[Mozilla Enterprise] Add-ons running on Firefox v61
Gage, John
John.Gage at broadridge.com
Mon May 6 19:02:12 UTC 2019
Hi Andrew,
> The issue is caused by a certificate expiring.
> The released fix is a work-around which reduces security by not checking the addon's signature.
If you have Studies/Normandy enabled, you can navigate to "about:studies" and you will see that there is an expired workaround regarding setting the xpi verification date to a time before the expiration date (I believe this was the temporary/rush workaround; someone please correct me if I misrepresented this fix).
"about:studies" description:
hotfix-reset-xpi-verification-timestamp-1548973*Complete
This study sets app.update.lastUpdateTime.xpi-signature-verification to 1556945257.
> I'm hoping that Mozilla can get the appropriate certificate re-signed
> - some certificates use retired encryption and I don't know which certificates are involved, so this may not be possible.
> That way the current fix can be reversed and all browsers will work exactly as before.
>
> Can someone confirm that this is the plan?
You will also notice that there is another study/fix with the same bug number referenced. This is the new intermediate that was delivered. You can investigate the payload (if the study is still active on your machine - if it's inactive, the payload may have been deleted from the extensions dir) by going to "%appdata%\Mozilla\Firefox\Profiles\<yourprofile_here>.default\extensions" on Windows and opening the archive "hotfix-update-xpi-intermediate@mozilla.com.xpi" with 7-Zip or whatever archive/compression tool you prefer. You will see the new "mozilla.rsa" in "META-INF".
"about:studies" description:
hotfix-update-xpi-signing-intermediate-bug-1548973*Complete
This is a hotfix that updates an intermediate certificate used for signing add-ons. It is one of the mechanisms used to fix bug 1548973.
-----
tl;dr: You can consider that second hotfix (hotfix-update-xpi-signing-intermediate-bug-1548973) the final intermediate fix, along with the release of 60.6.2 for users that didn't have Studies enabled.
Release notes: https://www.mozilla.org/en-US/firefox/60.6.2/releasenotes/
Best regards,
John Gage
-----Original Message-----
From: Enterprise <enterprise-bounces at mozilla.org> On Behalf Of Andrew C Aitchison
Sent: Monday, May 6, 2019 2:33 PM
To: Karthik Krishnamurthy <karthik3186 at gmail.com>
Cc: enterprise at mozilla.org
Subject: Re: [Mozilla Enterprise] Add-ons running on Firefox v61
On Sat, 4 May 2019, Karthik Krishnamurthy wrote:
> Hello all,
>
> In light of the new add-ons issue, what would be the fate of
> enterprises running older versions of Firefox? Our organization runs
> thousands of Windows systems with Firefox v61 with a managed add-on
> installation using the windows registry method. How is the fix for
> these older systems going to arrive for the add-ons bug?
The issue is caused by a certificate expiring.
The released fix is a work-around which reduces security by not checking the addon's signature.
I'm hoping that Mozilla can get the appropriate certificate re-signed
- some certificates use retired encryption and I don't know which certificates are involved, so this may not be possible.
That way the current fix can be reversed and all browsers will work exactly as before.
Can someone confirm that this is the plan?
--
Andrew C. Aitchison Cambridge, UK
andrew at aitchison.me.uk
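The inspection described in the reply above (opening the hotfix XPI and looking at "mozilla.rsa" in "META-INF") can be scripted. The following is an added example, not part of the original thread and not Mozilla's code: it walks the DER in that file and reports every certificate validity period that excludes a given date. The function names and the sample archive are constructed for illustration, and the Validity match is a structural heuristic (a SEQUENCE holding exactly two time values), not full PKCS#7 parsing.

```python
import io
import zipfile
from datetime import datetime, timezone

def tlvs(data):
    """Yield (tag, body) for each DER element at one nesting level."""
    pos = 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def parse_time(tag, body):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_periods(data):
    """Heuristic: (notBefore, notAfter) for every SEQUENCE holding exactly two times."""
    found = []
    for tag, body in tlvs(data):
        kids = list(tlvs(body)) if tag & 0x20 else []  # only constructed types nest
        if tag == 0x30 and len(kids) == 2 and all(t in (0x17, 0x18) for t, _ in kids):
            found.append(tuple(parse_time(t, b) for t, b in kids))
        elif kids:
            found.extend(validity_periods(body))
    return found

def certs_invalid_at(xpi, when, member="META-INF/mozilla.rsa"):
    """List validity periods in the XPI's signature block that exclude `when`."""
    with zipfile.ZipFile(xpi) as z:
        if member not in z.namelist():
            return None  # no such signature file in this archive
        periods = validity_periods(z.read(member))
    return [p for p in periods if not p[0] <= when <= p[1]]

def constructed_xpi():
    """Constructed sample: a zip whose mozilla.rsa is bare DER, not a real signature."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    cert = lambda nb, na: der(0x30, der(0x30, der(0x17, nb) + der(0x17, na)))
    blob = der(0x30, cert(b"180101000000Z", b"190101000000Z")
                     + cert(b"190101000000Z", b"250101000000Z"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/mozilla.rsa", blob)
    return buf
```

`certs_invalid_at` accepts a file path as well as a file object, so it can be pointed at an .xpi in the profile's extensions directory instead of the constructed sample.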