Hi Andrew,

> The issue is caused by a certificate expiring.
>The released fix is a work-around which reduces security by not checking the 
>addon's signature.

If you have Studies/Normandy enabled, you can navigate to "about:studies" 
and you will see that there is an expired workaround regarding setting the xpi 
verification date to a time before the expiration date (I believe this was the 
temporary/rush workaround, someone please correct me if I misrepresented this 
fix).
        
        "about:studies" description:  
        hotfix-reset-xpi-verification-timestamp-1548973*Complete
        This study sets app.update.lastUpdateTime.xpi-signature-verification to 
1556945257.

>I'm hoping that Mozilla can get the appropriate certificate re-signed
>- some certificates use retired encryption and I don't know which certificates 
>are involved, so this may not be possible.
>That way the current fix can be reversed and all browsers will work exactly as 
>before.
>
>Can someone confirm that this is the plan?

You will also notice that there is another study/fix with the same bug number 
referenced.  This is the new intermediate that was delivered.  You can 
investigate the payload (if the study is still active on your machine - if it's 
inactive, the payload may have been deleted from the extensions dir) by going 
to "%appdata%\Mozilla\Firefox\Profiles\<yourprofile_here>.default\extensions" 
on Windows and opening the archive "[email protected]" 
with 7-Zip or whatever archive/compression tool you prefer.  You will see the 
new "mozilla.rsa" in "META-INF".

        "about:studies" description:  
        hotfix-update-xpi-signing-intermediate-bug-1548973*Complete
        This is a hotfix that updates an intermediate certificate used for 
signing add-ons. It is one of the mechanisms used to fix bug 1548973.

-----

tl;dr: You can consider that second hotfix 
(hotfix-update-xpi-signing-intermediate-bug-1548973) the final intermediate 
fix, along with the release of 60.6.2 for users that didn't have Studies 
enabled.

Release notes: https://www.mozilla.org/en-US/firefox/60.6.2/releasenotes/

Best regards,
John Gage

-----Original Message-----
From: Enterprise <[email protected]> On Behalf Of Andrew C 
Aitchison
Sent: Monday, May 6, 2019 2:33 PM
To: Karthik Krishnamurthy <[email protected]>
Cc: [email protected]
Subject: Re: [Mozilla Enterprise] Add-ons running on Firefox v61

On Sat, 4 May 2019, Karthik Krishnamurthy wrote:

> Hello all,
>
> In light of the new add-ons issue, what would be the fate of 
> enterprises running older versions of Firefox? Our organization runs 
> thousands of Windows systems with Firefox v61 with a managed add-on 
> installation using the windows registry method. How is the fix for 
> these older systems going to arrive for the add-ons bug?

The issue is caused by a certificate expiring.
The released fix is a work-around which reduces security by not checking the 
addon's signature.

I'm hoping that Mozilla can get the appropriate certificate re-signed
- some certificates use retired encryption and I don't know which certificates 
are involved, so this may not be possible.
That way the current fix can be reversed and all browsers will work exactly as 
before.

Can someone confirm that this is the plan?

-- 
Andrew C. Aitchison                                     Cambridge, UK
                        [email protected]
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
[email protected] with a subject of "unsubscribe"
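
Added example, not part of the original email thread or Mozilla's own tooling: a PowerShell version of the manual inspection described above, which opens every XPI under the Firefox profiles directory and lists the certificates carried in "META-INF/mozilla.rsa" with their expiry dates. It assumes Windows PowerShell 5.1, that mozilla.rsa is a DER-encoded PKCS#7 SignedData blob, and the default profile location quoted in the thread; the function and parameter names are hypothetical.

```powershell
# Added example: read-only audit of XPI signing certificates in a Firefox profile.
param(
    # Assumption: default profile root; override if profiles live elsewhere.
    [string]$ProfilesRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles')
)

Add-Type -AssemblyName System.IO.Compression.FileSystem   # ZipFile
Add-Type -AssemblyName System.Security                    # SignedCms

function Get-XpiSigningCerts {
    param([Parameter(Mandatory)][string]$XpiPath)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($XpiPath)
    try {
        # Case-insensitive match on the signature block inside the archive.
        $entry = $zip.Entries |
            Where-Object { $_.FullName -ieq 'META-INF/mozilla.rsa' } |
            Select-Object -First 1
        if (-not $entry) { return }   # no mozilla.rsa: nothing to report

        $stream = $entry.Open()
        $buffer = New-Object System.IO.MemoryStream
        try { $stream.CopyTo($buffer) } finally { $stream.Dispose() }

        # Decode only parses the PKCS#7 structure; it does not validate the chain.
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($buffer.ToArray())

        foreach ($cert in $cms.Certificates) {
            $notAfterUtc = $cert.NotAfter.ToUniversalTime()
            [pscustomobject]@{
                Xpi      = Split-Path $XpiPath -Leaf
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $notAfterUtc
                Expired  = $notAfterUtc -lt [DateTime]::UtcNow
            }
        }
    } finally { $zip.Dispose() }
}

Get-ChildItem -Path $ProfilesRoot -Recurse -Filter *.xpi -ErrorAction SilentlyContinue |
    ForEach-Object { Get-XpiSigningCerts $_.FullName } |
    Format-Table -AutoSize
```

An XPI that yields no rows has no "META-INF/mozilla.rsa"; the `Expired` column flags any embedded certificate whose validity period has already ended.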
