https://bugzilla.suse.com/show_bug.cgi?id=1221531
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c22
William Durand changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |will+opensuse@drnd.me
--- Comment #22 from William Durand ---
Hello from Mozilla,
I came here after having seen a few bug reports around add-ons and openSUSE
15.5 in the last 24 hours ([1], [2], [3]).
The most recent changes to the `crypto-policies` package introduced in Bug
1211301 broke Firefox.
Looking at this package, it seems `sha1` is now disabled in `nss` via a policy
file. Unfortunately, this breaks Firefox because Firefox is configured to
verify both signatures in add-ons (PKCS#7+SHA1 and COSE+SHA256). openSUSE's CI
didn't catch this regression because tests seem to be running without the
policies applied [4].
It is worth noting that add-ons have been dual-signed for many years. In fact,
Red Hat folks experienced a very similar situation in 2020 [5]. We are working
on removing the SHA-1 verification entirely but that will take time.
I would suggest updating the `crypto-policies` package to revert the NSS policy
support temporarily.
[1]: https://github.com/mozilla/addons/issues/1575
[2]: https://support.mozilla.org/bm/questions/1442616
[3]: https://forums.opensuse.org/t/firefox-addon-installation-aborted-corrupt-add...
[4]: https://build.opensuse.org/request/show/1154074#diff_1_n38
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1908018
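A regression check of the kind the comment says CI was missing, as an added example (not code from the bug report, Mozilla, or the `crypto-policies` package): it reads an NSS policy file and reports which of the two digests used by dual-signed add-ons the policy no longer allows. The sample policy text is constructed, and the evaluation order (disallow first, then allow) and exact-name matching are simplifying assumptions.

```python
import re
import sys

# Constructed sample in the style of an NSS policy file; not copied from the
# openSUSE package. The bare SHA1 digest is absent, only HMAC-SHA1 remains.
SAMPLE_STRICT = '''library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:SHA256:SHA384:SHA512:RSA-PKCS:tls-version-min=tls1.2"
'''
# Same constructed policy with the SHA1 digest put back in the allow list.
SAMPLE_WITH_SHA1 = SAMPLE_STRICT.replace("SHA256:SHA384", "SHA1:SHA256:SHA384")

# Digests behind the two add-on signatures named in the comment:
# PKCS#7+SHA1 and COSE+SHA256.
ADDON_DIGESTS = ["SHA1", "SHA256"]

def parse_policy(text):
    """Return e.g. {'disallow': [...], 'allow': [...]} from the config="..." line."""
    m = re.search(r'^config="([^"]*)"', text, re.MULTILINE)
    policy = {}
    if m:
        for part in m.group(1).split():
            key, _, value = part.partition("=")
            policy[key] = [tok.upper() for tok in value.split(":") if tok]
    return policy

def algorithm_allowed(policy, name):
    """Assumed model: 'disallow' is applied first, then 'allow'.
    Tokens are compared by exact name, so HMAC-SHA1 does not count as SHA1;
    any other policy syntax is not modelled."""
    allowed = True  # nothing in the policy restricts the algorithm
    if {"ALL", name} & set(policy.get("disallow", [])):
        allowed = False
    if {"ALL", name} & set(policy.get("allow", [])):
        allowed = True
    return allowed

def addon_verification_blockers(text):
    """Digests needed for dual-signed add-ons that the policy does not allow."""
    policy = parse_policy(text)
    return [d for d in ADDON_DIGESTS if not algorithm_allowed(policy, d)]

if __name__ == "__main__":
    # Pass the path of the policy file under test; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STRICT
    blockers = addon_verification_blockers(text)
    print("blocked digests:", blockers or "none")
    sys.exit(1 if blockers else 0)
```

Run in a test job with the policy file actually applied to the image, a non-zero exit flags the condition described in the comment before it reaches users.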