| What | Removed | Added |
|---|---|---|
| CC | will+opensuse@drnd.me |
Hello from Mozilla, I came here after having seen a few bug reports around add-ons and openSUSE 15.5 in the last 24 hours ([1], [2], [3]). The most recent changes to the `crypto-policies` package introduced in Bug 1211301 broke Firefox. Looking at this package, it seems `sha1` is now disabled in `nss` via a policy file. Unfortunately, this breaks Firefox because Firefox is configured to verify both signatures in add-ons (PKCS#7+SHA1 and COSE+SHA256). openSUSE's CI didn't catch this regression because tests seem to be running without the policies applied [4]. It is worth noting that add-ons have been dual-signed for many years. In fact, Redhat folks experienced a very similar situation in 2020 [5]. We are working on removing the SHA-1 verification entirely but that will take time. I would suggest updating the `crypto-policies` package to revert the NSS policy support temporarily. [1]: https://github.com/mozilla/addons/issues/1575 [2]: https://support.mozilla.org/bm/questions/1442616 [3]: https://forums.opensuse.org/t/firefox-addon-installation-aborted-corrupt-addon/173283/15 [4]: https://build.opensuse.org/request/show/1154074#diff_1_n38 [5]: https://bugzilla.redhat.com/show_bug.cgi?id=1908018