William Durand changed bug 1221531
What Removed Added
CC   will+opensuse@drnd.me

Comment # 22 on bug 1221531 from William Durand
Hello from Mozilla,

I came here after having seen a few bug reports around add-ons and openSUSE
15.5 in the last 24 hours ([1], [2], [3]).

The most recent changes to the `crypto-policies` package introduced in Bug
1211301 broke Firefox.

Looking at this package, it seems `sha1` is now disabled in `nss` via a policy
file. Unfortunately, this breaks Firefox because Firefox is configured to
verify both signatures in add-ons (PKCS#7+SHA1 and COSE+SHA256). openSUSE's CI
didn't catch this regression because tests seem to be running without the
policies applied [4]. 

It is worth noting that add-ons have been dual-signed for many years. In fact,
Red Hat folks experienced a very similar situation in 2020 [5]. We are working
on removing the SHA-1 verification entirely, but that will take time.

I would suggest updating the `crypto-policies` package to revert the NSS policy
support temporarily.

[1]: https://github.com/mozilla/addons/issues/1575
[2]: https://support.mozilla.org/bm/questions/1442616
[3]: https://forums.opensuse.org/t/firefox-addon-installation-aborted-corrupt-addon/173283/15
[4]: https://build.opensuse.org/request/show/1154074#diff_1_n38
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1908018

