Recent add-on signature verification errors

(Jorge) #1

Yesterday, we discovered some add-ons are triggering the “unverified” error in Firefox when they shouldn’t. It turns out that add-ons that were signed about a year ago and haven’t been updated since then are having their signatures invalidated because of the expiration date they have set.

We plan to fix this in two fronts:

  1. The immediate fix is to re-sign all add-ons that had their latest version signed near the beginning of the signing program. All affected developers will be notified so that they can distribute the new versions externally if they need to. This process will be run later today.
  2. The long term fix is to remove the certificate expiration date check in Firefox, since this restriction was never part of the original plan. This fix should be uplifted to Firefox 46 and ESR.

If you think you’re affected and want to take preemptive action, all you need to do is upload a new version of your add-on for signing. The newly-signed version will have a certificate that is valid for at least a year (I think we already changed it to 3 years as a precaution), and soon all current versions of Firefox will ignore the expiration date anyway.