Closed
Bug 1028388
Opened 10 years ago
Closed 10 years ago
Sign the Firefox update hotfix (v20140527.01)
Categories
(Release Engineering :: Release Requests, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gps, Assigned: rail)
Attachments
(2 files)
Please sign the attached XPI, a Firefox hotfix that upgrades clients stuck on old releases.
For your reference, a similar request is bug 985689.
Assignee
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Reporter
Comment 2•10 years ago
Wil or Jorge:
Could one of you please upload the signed hotfix to the *dev* AMO server and publish it?
https://addons-dev.allizom.org/developers/addon/firefox-hotfix/edit
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
Comment 3•10 years ago
It's up on dev and published now.
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
Comment 4•10 years ago
I can't make the automatic install work, using the info on https://developer.mozilla.org/en-US/Add-ons/Hotfix#Testing_the_hotfix_on_the_staging_server. The signature is correct, also tried by running the ping snippet. Tested on FF 10, 28 Win 7.
So, what could be the problem?
Flags: needinfo?(jorge)
Reporter
Comment 5•10 years ago
Wait, why is the filename of the signed xpi different from what I submitted?
When I attempt to install it, I get the following:
Timestamp: 6/24/14, 11:43:30 AM
Error: Expected certificate attribute 'sha1Fingerprint' value incorrect, expected: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45', got: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89'.
Source File: resource:///modules/CertUtils.jsm
Line: 103
Timestamp: 6/24/14, 11:43:30 AM
Error: Certificate checks failed. See previous errors for details.
Source File: resource:///modules/CertUtils.jsm
Line: 106
Timestamp: 6/24/14, 11:43:30 AM
Warning: WARN addons.manager: The hotfix add-on was not signed by the expected certificate and so will not be installed.
LOG addons.xpi: Cancelling download of https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi
Not sure if the two are related. I'm going to reopen this until we have staging working.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee
Comment 6•10 years ago
$ wget https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi
$ wget https://bugzilla.mozilla.org/attachment.cgi\?id\=8443851 -O signed.xpi
$ md5sum *.xpi
1fa3c14f708d3502269357c41f4ee549 mozilla_firefox_hotfix-20130826.01-fx.xpi
a7722cc56ba17c672d80a4937839ce1d signed.xpi
They are not identical. Also 20130826 doesn't sound right...
Comment 7•10 years ago
Are you sure you're getting the right file? When I install from https://addons-dev.allizom.org/en-US/firefox/addon/firefox-hotfix/ it does a redirect dance and ends up at https://addons-dev-cdn.allizom.org/storage/public-staging/354399/mozilla_firefox_hotfix-20140527.01.xpi which md5sums to a7722cc56ba17c672d80a4937839ce1d.
Assignee
Comment 8•10 years ago
I'll be off Thu-Wed. Please ping people in #releng if there is something actionable from Releng side. I'll keep the bug assigned to me to make sure it's closed properly.
Comment 9•10 years ago
I uploaded the file in comment #1, which has an incorrect file name but appears to be the correct version. install.rdf and AMO have the correct number: 20140527.01
I don't know what could be wrong with the auto install. Maybe Unfocused can help with this.
Flags: needinfo?(jorge) → needinfo?(bmcbride)
Comment 10•10 years ago
To summarize what I think is happening here:
* rail made a typo when creating the signed file, using the command in the doc without updating the output file name. The correct input and signing cert were used.
* in comment #5, the build is expecting an old cert, it needs this treatment
https://developer.mozilla.org/en-US/Add-ons/Hotfix#Signatures
before testing the hotfix. For reference, the baked in key signatures in Firefox are:
From 10.0 - F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45
From 17.0 - CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89
From 25.0 - 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA
* the wrong file in comment #5, something wrong on the AMO side or testing method? It looks like the original v20130826.01, with a key sig which matches the active cert at that time (ie CA:C4...)
I suggest retesting, making sure extensions.hotfix.certs.1.sha1Fingerprint has been set to 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA.
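The diagnosis in comment 10, as an added example (not part of the bug thread and not Mozilla's code): a Node.js script that parses the Error Console mismatch line quoted in comment 5 and maps both fingerprints onto the pin table from comment 10. The function names, and treating the "From 25.0" entry as the current signing certificate, are assumptions of this example.

```javascript
// Hotfix signing-cert SHA-1 pins as listed in comment 10, keyed by the
// first Firefox major version that shipped each one.
const PINS = [
  { since: 10, sha1: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45' },
  { since: 17, sha1: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89' },
  { since: 25, sha1: '91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA' },
];

// Pin baked into a given Firefox major version (null before 10).
function pinFor(major) {
  const known = PINS.filter(p => p.since <= major);
  return known.length ? known[known.length - 1].sha1 : null;
}

// Pin generation a fingerprint belongs to, or null if it is not in the table.
function generationOf(sha1) {
  const hit = PINS.find(p => p.sha1 === sha1.toUpperCase());
  return hit ? hit.since : null;
}

// A SHA-1 fingerprint in colon notation is 20 hex pairs = 59 characters.
const FP = "([0-9A-Fa-f:]{59})";
const MISMATCH = new RegExp(
  "Expected certificate attribute 'sha1Fingerprint' value incorrect, " +
  "expected: '" + FP + "', got: '" + FP + "'");

// Find the mismatch in Error Console text and say which side is out of date.
function triage(logText, currentPin) {
  const m = MISMATCH.exec(logText);
  if (!m) return { mismatch: false };
  const expected = m[1].toUpperCase(), got = m[2].toUpperCase();
  return {
    mismatch: true,
    expectedGen: generationOf(expected), // pin the profile/build trusts
    gotGen: generationOf(got),           // cert that signed the download
    stalePref: expected !== currentPin,  // hotfix cert pref needs updating
    staleXpi: got !== currentPin,        // server returned an old XPI
  };
}

// Constructed sample: the first error message from comment 5.
const SAMPLE = "Error: Expected certificate attribute 'sha1Fingerprint' " +
  "value incorrect, expected: '" + PINS[0].sha1 + "', got: '" + PINS[1].sha1 + "'.";

console.log(triage(SAMPLE, pinFor(25)));
```

Both flags come back true for the comment 5 log: the profile still trusts the 10.0-era pin, and the downloaded file carries the 17.0-era signature.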
Comment 11•10 years ago
I suspect because the update ping to addons-dev.allizom.org results in a 304 status code, redirecting to versioncheck.addons.mozilla.org.
Might want to fix that :)
Flags: needinfo?(bmcbride)
Comment 12•10 years ago
(In reply to Blair McBride [:Unfocused] from comment #11)
> I suspect because the update ping to addons-dev.allizom.org results in a 304
> status code, redirecting to versioncheck.addons.mozilla.org.
>
> Might want to fix that :)
Wil, did something change recently about the update ping on -dev?
Flags: needinfo?(clouserw)
Comment 13•10 years ago
Nothing from me. Jason would know if we moved boxes around - they were changing settings files recently which might have affected this, although I thought it was only marketplace.
Are you expecting -dev to just point to -dev and not any VAMO (not even a -dev VAMO)?
Flags: needinfo?(clouserw)
Comment 14•10 years ago
I expect auto-updates to use -dev if you point your profile to -dev. I don't know what that entails.
Comment 15•10 years ago
Jason: This URL is redirecting to production VAMO: https://addons-dev.allizom.org/update/VersionCheck.php?reqVersion=2&id=firefox-hotfix@mozilla.org&version=&maxAppVersion=%ITEM_MAXAPPVERSION%&status=userEnabled,incompatible&appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appVersion=24.0&appOS=Darwin&appABI=x86_64-gcc3&locale=en-US&currentAppVersion=24.0&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%
Do you think that's a recent change? Can you make it...not do that? :)
Flags: needinfo?(jthomas)
Comment 16•10 years ago
Should be fixed now:
λ master ~ → curl -I https://addons-dev.allizom.org/update/VersionCheck.php\?reqVersion\=2\&id\=firefox-hotfix@mozilla.org\&version\=\&maxAppVersion\=%ITEM_MAXAPPVERSION%\&status\=userEnabled,incompatible\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=24.0\&appOS\=Darwin\&appABI\=x86_64-gcc3\&locale\=en-US\&currentAppVersion\=24.0\&updateType\=%UPDATE_TYPE%\&compatMode\=%COMPATIBILITY_MODE%
HTTP/1.1 301 Moved Permanently
Server: nginx
X-Backend-Server: dev2
Content-Type: text/html
Date: Mon, 30 Jun 2014 19:16:41 GMT
Location: https://versioncheck-dev.allizom.org//update/VersionCheck.php?reqVersion=2&id=firefox-hotfix@mozilla.org&version=&maxAppVersion=%ITEM_MAXAPPVERSION%&status=userEnabled,incompatible&appID=ec8030f7-c20a-464f-9b0e-13a3a9e97384&appVersion=24.0&appOS=Darwin&appABI=x86_64-gcc3&locale=en-US&currentAppVersion=24.0&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%
Via: Moz-zlb10
Connection: keep-alive
Content-Length: 178
Flags: needinfo?(jthomas)
Comment 17•10 years ago
Great!
We will have a new hotfix shortly for signing and staging. I think we should call this bug FIXED and file a new bug for the fixed version.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED