Build Identifier: https://hg.mozilla.org/releases/mozilla-release/rev/62bee8cdd19f Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 ID:20150513174244 Signed extensions on AMO fails to install. Steps to reproduce: Try to install from https://addons.mozilla.org/en-US/firefox/addon/quoteurltext/ https://addons.mozilla.org/en-US/firefox/addon/aguse/ Actual Results: It fails to install. Door hanger said "The add-on downloaded from addons.mozilla.org could not be installed because it appears to be corrupt." Expected Results: Successfully installed

Another example: Map This 0.3.1.1-signed https://addons.mozilla.org/firefox/addon/map-this/ The add-ons successfully install in Nightly, but the signature is not recognized: the warning “could not be verified for use in Nightly” is displayed.

Potentially an important regression, tracking.

This comment is about the "addon is corrupt" issue. I think it's different than the "signature is not recognized" one. Here are the logs when trying to install the "quoteurl" addon from https://addons.mozilla.org/en-US/firefox/addon/quoteurltext/ 1432893291948 addons.xpi DEBUG Download started for https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary to file /Users/mathieu/Library/Caches/TemporaryItems/tmp-g1c.xpi 1432893291949 addons.xpi DEBUG Download of https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary completed. 1432893291950 addons.xpi WARN Download of https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary failed: [Exception... "Component returned failure code: 0x8052000b (NS_ERROR_FILE_CORRUPTED) [nsIZipReader.getSigningCert]" nsresult: "0x8052000b (NS_ERROR_FILE_CORRUPTED)" location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: AI_loadManifest :: line 5295" data: no] Stack trace: AI_loadManifest()@resource://gre/modules/addons/XPIProvider.jsm:5295 < AI_onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:5580 < <file:unknown> 1432893291954 addons.xpi DEBUG downloadFailed: removing temp file for https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary 1432893291954 addons.xpi DEBUG removeTemporaryFile: https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary removing temp file /Users/mathieu/Library/Caches/TemporaryItems/tmp-g1c.xpi I tried the two others also on my FF 39, with the same result. I could manage installing them on my Firefox Dev edition "40.0a2 (2015-05-28)" though. The very first time I tried on the dev edition (before it got updated/restarted?) it failed with the exact same issue. I also tried using a new profile on my FF 39, but it failed the same way.

I've opened a new bug for the "this signature is not recognized" issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1169574

I think the patch in bug 1038068 needs to be uplifted to beta. :Mossop, can you confirm?

mozregression narrowed it down to https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5fa88d413c4f&tochange=ad388474898c From reading the description that page, bug 1038068 is the only bug I spotted who could be "responsible".

(In reply to Andreas Wagner [:TheOne] from comment #6) > I think the patch in bug 1038068 needs to be uplifted to beta. > > :Mossop, can you confirm? No that shouldn't be necessary. If beta doesn't work without that patch then I'd expect no version of Firefox before 40 to work, is that the case?

So the bug is that these add-ons have multiple manifest.mf files. One of them is the one we add during signing, the other is one that was already present in the add-on and in the cases here they don't contain hashes for the files in the add-on. The old Firefox signature checks call an add-on corrupt if it appears signed and has multiple manifest.mf files so these add-ons probably don't install in any version of Firefox before 40. The new signature checks don't do that, but they will use the original manifest.mf (it is listed first in the zip) for the signature checks which in at least these cases will fail because they don't hash the add-on's files. The original manifest looks like it comes from some build tools, gcc is mentioned in one, Apache Ant in another. This is something we'll have to fix by signing these add-ons correctly I think.

I guess bug 1169574 is the bug to do that

Fixed in https://github.com/mozilla/olympia/commit/8b4966ff33f22f35ba1cf286fb3f822c8bec0258 (at the same time as bug 1169574)