[Bug 1221531] New: Extension could not be verified for use in Firefox and has been disabled
https://bugzilla.suse.com/show_bug.cgi?id=1221531 Bug ID: 1221531 Summary: Extension could not be verified for use in Firefox and has been disabled Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Firefox Assignee: factory-mozilla@lists.opensuse.org Reporter: oleg.b.antonyan@gmail.com QA Contact: qa-bugs@suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 873591 --> https://bugzilla.suse.com/attachment.cgi?id=873591&action=edit Extensions window with errors All extensions suddenly disabled on 17.03.2024 with error: could not be verified for use in Firefox and has been disabled. Firefox 123 from main repo, 123 from mozilla repo, 123 tarball from mozilla.org - all have the same issue. Creating new profile doesn't help. Nighly from mozilla.org is ok -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 Bernd Speiser <bernd.speiser@uni-tuebingen.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bernd.speiser@uni-tuebingen | |.de -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 Paul Tannington <paul.pgp-7@gmx.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |paul.pgp-7@gmx.com -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c18 Andres Nogueiras <anogueiras@yahoo.es> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |anogueiras@yahoo.es --- Comment #18 from Andres Nogueiras <anogueiras@yahoo.es> --- Same fault is showing in opensuse 15.5 OS: opensuse 15.5 Firefox: 123.0.1 mozilla-nss: 3.98-lp155.1.2 libsoftokn3: 3.98-lp155.1.2 libfreebl3: 3.98-lp155.1.2 Tryed the command line "export NSS_IGNORE_SYSTEM_POLICY=1" and then call "firefox" and nothing has changed. All extensions are blocked. Not happy to downgrade NSS (mozilla-nss, libsoftokn3, libfreebl3 from tumbleweed main repo) to 3.97. I have to keep my system as "safe as possible". Happy to provide more info if it helps -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c19 Andrei Borzenkov <arvidjaar@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arvidjaar@gmail.com --- Comment #19 from Andrei Borzenkov <arvidjaar@gmail.com> --- (In reply to Andres Nogueiras from comment #18)
mozilla-nss: 3.98-lp155.1.2
Where does it come from? andrei@leap155:~> zypper se -sx -t package mozilla-nss Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository --+-------------+---------+----------------------+--------+------------------------------------------------------------- i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository andrei@leap155:~> -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 Ian Hodge <ian@hodgepigs.org.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ian@hodgepigs.org.uk -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c21 --- Comment #21 from Paul Tannington <paul.pgp-7@gmx.com> --- I came across this issue on a TW and Leap 15.5 system earlier today. I'm not convinced that mozilla-nss is the whole cause of this issue. I also had a leap 15.5 system which was fully updated yesterday, that brought mozilla-nss and associated packages to V3.98 - That system was updated and then switched off, so I had not used firefox since the update. On that system I downgraded mozilla-nss, mozilla-nss-certs, libsoftokn3 and libfreebl3 to 3.97 Currently installed: paul@HP255G7:~> zypper se -i -sx -t package MozillaFirefox mozilla-nss mozilla-nss-certs libsoftokn3 libfreebl3 Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+-------------------+---------+-------------------+--------+--------------- i+ | libfreebl3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | libsoftokn3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | mozilla-nss | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | mozilla-nss-certs | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | MozillaFirefox | package | 123.0.1-lp155.1.1 | x86_64 | Mozilla (Leap) paul@HP255G7:~> Upon starting firefox, after approximatey 60secs a banner displayed notifying addons had been disabled. I had a backup of the profile for FF 123.0.0 which I restored, again upon starting FF the addons where disabled. With a completely new FF profile I'm unable to add addons, tested with "FlagFox" and "NoScript" Both attempts fail with the message: "Installation aborted because the add-on appears to be corrupt." -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c22 William Durand <will+opensuse@drnd.me> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |will+opensuse@drnd.me --- Comment #22 from William Durand <will+opensuse@drnd.me> --- Hello from Mozilla, I came here after having seen a few bug reports around add-ons and openSUSE 15.5 in the last 24 hours ([1], [2], [3]). The most recent changes to the `crypto-policies` package introduced in Bug 1211301 broke Firefox. Looking at this package, it seems `sha1` is now disabled in `nss` via a policy file. Unfortunately, this breaks Firefox because Firefox is configured to verify both signatures in add-ons (PKCS#7+SHA1 and COSE+SHA256). openSUSE's CI didn't catch this regression because tests seem to be running without the policies applied [4]. It is worth noting that add-ons have been dual-signed for many years. In fact, Redhat folks experienced a very similar situation in 2020 [5]. We are working on removing the SHA-1 verification entirely but that will take time. I would suggest updating the `crypto-policies` package to revert the NSS policy support temporarily. [1]: https://github.com/mozilla/addons/issues/1575 [2]: https://support.mozilla.org/bm/questions/1442616 [3]: https://forums.opensuse.org/t/firefox-addon-installation-aborted-corrupt-add... [4]: https://build.opensuse.org/request/show/1154074#diff_1_n38 [5]: https://bugzilla.redhat.com/show_bug.cgi?id=1908018 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c23 --- Comment #23 from Andres Nogueiras <anogueiras@yahoo.es> --- (In reply to Andrei Borzenkov from comment #19)
(In reply to Andres Nogueiras from comment #18)
mozilla-nss: 3.98-lp155.1.2
Where does it come from?
andrei@leap155:~> zypper se -sx -t package mozilla-nss Loading repository data... Reading installed packages...
S | Name | Type | Version | Arch | Repository --+-------------+---------+----------------------+--------+------------------ ------------------------------------------- i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository andrei@leap155:~>
atenas:~ # zypper se -sx -t package mozilla-nss Refreshing service 'openSUSE'. ... Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+-------------+---------+----------------------+--------+---------------------- i+ | mozilla-nss | package | 3.98-lp155.1.2 | x86_64 | (System Packages) v | mozilla-nss | package | 3.97-lp155.2.1 | x86_64 | opensuse 15.5 mozilla v | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | update-sle (15.5) v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | update-sle (15.5) v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | update-sle (15.5) v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | repo-oss (15.5) And this is it... following messages have point out that SHA1 disabled on policies is to blame ¯\(°_o)/¯ Hope it gets reverted soon -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c24 --- Comment #24 from Andres Nogueiras <anogueiras@yahoo.es> --- Also, remove the extension and adding again makes it work, but all the config / setup for the extension is lost :( -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c25 Episteme PROMENEUR <epistemepromeneur@free.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |epistemepromeneur@free.fr --- Comment #25 from Episteme PROMENEUR <epistemepromeneur@free.fr> --- I confirm the problem occurs today for me (tumbleweed). It's very annoying. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 Frank Krüger <fkrueger@mailbox.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fkrueger@mailbox.org -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 Tomas Kloucek <tomas.kloucek@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomas.kloucek@gmail.com -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c28 Neike <reni@vivaldi.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |reni@vivaldi.net --- Comment #28 from Neike <reni@vivaldi.net> --- My workaround: Reset mozilla-nss and mozilla-nss-certs to version 3.97-lp155.2.1 from the mozilla-Repo and set this variable: export NSS_IGNORE_SYSTEM_POLICY=1 After that Fx works without problems. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c30 --- Comment #30 from Manfred Hollstein <manfred.h@gmx.net> --- (In reply to Episteme PROMENEUR from comment #29)
Tumbleweed 3.97 installed yesterday by discover
export NSS_IGNORE_SYSTEM_POLICY=1
has no effect.
problem still here and i can't install any extension.
Where/How do you set this variable? Typing it in a terminal window and starting Firefox from the menu has no effect! You should try this in a terminal window: export NSS_IGNORE_SYSTEM_POLICY=1; firefox & If that works, put the export NSS_IGNORE_SYSTEM_POLICY=1 into ~/.profile logout and login again. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c34 --- Comment #34 from Paul Tannington <paul.pgp-7@gmx.com> --- (In reply to Pedro Monreal Gonzalez from comment #31)
The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but the LEGACY one does allow it. Could somebody test if switching to LEGACY helps?:
sudo update-crypto-policies --set LEGACY
Note that, this command is shipped by the crypto-policies-scripts package.
If it help, I would force using the LEGACY policy only in mozilla-nss by default for now in crypto-policies and submit in a moment.
TIA
Using a new Firefox profile with "update-crypto-policies" unchanged: Unable to install extension "Installation aborted because the add-on appears to be corrupt." Using a new Firefox profile after "update-crypto-policies --set LEGACY": extensions install correctly. Using a new Firefox profile after resetting crypto policy "update-crypto-policies --set DEFAULT": Unable to install extension "Installation aborted because the add-on appears to be corrupt." -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c35 Frederik Möllers <frederik+suse@die-sinlosen.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |frederik+suse@die-sinlosen. | |de --- Comment #35 from Frederik Möllers <frederik+suse@die-sinlosen.de> --- This workaround helped me on Leap 15.5 and might work for others, too: 1. Launch Firefox with 'NSS_IGNORE_SYSTEM_POLICY=1 firefox' * Do not uninstall any extensions! * Instead, re-install everything you had previously installed on top of your old extensions * This should keep your extension settings (uBlock, password managers etc.) 2. Downgrade mozilla-nss and libsoftokn3 * zypper in --oldpackage mozilla-nss=3.79.4-150400.3.29.1 * zypper in --oldpackage libsoftokn3=3.79.4-150400.3.29.1 3. Prevent upgrades to those two packages for now: * zypper al 'libsoftokn3<=3.79.4' * zypper al 'libsoftokn3<=3.79.4' 4. Start Firefox with 'firefox --allow-downgrade' * Since you downgraded Firefox together with mozilla-nss, your profile is newer than your (now) installed Firefox. * Even though Firefox warns about possible corruptions, for me nothing broke. YMMV, though. 5. Now you can use firefox like you used to (without any command line parameters and with all extensions). 6. Keep an eye on this bugzilla to see if you can remove the package locks. I think this might be the best option without completely disabling security checks. Sure, it keeps an obsolete version of NSS. But the other two options seem to be to either disable extension signature checks completely or to not use Firefox extensions for now. Once the issue is fully resolved, you can remove the locks with 'zypper rl libsoftokn3' and 'zypper rl mozilla-nss' and perform a regular (dist-)upgrade. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c36 --- Comment #36 from Paul Tannington <paul.pgp-7@gmx.com> --- (In reply to Pedro Monreal Gonzalez from comment #31)
The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but the LEGACY one does allow it. Could somebody test if switching to LEGACY helps?:
sudo update-crypto-policies --set LEGACY
Note that, this command is shipped by the crypto-policies-scripts package.
If it help, I would force using the LEGACY policy only in mozilla-nss by default for now in crypto-policies and submit in a moment.
TIA
Additionally: With crypto policies set to legacy and after forcing FF to validate add on signature(s) by setting "app.update.lastUpdateTime.xpi-signature-verification" = 0 and restarting FF, upon restart signature verification is OK. (One can check that verification has indeed taken place by looking at the value of "app.update.lastUpdateTime.xpi-signature-verification"). -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c38 --- Comment #38 from Paul Tannington <paul.pgp-7@gmx.com> --- (In reply to Wolfgang Rosenauer from comment #37)
Quick update: All NSS packages I'm aware of now have crypto-policies disabled again. Therefore locking or going back/or stay with 3.97 is not required anymore.
The relevant support will be added later again.
Just to confirm: Leap 15.5 updated mozilla-nss etc to 3.98-lp155.2.1 - all now appears OK, addons can be installed, forced signature verification succeeds. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c41 Ricardo Minnaard <opensuse@x-labs.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |opensuse@x-labs.nl --- Comment #41 from Ricardo Minnaard <opensuse@x-labs.nl> --- I worked on my laptop that wasn't updated yet while this issue was being resolved. I just got home, turned on my TW PC that was effected by this. I just ran the updates, rebooted. Started up Firefox and everything worked. Didn't had to do anything. Thx!! -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c43 --- Comment #43 from Neike <reni@vivaldi.net> --- - just installed the latest update libfreebl3-3.98-lp155.2.1.x86_64 mozilla-nss-certs-3.98-lp155.2.1.x86_64 libsoftokn3-3.98-lp155.2.1.x86_64 mozilla-nss-3.98-lp155.2.1.x86_64 - Backup of Firefox profile imported - Firefox started - everything works fine Thank you :) -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531 https://bugzilla.suse.com/show_bug.cgi?id=1221531#c45 Nikolai Nikolaevskii <kaykaykay123@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kaykaykay123@gmail.com --- Comment #45 from Nikolai Nikolaevskii <kaykaykay123@gmail.com> --- (In reply to Andrei Borzenkov from comment #19)
(In reply to Andres Nogueiras from comment #18)
mozilla-nss: 3.98-lp155.1.2
Where does it come from?
andrei@leap155:~> zypper se -sx -t package mozilla-nss Loading repository data... Reading installed packages...
S | Name | Type | Version | Arch | Repository --+-------------+---------+----------------------+--------+------------------ ------------------------------------------- i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository andrei@leap155:~>
Leap uses Firefox ESR by default. To get newer ones user needs to add Mozilla repo: zypper addrepo https://download.opensuse.org/repositories/mozilla/openSUSE_Leap_15.5/mozill... Package mozilla-nss 3.98-lp155.1.2 was retracted. Newer mozilla-nss 3.98-lp155.2.1 solves problems with addons. I didn’t touch FF 123 for a couple of days, used FF ESR. After installing mozilla-nss 3.98-lp155.2.1 for Leap 15.5 addons for FF 123 started to work without reinstall, for FF ESR I made uninstall + install to get rid of warnings (with losing settings). For some addons you can perform Backup + Restore settings (NoScript, uBlock Origin, etc.). Soon we will get FF 124, possible it will help with addons troubles. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com