[Bug 1221531] New: Extension could not be verified for use in Firefox and has been disabled
https://bugzilla.suse.com/show_bug.cgi?id=1221531

Bug ID: 1221531
Summary: Extension could not be verified for use in Firefox and has been disabled
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Firefox
Assignee: factory-mozilla@lists.opensuse.org
Reporter: oleg.b.antonyan@gmail.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Created attachment 873591
  --> https://bugzilla.suse.com/attachment.cgi?id=873591&action=edit
Extensions window with errors

All extensions suddenly disabled on 17.03.2024 with error: could not be verified for use in Firefox and has been disabled.
Firefox 123 from main repo, 123 from mozilla repo, 123 tarball from mozilla.org - all have the same issue.
Creating a new profile doesn't help.
Nightly from mozilla.org is ok

--
You are receiving this mail because:
You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c18
--- Comment #18 from Andres Nogueiras
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c19
--- Comment #19 from Andrei Borzenkov
> mozilla-nss: 3.98-lp155.1.2

Where does it come from?

andrei@leap155:~> zypper se -sx -t package mozilla-nss
Loading repository data...
Reading installed packages...

S | Name        | Type    | Version              | Arch   | Repository
--+-------------+---------+----------------------+--------+-------------------------------------------------------------
i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
v | mozilla-nss | package | 3.90-150400.3.32.1   | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository
andrei@leap155:~>
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c21
--- Comment #21 from Paul Tannington
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c22
--- Comment #22 from William Durand
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c23
--- Comment #23 from Andres Nogueiras
> (In reply to Andres Nogueiras from comment #18)
> > mozilla-nss: 3.98-lp155.1.2
>
> Where does it come from?
>
> andrei@leap155:~> zypper se -sx -t package mozilla-nss
> Loading repository data...
> Reading installed packages...
>
> S | Name        | Type    | Version              | Arch   | Repository
> --+-------------+---------+----------------------+--------+-------------------------------------------------------------
> i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
> v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
> v | mozilla-nss | package | 3.90-150400.3.32.1   | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
> v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository
> andrei@leap155:~>

atenas:~ # zypper se -sx -t package mozilla-nss
Refreshing service 'openSUSE'.
...
Loading repository data...
Reading installed packages...

S  | Name        | Type    | Version              | Arch   | Repository
---+-------------+---------+----------------------+--------+----------------------
i+ | mozilla-nss | package | 3.98-lp155.1.2       | x86_64 | (System Packages)
v  | mozilla-nss | package | 3.97-lp155.2.1       | x86_64 | opensuse 15.5 mozilla
v  | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | update-sle (15.5)
v  | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | update-sle (15.5)
v  | mozilla-nss | package | 3.90-150400.3.32.1   | x86_64 | update-sle (15.5)
v  | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | repo-oss (15.5)

And this is it... following messages have pointed out that SHA1 disabled on policies is to blame ¯\(°_o)/¯

Hope it gets reverted soon
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c24
--- Comment #24 from Andres Nogueiras
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c25
--- Comment #25 from Episteme PROMENEUR
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c28
--- Comment #28 from Neike
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c30
--- Comment #30 from Manfred Hollstein
> Tumbleweed 3.97 installed yesterday by discover
>
>   export NSS_IGNORE_SYSTEM_POLICY=1
>
> has no effect.
> problem still here and I can't install any extension.

Where/How do you set this variable? Typing it in a terminal window and starting Firefox from the menu has no effect! You should try this in a terminal window:

  export NSS_IGNORE_SYSTEM_POLICY=1; firefox &

If that works, put the

  export NSS_IGNORE_SYSTEM_POLICY=1

into ~/.profile, log out and log in again.
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c34
--- Comment #34 from Paul Tannington
> The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but the LEGACY one does allow it. Could somebody test if switching to LEGACY helps?:
>
>   sudo update-crypto-policies --set LEGACY
>
> Note that this command is shipped by the crypto-policies-scripts package.
>
> If it helps, I would force using the LEGACY policy only in mozilla-nss by default for now in crypto-policies and submit in a moment.
>
> TIA

Using a new Firefox profile with "update-crypto-policies" unchanged:
Unable to install extension "Installation aborted because the add-on appears to be corrupt."

Using a new Firefox profile after "update-crypto-policies --set LEGACY":
extensions install correctly.

Using a new Firefox profile after resetting crypto policy "update-crypto-policies --set DEFAULT":
Unable to install extension "Installation aborted because the add-on appears to be corrupt."
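
Added example, not part of the bug thread or of any comment in it: the DEFAULT/LEGACY difference tested in comment #34 can be read off the NSS policy string itself. The sketch assumes the policy carries a colon-separated `allow=` list and that the crypto-policies NSS back-end file lives at /etc/crypto-policies/back-ends/nss.config; both sample policies are constructed.

```shell
#!/bin/sh
# Added example: decide whether an NSS policy string permits the SHA-1 hash.
# Assumption: the policy has the form  config="disallow=ALL allow=A:B:C"
# with colon-separated names. The samples below are constructed, not copied
# from a real system.

SAMPLE_DEFAULT='library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:aes256-gcm:SHA256:SHA384:SHA512:RSA-MIN=2048"'

SAMPLE_LEGACY='library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:aes256-gcm:SHA1:SHA256:SHA384:SHA512:RSA-MIN=2048"'

# Reads policy text on stdin; prints "allowed", "blocked" or "unknown".
nss_policy_sha1() {
    # Take the allow= list; the leading [" ] keeps "disallow=" from matching.
    allow=$(sed -n 's/.*[" ]allow=\([^" ]*\).*/\1/p' | head -n 1)
    if [ -z "$allow" ]; then
        echo unknown            # no allow list found: do not guess
        return 0
    fi
    # Compare whole names only: HMAC-SHA1 (a MAC) must not count as SHA1.
    if printf '%s\n' "$allow" | tr ':' '\n' | tr 'a-z' 'A-Z' | grep -qx 'SHA1'; then
        echo allowed
    else
        echo blocked
    fi
}

printf 'constructed DEFAULT sample: %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | nss_policy_sha1)"
printf 'constructed LEGACY sample:  %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | nss_policy_sha1)"

# On a live system (path is an assumption; skipped when the file is absent):
POLICY_FILE=/etc/crypto-policies/back-ends/nss.config
if [ -r "$POLICY_FILE" ]; then
    printf '%s: %s\n' "$POLICY_FILE" "$(nss_policy_sha1 < "$POLICY_FILE")"
fi
```
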
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c35
--- Comment #35 from Frederik Möllers
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c36
--- Comment #36 from Paul Tannington
> The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but the LEGACY one does allow it. Could somebody test if switching to LEGACY helps?:
>
>   sudo update-crypto-policies --set LEGACY
>
> Note that this command is shipped by the crypto-policies-scripts package.
>
> If it helps, I would force using the LEGACY policy only in mozilla-nss by default for now in crypto-policies and submit in a moment.
>
> TIA

Additionally: With crypto policies set to legacy and after forcing FF to validate add on signature(s) by setting "app.update.lastUpdateTime.xpi-signature-verification" = 0 and restarting FF, upon restart signature verification is OK.

(One can check that verification has indeed taken place by looking at the value of "app.update.lastUpdateTime.xpi-signature-verification").
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c38
--- Comment #38 from Paul Tannington
> Quick update: All NSS packages I'm aware of now have crypto-policies disabled again. Therefore locking or going back/or stay with 3.97 is not required anymore.
> The relevant support will be added later again.

Just to confirm: Leap 15.5 updated mozilla-nss etc to 3.98-lp155.2.1 - all now appears OK, addons can be installed, forced signature verification succeeds.
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c41
--- Comment #41 from Ricardo Minnaard
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c43
--- Comment #43 from Neike
https://bugzilla.suse.com/show_bug.cgi?id=1221531#c45
--- Comment #45 from Nikolai Nikolaevskii
> (In reply to Andres Nogueiras from comment #18)
> > mozilla-nss: 3.98-lp155.1.2
>
> Where does it come from?
>
> andrei@leap155:~> zypper se -sx -t package mozilla-nss
> Loading repository data...
> Reading installed packages...
>
> S | Name        | Type    | Version              | Arch   | Repository
> --+-------------+---------+----------------------+--------+-------------------------------------------------------------
> i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
> v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
> v | mozilla-nss | package | 3.90-150400.3.32.1   | x86_64 | Update repository with updates from SUSE Linux Enterprise 15
> v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository
> andrei@leap155:~>

Leap uses Firefox ESR by default. To get newer ones, the user needs to add the Mozilla repo:

  zypper addrepo https://download.opensuse.org/repositories/mozilla/openSUSE_Leap_15.5/mozill...

Package mozilla-nss 3.98-lp155.1.2 was retracted. Newer mozilla-nss 3.98-lp155.2.1 solves problems with addons.

I didn’t touch FF 123 for a couple of days, used FF ESR. After installing mozilla-nss 3.98-lp155.2.1 for Leap 15.5, addons for FF 123 started to work without reinstall; for FF ESR I made uninstall + install to get rid of warnings (with losing settings). For some addons you can perform Backup + Restore settings (NoScript, uBlock Origin, etc.).

Soon we will get FF 124, possibly it will help with addon troubles.