sign them stops working. Why is this different? It seems it is a serious problem as we move more and more toward signed everything, if it will also require a steady stream of updated certs to keep it working.
_________________
Many think that Dilbert is a comic. Unfortunately it is a documentary.

Anon-E-moose
Advocate

Joined: 23 May 2008
Posts: 4209
Location: Dallas area

Posted: Mon May 06, 2019 9:32 am

Quote:
If an extension had been deemed OK and had been signed vouching for it, and if it had not been updated since then, why should the expiry of the signing certificate in any way invalidate existing signatures?


It shouldn't ... but evidently that kind of logic escaped the brains at mozilla ... or they just didn't care.

https://forums.gentoo.org/viewtopic-t-1096386.html - 2nd post for a fix that doesn't involve kowtowing to mozilla.
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon

pfc
n00b

Joined: 14 Jan 2017
Posts: 4

Posted: Mon May 06, 2019 12:49 pm

transsib wrote:
I recompiled version 60.6.1 on this Gentoo system: everything is back to normal now.
On another Gentoo box the same process has had no effect; add-ons and theme
are still disabled there.


Recompiling firefox fixed the problem for me (www-client/firefox-60.6.1) 64 bit.

fedeliallalinea
Bodhisattva

Joined: 08 Mar 2003
Posts: 22196
Location: here

Posted: Mon May 06, 2019 1:55 pm

Patch for firefox 60.x and 66.x
_________________
Questions are guaranteed in life; Answers aren't.

All times are GMT