Closed Bug 562303 Opened 14 years ago Closed 14 years ago

Wrong extension signature causes install from local file to fail silently

Categories

(Toolkit :: Add-ons Manager, defect, P2)

Product:
Toolkit
Component:
Add-ons Manager
Platform:
x86
Windows 7
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla2.0b1
Tracking Flags:
Tracking Status
blocking2.0 --- final+

People

(Reporter: ecfbugzilla, Unassigned)

References

Details

(Whiteboard: [rewrite])

Attachments

(2 files)

Correctly signed XPI file
(deleted), application/x-xpinstall
Details
Incorrectly signed XPI file
(deleted), application/x-xpinstall
Details 
I was trying to install a version of Adblock Plus with a slightly modified install.rdf file and installation seemingly didn't do anything whatsoever. Error Console showed the reason:

Signature Verification Error: the signature on install.rdf is invalid because the MANIFEST.MF file does not contain a valid hash of the file being verified.

Error: ERROR addons.manager: Exception calling provider.getInstallForURL: Error: XPI is incorrectly signed

Shouldn't this produce some user-visible error? I don't think that we want the user to be able to install such an add-on but an error message would be useful if the download was corrupted by anti-virus software for example.
Wladimir, do you have an example of that XPI and could you attach it on that bug?

This bug depends on bug 552965 IMO.
Depends on: 552965
Attached file Correctly signed XPI file (deleted) — 
Correctly signed XPI file - this one should show "Wladimir Palant" as author.
Attached file Incorrectly signed XPI file (deleted) — 
This has the same signature as the previous XPI file but some whitespace modification in install.rdf - the signature doesn't match.
Actually, when installing from the web I get an error message:

The download of https://bug562303.bugzilla.mozilla.org/attachment.cgi?id=442047 failed: -3

With a file from your hard drive not even this (unhelpful) message is shown.
Do you eventually see bug 562302? Does a new profile or removing the extensions.sqlite file help?
No, the profile is brand new. And I can install extensions - it's only those with invalid signature that fail.
Hmm, for local files, it seems the API sends no events until after its successfully loaded the manifest (and a bunch of other stuff). So the UI doesn't know anything has actually happened, let alone an error has occurred.
Certainly the poor error message is bug 552965, the total lack of errors for local installs is something new though
Priority: -- → P2
blocking2.0: --- → beta1+
Summary: Wrong extension signature causes install to fail silently → Wrong extension signature causes install from local file to fail silently
blocking2.0: beta1+ → final+
Depends on: 570200
Fixed by the patch in bug 570200
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Flags: in-litmus-
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a5
Target Milestone: mozilla1.9.3a5 → mozilla1.9.3
Given the automated tests it looks to be stable enough to call it out as verified fixed.
Status: RESOLVED → VERIFIED
Target Milestone: mozilla1.9.3 → mozilla1.9.3a6
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: