[Solved] New version of add-on signing resulting signature verification failed

We have a number of add-ons for Firefox, and signing has generally been working fine. Today I uploaded a new version of our “Password Manager” alpha/CI-level add-on, which we host ourselves, i.e. we use addons.mozilla.org only for signing that add-on. I had previously uploaded that add-on and gotten it signed on Monday of this week, and it worked fine. However, today when I signed the latest version of the add-on, downloaded it and tested it in Firefox (Windows, 82.0.2), Firefox claimed the add-on to be corrupted, and the Browser Console showed warnings about the add-on not being correctly signed + signature verification failed. I tried packing the add-on sources and submitting them for signing again, but the end result was the same: the add-on again had signature problems. I then compared the problematic signed add-on package with Monday’s working version, and there were not many changes. In the manifest, the version field was obviously updated, and the name, short name and description (coming via the locales JSON file) were updated because of product rebranding. Some PNG images had also been changed because of rebranding, and the META-INF contents were of course different, but that’s it.

Doh, found the root cause; let this be a cautionary tale for all of us. Apparently (?) a Firefox add-on stores the signing date in its signature, and when the add-on is installed in Firefox, a signature date that seems to be in the future is rejected as corrupted. In other words, I was testing with a VMware image and my snapshot’s date was not correct, i.e. the image’s clock was showing a date older than the add-on signing date. And that caused the add-on to be flagged as corrupted. As soon as I manually adjusted the image’s clock, add-on installation started working. :man_facepalming:

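The clock condition described in the post above can be checked before installing, shown here as an added example that is not part of the original thread or Mozilla's code. It compares the certificate validity dates found in an XPI's signature file with a given clock value. Assumptions: the dates that matter are the certificates' notBefore/notAfter fields, the PKCS#7 member is named `META-INF/mozilla.rsa`, and a heuristic byte scan stands in for a full ASN.1 parser; the sample package and dates are constructed.

```python
import io
import re
import zipfile
from datetime import datetime, timezone

# DER "Validity" holding two UTCTime values: SEQUENCE(len 30){UTCTime(13), UTCTime(13)}.
# Heuristic byte scan, not a full ASN.1 parser; GeneralizedTime (dates from 2050) is skipped.
VALIDITY = re.compile(rb"\x30\x1e\x17\x0d(\d{12})Z\x17\x0d(\d{12})Z")

def parse_utctime(digits: bytes) -> datetime:
    """Convert YYMMDDHHMMSS to an aware datetime using the RFC 5280 two-digit year pivot."""
    f = [int(digits[i:i + 2]) for i in range(0, 12, 2)]
    year = 1900 + f[0] if f[0] >= 50 else 2000 + f[0]
    return datetime(year, f[1], f[2], f[3], f[4], f[5], tzinfo=timezone.utc)

def validity_windows(der: bytes):
    """Return (notBefore, notAfter) for every certificate validity found in the blob."""
    return [(parse_utctime(m.group(1)), parse_utctime(m.group(2)))
            for m in VALIDITY.finditer(der)]

def clock_problems(xpi, now, member="META-INF/mozilla.rsa"):
    """List certificates in the XPI's signature file that are not valid at `now`."""
    with zipfile.ZipFile(xpi) as z:
        der = z.read(member)  # member name is an assumption, see lead-in
    problems = []
    for not_before, not_after in validity_windows(der):
        if now < not_before:
            problems.append(("not yet valid", not_before - now))
        elif now > not_after:
            problems.append(("expired", now - not_after))
    return problems

def sample_xpi() -> io.BytesIO:
    """Constructed sample: a ZIP whose signature member holds only one Validity field."""
    blob = b"\x30\x1e\x17\x0d201105120000Z\x17\x0d251104120000Z"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/mozilla.rsa", blob)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    stale_clock = datetime(2020, 11, 2, 9, 0, tzinfo=timezone.utc)  # constructed VM snapshot time
    for kind, delta in clock_problems(sample_xpi(), stale_clock):
        print(f"certificate {kind}: clock is off by {delta}")
```

For a real package, pass the path of the signed `.xpi` and `datetime.now(timezone.utc)` to `clock_problems`; an empty list means every validity window found covers the current clock.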