Recent "unverified add-on" errors

[Jorge Villalobos]

There have been already a couple of mentions in this forum about this
problem, so I'll give a quick overview of what's happening.

Yesterday, we discovered some add-ons are triggering the "unverified"
error in Firefox. It turns out that add-ons that were signed about a
year ago and haven't been updated since then are having their signatures
invalidated because of the expiration date they have set:
https://bugzilla.mozilla.org/show_bug.cgi?id=1267318

We plan to fix this in two fronts:

1) The immediate fix is to re-sign all add-ons that had their latest
version signed near the beginning of the signing program. All affected
developers will be notified so that they can distribute the new versions
externally if they need to. This process will be run later today.

2) The long term fix is to remove the certificate expiration date check
in Firefox, since this restriction was never part of the original plan.
This fix should be uplifted to Firefox 46 (maybe even 45) and ESR.

If you think you're affected and want to take preemptive action, all you
need to do is upload a new version of your add-on for signing. The
newly-signed version will have a certificate that is valid for at least
a year (I think we already changed it to 3 years as a precaution), and
soon all current versions of Firefox will ignore the expiration date anyway.

Jorge

[Gervase Markham]

On 26/04/16 15:18, Jorge Villalobos wrote:
> There have been already a couple of mentions in this forum about this
> problem, so I'll give a quick overview of what's happening.

This is the email I got about this. There are some aspects of it which
are really unclear from the email :-(

> Your add-on, Expiry Canary, has been automatically signed.
>
> We recently discovered a problem with the expiration date of add-on signatures.
> As a result, for the next few weeks Firefox will not be able to recognize the
> signatures of some add-ons. We are contacting you because your add-on,
> Expiry Canary, is affected.
>
> To address this problem, we're signing the affected add-ons again and letting
> you know in case you need to deploy this update to your users.

What does it mean "need to deploy"? My addon is hosted on AMO - I don't
do any manual deployment. I would assume you are trying hard to make
sure all my users get an updated version without this problem ASAP. Are
you doing that? You haven't said you are. Do I need to take action? I'm
not sure... Will my users get an updated version automatically without
me having to upload one? I'd hope so...

Gerv

[David E. Ross]

Is this why I now am seeing "new" versions of extensions that are dated
last year? If so, how do I suppress these from being listed when I
check for new versions?

--
David E. Ross
<http://www.rossde.com/>.

Sarah Palin claims Bill Nye (the "Science Guy") is no more
a scientist than she is. Nye has a Bachelor of Science degree
in mechanical engineering. Palin has degree in communications
with an emphasis on journalism. Somehow, engineering seems to
be more scientific than journalism.

[Jorge Villalobos]

Yes.

If so, how do I suppress these from being listed when I
> check for new versions?

Listed where?

[Jorge Villalobos]

Yeah, that was bad wording on my part, sorry. The email was sent out to
authors of listed and unlisted add-ons, so I tried to write a message
that would cover both cases. The "in case you need to deploy this
update" was meant for unlisted add-on developers who need to grab the
re-signed files and distribute them on their own. Listed add-on devs
don't need to do anything else.

Jorge

[David E. Ross]

I launch the Add-ons Manager. On the "Tools for all add-ons" button
(the gear), I select "Check for Updates". I get a list of "new"
extensions, most of which have last year's date.

Note: I have disabled automatic updates for several reasons.
Primarily, I am maintaining my own PC plus my wife's. I want to
download once and install twice. Furthermore, I want to experience new
versions before inflicting them onto my wife. Then there is my desire
to control when updates occur, to do them when they will not interfere
with time-sensitive tasks.

See
<http://hothardware.com/news/microsofts-naggy-windows-10-upgrade-prompt-interrupts-meteorologists-weathercast>
for an example of what happens with automatic updates. There, it is
Microsoft, not Mozilla.

[Jorge Villalobos]

I'm not aware of any configuration that would hide "new" extensions. You
could make an add-on to do that, or maybe one exists already.

Jorge

[B00ze]

[snip]

This is getting confusing, I now have a bunch of addons
"-signed.1-signed" ...
No wonder Mozilla wants to hide the version numbers ...
It covers mistakes like this ...

Regards,

--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society-
oO-( )-Oo JUST DISCOVERED - Research causes cancer in rats!

[B00ze]

On 2016-04-29 22:11, B00ze <B00...@hotmail.com> wrote:

> [snip]
>
> This is getting confusing, I now have a bunch of addons
> "-signed.1-signed" ...
> No wonder Mozilla wants to hide the version numbers ...
> It covers mistakes like this ...

Alright, that was useless complaining, but 10 minutes after I wrote
this, it came to me : this will cause trouble, as for some addOns, I do
not use the latest version, on purpose, and those earlier versions of
course will not be signed-signed; or will they?

Thanks.
Best Regards,

--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society

oO-( )-Oo "Excuse me, but do you have change for a carp?"