Waterfox treating signed addons as unsigned

I confirmed that this is caused by Mozilla forgetting that their certificate was going to expire. In Firefox this caused people's addons to get disabled, in Waterfox the effects aren't as serious.
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

Related Browser Console message -

Signature Verification Error: the signature on this .jar archive is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

Track https://discourse.mozilla.org/t/-/39845?u=grahamperrin – expect advice from Mozilla in due course.

In the meantime there's a workaround for most cases where an add-on will either not install, or not update:

• https://redd.it/bktabg

NB the _Wood time_ example in the overview at https://www.reddit.com/comments/bktabg/-/emmt6qp/

The fix from mozilla-esr60 looks to fix this issue in Waterfox. I'll do a pull request soon.

The impact of this issue on Waterfox is more serious than I originally realised.

Waterfox 56.2.9 can no longer install signed WebExtensions that don't specify an addon ID in their manifest.json.
Example: https://addons.mozilla.org/firefox/addon/cookie-quick-manager/

Browser Console message -

addons.xpi  WARN    Download of https://addons.mozilla.org/firefox/downloads/file/1676320/cookie_quick_manager-0.4rc4-an+fx.xpi?src=dp-btn-primary failed: Error: Cannot find id for addon /tmp/tmp-n3i.xpi (resource://gre/modules/addons/XPIInstall.jsm:1643:17) JS Stack trace: [email protected]:1643:17

This problem does not exist in a custom Waterfox build with the patches from the pull request.

Example: https://addons.mozilla.org/firefox/addon/cookie-quick-manager

Yep, in my patch-free _default_ profile with 56.2.9 on FreeBSD-CURRENT:

• the page above yields a red alert,

Download failed. Please check your connection.

• an attempt to install https://addons.mozilla.org/firefox/downloads/file/1676320/cookie_quick_manager-0.4rc4-an+fx.xpi yields a different red alert,

The add-on downloaded from this site could not be installed because it appears to be corrupt.

No problem with a profile into which I imported the icfix.pem from https://www.velvetbug.com/benb/icfix/

Obliquely related, a Mozilla bug that I began following at the weekend:

• 1549129 - Add-ons without explicit ID in their manifest.json are removed when the signature is invalid AND their modification time has changed

– in particular, the response(s) to comment 8. Edge case, and (!) too much to get my head around at the moment, but it might be prudent to discourage end users from messing with their system clock as an interim workaround to armagadd-on-2.0.

:100:

STEPS TO IMPORT THE CERTIFICATE

Different methods to have your extensions act normal again are listed below, starting with the easiest, fastest one with the least footprint and number of clicks - direct import, no extra extension needed, compliantly working for both, Desktop and Android.

RECOMMENDED: "CATCH-ALL Fix", tested with Waterfox Desktop 56.2.9 & Waterfox Android 56.1.0, but should work with _any_ edition and version of Waterfox/ Firefox affected by the armagadd-on 2.0 bug:

1. Click onto icfix.pem (BASE64 format version credit to Ben B/velvetbug) OR addons-public-intermediate.der (BINARY format version credit to Mozilla) _(both formats, binary and base64, have exactly the same effect and are interchangeable)_
2. Click onto OK (no need to check both boxes - you can leave them BLANK when authorizing the certificate it makes! Hint and screenshot credit to grahamperrin):
   
3. To verify if you can install extensions again which are affected by the certificate bug, test-install e.g. Custom UserAgent String

Waterfox _DESKTOP_ 56.2.9 ONLY:

A) Mozilla also provides extensions that import that same certificate into the matching version of Firefox. For instructions about the extension installation, go to Mozilla's 'Disabled Add-on Fix for Firefox 52 - 56' (compatible with Waterfox 56.2.9).

Note that Disabled Add-on Fix for Firefox 47 - 56 (by Mozilla) is _NOT_ immediately working for Waterfox _Desktop_ 56.2.9: "_This add-on is not compatible with your version of Firefox_" due to Waterfox pretending to be Firefox 57 on AMO in about:config?filter=general.useragent.override (credit to laniakea64 for the hint). It is, however, possible to install it via this direct link (v.1.1.4, 2019-05-14), or (if you want to walk through step-by-step) by right-clicking the greyed out "Add To Firefox.." button > Copy link location, then right-click the address bar > Paste & Go. Via same right-click contextual menu, it can be downloaded manually and be dragged into about:addons, where you should see it active afterwards. In a fresh virgin account, affected Add-ons DO then install.

B) If you prefer to save the certificate to your hard drive to import it for later offline usage:

1. Download via right ("secondary") click, "Save Link As..":
   • icfix.pem (BASE64) from either location 1 or location 2
   • addons-public-intermediate.der/.crt (BINARY) from either location 1 or location 2
2. Options/ Preferences, Advanced
3. View Certificates
4. Select "Authorities"
5. Import
6. Navigate to icfix.pem on your hard drive
7. Click onto OK to import the certificate

[Credits to megalomaniacs4u for his base fix [Addons Fix for Firefox 56.0.2 & older](https://www.reddit.com/r/firefox/comments/bkspmk/addons_fix_for_5602_older/)]

C) If you still can't install an extension that should be installable, you could try the steps for Firefox 56.0.2 and older outlines by Ben B:

1. Open the browser console (Windows: Ctrl + Shift + J | Mac: Cmd + Shift + J) and run the following two lines (copy, paste, enter):

Components.utils.import("resource://gre/modules/addons/XPIProvider.jsm");
XPIProvider.verifySignatures();

1. Test again (Custom UserAgent String)

Waterfox _ANDROID_ 56.1.0 ONLY:

Again I highly recommend you ONLY install the certificate itself as described above (!) because Mozilla made the Extensions for Firefox not for Waterfox and did NOT test them in Waterfox, naturally! In a test run in a new fresh virgin profile, v.1.1.2 of the Extension installed and had the desired effect of affected Add-ons installing afterwards, but the Extension is NOT and can NOT be enabled in Add-ons (even after WF force-quit and re-launch), which rings an alarm bell..

On May 14 2019 Mozilla published v.1.1.4 on their Disabled Add-on Fix for Firefox 47-56 page, but again, think twice if you _really_ voluntarily want to play guinea pig even though there is no need to...

Also please note that in the process of the recent purge of addons.mozilla.org, Mozilla not only removed all legacy Extensions but also Themes, and ONLY left themes for Firefox Android 65.0+!! You might still find an older theme version on addons.mozilla.org which might install, but very most likely it will not have any effect!

I'm confident Alex will also release WF 56.x.x with this fix very soon (as per Alex also for Android "on its way" 🥇) because the release of WF 68 final will still take a while.

BTW, I think this is a worthwhile read for everyone: What you need to know about add-ons in Waterfox 68 - gHacks Tech News

Further links:

• Mozilla's hot-fix: a test routine for users of Waterfox 56.2.9
• Mozilla's thread with different extensions for Firefox 47-65 at bugzilla.mozilla.org: 1550793 - publish armagadd-on 2.0 hotfixes on AMO for self-install.

Yeah OK, I was kinda suprised I ran into this issue https://github.com/MrAlex94/Waterfox/issues/936#issuecomment-489872863 issue today since Waterfox already allows unsigned extensions by default and my custom legacy addons work alright and I had no troubles with recent armagadd-on even without new certificate.

Yet I couldn't install one specific modded addon today. I believe only WE addons are affected and fix is pretty simple (via https://github.com/MrAlex94/Waterfox/issues/936#issuecomment-489872863 & https://github.com/MrAlex94/Waterfox/issues/936#issuecomment-490002026 @laniakea64, thanks for the short description) .

Carve-up XPI, open manifest.json and add JSON block:

"applications": {
        "gecko": {
            "id": "<your_addon_id>"
        }
    },

Repack XPI and you are good to go.

By the way this bug forces browser to delete "corrupted" addons.

(Edit: This is in reply to https://github.com/MrAlex94/Waterfox/issues/936#issuecomment-490452890 . I don't understand why this reply is showing above that comment?)

Carve-up XPI, open manifest.json and add JSON block:

"applications": {
        "gecko": {
            "id": "<your_addon_id>"
        }
    },

:+1:
This should work if you give it the same addon ID as the AMO version. You should be able to find that ID in about:support

By the way this bug forces browser to delete "corrupted" addons.

I haven't experienced this in Waterfox 56.2.9. Could you please explain more under what circumstances does this happen?

@laniakea64

This should work if you give it the same addon ID as the AMO version. You should be able to find that ID in about:support

Correct, yes. In case addon was not installed in the first place one should look into mozilla.rsa certificates for proper ID. If addon was initially downloaded from AMO, XPI name is basically its ID.

Could you please explain more under what circumstances does this happen?

1. Install WebExtension addon that doesn't have id in manifest.json (e.g. Smart HTTPS 0.2.5).
2. Close Waterfox.
3. Edit any file inside installed XPI.
4. Launch Waterfox.

Extension will be gone without any visible notification, Waterfox will move XPI file to trash subfolder inside extensions folder. I believe it will be permanently deleted later but I am not sure.

Alternatively you may download XPI from AMO, edit it and try to install it. Waterfox won't let you do it saying it's "corrupted".

This problem does not exist in a custom Waterfox build with the patches from the pull request.

Are you sure about that? That patch basically installs new certificate and that's it. I've already installed it manually and it's still impossible to install edited addons without touching manifest.json.

My understanding is the issue in the first post and recent armagadd-on-2.0 are totally unrelated, just bad timing.

_{I wonder how you managed to reply to my post the way it shows above mine 🤔}

_{Edit: Github rearranged our posts (LOL).}

Incidentally … without testing the effect of this PR, I find it unnecessary to check any of the three trust options:

Simply having the certificate present seems to suffice for e.g. the Cookie Quick Manager case.

Am I missing something?

https://www.reddit.com/r/firefox/comments/bkspmk/-/emkd8qp/ some users of Firefox find the same, no need to check any of the boxes.

Helpful information, all of it - thanks for sharing here!

Three questions:

1. Which file does icfix.pem get imported into?
   .. and regarding Waterfox Android:
2. how can I import the certificate icfix.pem the easiest way (no certificate import option as in Waterfox Desktop)
3. how can I install a modified xpi (there is no drag-&-drop as in Waterfox Desktop)

Android 7.1.1, rooted

If you go to the following link...

https://www.reddit.com/r/firefox/comments/bkspmk/addons_fix_for_5602_older/

... And select the link at the very top, it'll install on the Android app as a normal addon.

~Ibuprophen

Thanks, @ibuprophen1 , you just cured some of my headaches .. ;) I never thought the .xpi would have any effect neither in legacy Firefox nor in Waterfox which both don't have or use "normandy", so I sure am surprised that now two oddities I never thought were related to this add-on signing issue are back to normal in my Android Waterfox 👍

Still, as others noted, not all extensions install, like Custom UserAgent String by Linder. Or does it install for anybody, either in Waterfox Android with the .xpi installed, or in Waterfox Mac/ Linux/ Windows with icfix.pem imported?

Would be great if someone could test-install this add-on and feed-back- thanks.

There's a handful of them that I can't install myself since this nightmare began.

I'm hoping to either figure out or find something to get going at least 2 of the ones I can't install since I do rely on them for a handful of items I do on the Android Browser.

I'm happy to see a good handful of them going so far.

~Ibuprophen

the link at the very top, it'll install on the Android app

Note, the linked file is not a fix for Waterfox 56.2.9.

… not all extensions install, like Custom UserAgent String by Linder. Or does it install for anybody, … in Waterfox Mac/ Linux/ Windows with icfix.pem imported? …

Custom UserAgent String can be added to (desktop) Waterfox 56.2.9 on FreeBSD-CURRENT.

For any add-on that can not be added to a _fixed_ installation of 56.2.9, please raise a separate issue. Thanks

1. Install WebExtension addon that doesn't have id in manifest.json (e.g. Smart HTTPS 0.2.5).

2. Close Waterfox.

3. Edit any file inside installed XPI.

4. Launch Waterfox.

Extension will be gone without any visible notification, Waterfox will move XPI file to trash subfolder inside extensions folder. I believe it will be permanently deleted later but I am not sure.

Alternatively you may download XPI from AMO, edit it and try to install it. Waterfox won't let you do it saying it's "corrupted".

This problem does not exist in a custom Waterfox build with the patches from the pull request.

Are you sure about that? That patch basically installs new certificate and that's it. I've already installed it manually and it's still impossible to install edited addons without touching manifest.json.

Thanks for the clarification. I think this is unrelated to armagadd-on-2.0, and expected behavior. WebExtensions that are not properly signed have always required addon ID.

I'm surprised you were ever able to get that to work.

I've always had to do this when modifying signed WebExtensions that don't have an ID:

1) Copy the xpi outside of profile folder

2) Delete the signature

3) Add addon ID to manifest.json, as you described

4) Make your modifications

5) Install modified XPI through Waterfox, the normal way, e.g. by drag&drop to tab bar.

Mozilla changed their fix for esr60 - https://hg.mozilla.org/releases/mozilla-esr60/rev/5749f5b42cbf5a972bc8c398ed377977da35dbd2

I don't understand this patch :frowning_face: Does Waterfox need to follow suit?

@laniakea64

I think this is [...] expected behavior.

Looks like this is the case, yes, it's just very confusing since it stops user from installing unsigned WE extensions while Waterfox and Firefox ESR claim it's supported, i.e. xpinstall.signatures.required, false doesn't help.

I've always had to do this when modifying signed WebExtensions that don't have an ID

Oh so you ran into this issue before? Well I barely have any WE addons since their support in pre-57 versions is quite poor, most of them require 60+ or even 66 anyway, so I never had a reason to modify them.

I don't understand this patch

Previous hotfix forced Firefox to install new certificate into user storage cert8.db/cert9.db, now Mozilla bakes it into Firefox itself.

Is it possible the plugins available for download at the Mozilla website have been altered so that only Firefox 66 users can install them?--possibly since Add-on issue started days ago (so-called Armagadd-on-2.0) ?

Is it possible the plugins available for download at the Mozilla website have been altered so that only Firefox 66 users can install them?--possibly since Add-on issue started days ago (so-called Armagadd-on-2.0) ?

I don't think so. The only difference between Firefox 66.0.3 and 66.0.4/66.0.5 is armagadd-on-2.0 fix. And that same fix works for Waterfox to install the addons again.

The only difference between Firefox 66.0.3 and 66.0.4/66.0.5 is armagadd-on-2.0 fix. And that same fix works for Waterfox to install the addons again.

Then where's the fix for Waterfox 56?

Merged but not released yet - https://github.com/MrAlex94/Waterfox/pull/940

I did notice, for the Android App, that regarding some of the Addons I couldn't install, I was able to install only certain older versions/releases of them.

This is an oddity...

~Ibuprophen

one more step and you're there .. ;) (moved up for better accessibility)

I am rooted...

I've got the Waterfox Beta v56.1.0 (ARM 32-bit) I always install directly from the Play Store.

I took a look and found that it currently has the "cert9.db". Should I try to look within this Github Repo (or the Apk file) for a cert8.db to extract and replace the current one with?

~Ibuprophen

@ibuprophen1 : FIXED!! Here's how:

1. fired up FX (my fav. Android file manager), tapped onto "System (root)"
2. navigated to my Waterfox profile (data/data/org.waterfoxproject.waterfox/files/mozilla/abc..xyzDefault): also only cert9.db.
3. navigated to my Firefox 66.0.5 profile (data/data/org.mozilla.firefox/files/mozilla/abc..xyzDefault): also only cert9.db.
4. force quit Waterfox, renamed cert9.db -> cert9.db.bak
5. copied FF profile cert9.db -> WF profile
6. launched WF, went to Custom UserAgent String, tapped onto "+ Add to Firefox" -> BOOM, INSTALLED!!
   🥇 👍 💯

Just for the record (thanks to Samuel Vuorela for the link) - in case someone wants to compare it w. v.1.0.2 and/ or play with it:
[email protected]

@LeeBinder, I had tried your steps (very carefully too) and didn't resolve the issue for me.

It did make me think a little more about some other directions to try out. I'll definitely let you know of any results on my end.

I did receive the following Popup yesterday before trying your steps out and just remembered about forgetting to provide the screenshot as it is a new one (for me). Also, I was actually in Github when it happened without doing anything addon related too.

New-Error-1

Thanks a bunch! :-)

~Ibuprophen

You guys shouldn't really tamper directly with cert.db files, just import new certificate as new CA: https://www.velvetbug.com/benb/icfix/icfix.pem (yes, it's the one from hotfix XPI, you can verify it manually)

@reallyuniquename : then please tell ibuprofen how to do that in Waterfox for Android which is lacking any certificate import function in preferences.

@ibuprophen1 :

1. attached you find the cert9.db from FF Android which works for me in WF Android:
   cert9.db.zip

1. paste this into your Android WF address bar:

about:config?filter=xpinstall.signatures.required

and make sure the value is set to false. If it's not, toggle it to true (by simply tapping on it) and try install the add-on again.

1. which add-on are you trying to install - Custom UserAgent String for testing? If a different one, please post the link, would you.

@LeeBinder

Waterfox for Android is lacking any certificate import function

Is it though? AFAIK if you open certificate via URL that returns application/x-x509-ca-cert MIME type Waterfox for Android would ask you to install it. I bet you can even install just by visiting file:///sdcard/blabla.crt.

@reallyuniquename : no that doesn't work, just tried: regardless if a) from URL or from file and b) filename extension .pem or .crt, Waterfox simply opens the text file as what it is, as text file.

when you put the certificate on a webserver, make sure it is served with MIME type application/x-x509-ca-cert (or application/x-x509-user-cert for client certificates).

Without this, Firefox will not install the certificate, but download it instead.
(source)

Also: Setting up a webserver to automatically serve .crt files as installable certificates for Firefox Android

Obviously Ben from velvetbug was not aware of this.

@LeeBinder that's weird, this is how certificate installation worked a year ago, although that was vanilla Firefox for Android.

filename extension .pem or .crt

Extension doesn't matter, it's all about MIME type. Try snatching it off the web server that forces proper MIME type (run it on python or something).

Otherwise, yeah, one would need to replace cert.db indeed...

Agree, see my edit above .. ;)

so if someone here with access to a properly configured webserver would upload icfix.pem to their server, best as both .crt and .pem, then test if Waterfox automatically offers to install it when clicking onto the linked file, then we should be all set!

https://mahalo.lima-city.de/icfix.pem ;)
@ibuprophen1

@LeeBinder, okay... Progress...

I had tried your last 2 post suggestions and I can install the Addons now but, their disabled with the "Cannot be Verified" message in the about:Addons screen.

~Ibuprophen

… I'm confident Alex will also release WF 56.x.x with this fix very soon …

In parallel, re: https://www.reddit.com/r/waterfox/comments/bktabg/for_users_of_waterfox_5629_who_may_be_affected_by/emyvez4/ it seems to me that Mozilla's extensions are in the final stages of quality assurance (QA). Interested users can/should track the topic in Mozilla Discourse.

@Ibuprophen1 : step-by-step..
So I guess you cannot ENable them? And have you force-quit WF then restarted?

… force-quit WF then restarted?

From what I found with some prior approaches to importing the certificate:

• a simple quit (not forced) should suffice.

Nit:

false. If it's not, toggle it to true

I tried them all... I'm still a determined individual and don't want to lose Waterfox since I've been using it for years on my PC's and Android's.

~Ibuprophen

@LeeBinder - I've just checked, v1.0.3 has exactly the same PEM string as v1.0.2.

@ibuprophen1 : either we or Mozilla (with the user-installable extension for FF 52 through 60 - 👍 @grahamperrin for the link!) will get you back on board until your headaches are gone .. ;)

Are you still using the cert9.db either from me or from your FF? If so, do the following (A):

1. quit WF
2. restore your old cert9.db with your root file manager
3. re-open WF, click onto icfix.pem, import the cert into YOUR cert9.db
4. quit WF
5. re-open WF, go to about:addons and check if your add-ons are back

If still not working (B):

1. quit WF
2. in Android settings, set your date ahead, e.g. two days
3. re-open WF, go to about:addons and check if your add-ons are back
4. set your time/date back to automatic

If still not working (C):

1. quit WF
2. backup your cert9.db with your root file manager, e.g. by renaming it so WF will not find it
3. re-open WF - it should re-create a new virgin cert9.db from scratch. Go to about:addons and check if your add-ons are back
4. click onto icfix.pem and import the cert
5. try installing an add-on for testing, like Cookie Quick Manager

@unicorndreams: thanks for comparing v.1.0.2/ 1.0.3 xpi PEM string

Okay, I've updated the fix pushed by Mozilla: https://github.com/MrAlex94/Waterfox/commit/946ffc1d3d8404f980392f9f353373a7d63506f2

I've tested and seems okay to me, but would appreciate any testing from others as well.

Thanks @MrAlex94 , I tested it on one installation with the previous fix and one without. Seems to work in both cases.

@ibuprophen1 : I hope you were able to get your extensions back in your Android Waterfox, one way or the other?

@LeeBinder, thank you very much for keeping me in mind regarding a status! :-)

I had to take a little break from this because of the various other Developments/Projects that required my attention that I had to take care of.

Just yesterday I had decided to start from square one with removing the Waterfox Beta app on my Android, performing a little cleanup and then installing it via the Play Store again.

As you know, after performing various tries, re-tries, undo, redo, etc... it can get to a point where it's a real challenge to get something to work without ruling out the possibility of something forgotten about that may have been unsuccessful and wondering if something was previously done and overlooked that may have affected the failed results.

Now with a fresh installation completed, i plan to revisit this again (tomorrow or the next day) with a fresh look.

I'm looking to perform a "Overview" with take a look at everything on this issue (and a few other places) to evaluate what I've done that didn't work, may work and haven't tried yet.

I've been monitoring the Waterfox Repo of Issues and Changes to keep a type of applicable notes and such.

I'll definitely be chiming in with a status update on this (of course with the Developers and yourself in the loop).

~Ibuprophen

… testing from others …

Whilst I'm not in a position to test (sorry), someone might like to tell whether a refresh of Waterfox will delete/distrust Mozilla's recent CA.

(Re: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings#w_these-items-and-settings-will-be-removed in Firefox cases, _security certificate … settings_ will be removed.)

@ibuprophen1 @grahamperrin @MrAlex94 : the extension approach ONLY works for Waterfox 56.2.9 Desktop, NOT for Waterfox 56.1.0 Android!

I have uploaded the certificate to my server with the correct MIME type and compiled a write-up how to import the certificate which works for both. You can find it here.

Understood, thanks. https://github.com/MrAlex94/Waterfox/issues/936#issuecomment-491746426 is not about the extension.

I know. Haven't had a chance yet to test. Was focusing first on what I was prioritizing .. ;)

I guess because of all the stress they had with armagadd-on 2.0, someone at Mozilla did not fully check into what they were doing and uploaded the binary version of the certificate to their server with a non-compliant extension .crt. Their server is not configured to serve .crt as a MIME type, so the .crt won't install on click (unless one downloads it first then imports):

https://hg.mozilla.org/releases/mozilla-release/raw-file/tip/security/apps/addons-public-intermediate.crt (thanks to Jefferson Scher for the link on his Firefox Extension Verification May 2019 page)

Server default for a X.509 Certificate (application/x-x509-ca-cert) is .der (see Wikipedia: X.509/Certificate filename extensions).

I uploaded the binary .crt as .der to my server and correctly chose 'binary' as transfer mode, and as expected the certificate does install on click.. ;):

https://mahalo.lima-city.de/addons-public-intermediate.der

as does the .pem (BASE64) from Ben B.:

https://mahalo.lima-city.de/icfix.pem

@reallyuniquename @grahamperrin

Mozilla armagadd-on 2.0: information for users of Waterfox 60.1.0 on Android : waterfox

Please, can someone advise? Thanks.

@grahamperrin : my manual incl. the certificate uploads in both, binary and base64 on my correctly configured server in regards to MIME types, should work for any version of Waterfox/ Firefox on _any_ platform and architecture. The folks over @ Mozilla have been thinking and acting into the much much MUCH more complicated direction (as usual over time) with the different extensions approach....

Following the QA etc. with Mozilla was is enlightening. Not as fast as everyone would like, but it was orderly and well thought-out.

addons-public-intermediate.der

After addition to Waterfox 60.1.0, I have two add-ons that can not be verified.

Just FYI.

Personally it's not troublesome (I rarely browse on the mobile handset).

PS I'll take a second look at the handset later, or in the morning. Maybe I simply need to wait a while.

@LeeBinder, @grahamperrin and @MrAlex94...

I just began to get back to this...

I did notice a slew of Blacklisted addons that Mozilla points to regarding their ability to be installed on both the PC and Android.

https://blocked.cdn.mozilla.net

I apologize if that was already pointed out by others.

I'll keep you all in the loop with anything new.

~Ibuprophen

addons-public-intermediate.der

After addition to Waterfox 60.1.0, I have two add-ons that can not be verified.

which are which? You do know that a certificate does not install any add-on, do you? Your two unverified add-ons must have been installed in your profile before.

I installed that cert from Mozilla in several installations and did not encounter any unverified add-ons. Two unrelated things .. ;)

I almost forgot to point out the following link that reflects addon blocking requests (the keywords I used for this search is only by example) :

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=Block+Requests

~Ibuprophen

Your two unverified add-ons must have been installed in your profile before.

True:

• No PDF Download https://addons.mozilla.org/addon/no-pdf-download/ 1.0.3
• PDF Viewer (from I don't know where) 1.0.277

@grahamperrin, the PDF Viewer is built-in and currently at v2.0.943 based upon the following Mozilla Repo.

https://github.com/mozilla/pdf.js

The No PDF Download is currently at v1.0.5 as well.

https://addons.mozilla.org/en-US/android/addon/no-pdf-download/

Just in case you weren't aware of this... :-)

~Ibuprophen

Seems Waterfox 68 alpha has only a partial fix for this. Waterfox 68 is still affected when used with an existing (from v56) profile, but not with a new profile? :confused:

And also in the existing profile, the WebExtensions that don't specify addon ID in manifest.json are totally non-functional in v68, as if they were disabled, and clicking on any of them just goes to Get Add-ons. I can't figure out how to get them working.

I tried reinstalling from AMO, but that also failed, with this Browser Console message -

addons.xpi WARN Download of <url to xpi> failed: Error: Cannot find id for addon /tmp/tmp-***.xpi(resource://gre/modules/addons/XPIInstall.jsm:1372:19) JS Stack trace: [email protected]:1372:19 async*[email protected]:2159:14

PDF Viewer is built-in

Thanks, I didn't know.

_No PDF Download_ remains disabled, unverified. I haven't attempted to enable it.

68 is still affected when used with an existing (from v56) profile

56.2.9?

If 56.2.9: in what way(s) did the 56.2.9 profile gain the fix?

If 56.2.9: in what way(s) did the 56.2.9 profile gain the fix?

Yes 56.2.9. Said profile gained the fix by me self building Waterfox from https://github.com/MrAlex94/Waterfox/commit/946ffc1d3d8404f980392f9f353373a7d63506f2 .

Found the cause.

My existing profile had been through the previous hotfix, the one that added the cert to user DB and set extensions.signer.hotfixed to true. When I updated to the newer fix, I deleted my cert8.db, but didn't clear the pref. Reset the pref in v56, loaded the existing profile in v68, and now the signed WebExtensions that don't specify addon ID in manifest.json load fine!

So Waterfox 68 just needs the updated armagadd-on-2.0 fix.

Re: https://github.com/MrAlex94/Waterfox/issues/936#issuecomment-491746426 above, has anyone tested the result of a refresh?

Graham, that should not be an issue anymore with WF 56.2.10, should it?
https://www.waterfox.net/blog/waterfox-56.2.10-release-download/

I don't know, as I wrote earlier, I couldn't test (still can't).

Did anyone test?

I have just tested Waterfox Alpha 68.0a1 (I'm writing on it!) First, I tried an on-the-place install, but it started up all clunky (using the 56.2.9 profile), so I did a fresh install, only using "user.js" and importing my bookmarks. Although the doomsday certificate is stated as already installed, several legacy add-ons failed to install:

"another_restart-0.0.2.1-signed-fx.xpi"
"bazzacuda_image_saver_plus-0.66-fx.xpi"
"downthemall_anticontainer-1.5-sm+fx.xpi"
"fasterfox_lite-3.9.9Lite.1-signed-fx.xpi"
"firegestures-1.11.1-fx.xpi"
"playflash_32bit-30.0.0.134-fx-windows.xpi"
"playflash_64bit-30.0.0.113-fx+sm-windows.xpi"
"quickjava-2.1.2-fx.xpi"

I tried the "manifest.json" hacking to see if they would work, but "FireGesture" doesn't have a "manifest.json" file!!! I haven't checked the other add-ons, as I don't have much time now.

@unicorndreams probably unrelated to the certificate issue.

Can you raise yours as a separate issue? (Things here are already somewhat complicated.) Thanks.

Well, Waterfox threw the "corrupt" error when I tried to install those add-ons, so, well, I don't know. Besides, the question was if someone had tried the Alpha, and I just did. Some Pages are rendering badly (no icons, no border, no nothing, except text on the right places). All add-ons except those I listed installed flawlessly, even those that showed up as "corrupt" on 56.2.9 without the certificate (e.g., "user_agent_switcher-1.2.12-an+fx.xpi").

Sorry if my information was not useful here.

I don't know, as I wrote earlier, I couldn't test (still can't).

Did anyone test?

just did, with WF 56.2.10 macOS: even after refresh, Extensions before affected by armagadd-on 2.0 (uBlock Origin, Quick Cookie Manager) DO install. I also clicked onto my cert import links and WF offered to install the cert, so as Alex wrote, WF 56.2.10's cert is hard-coded into it and thus not affected even by a refresh.

Anyway folks thanks for all the great postings here in this thread. I really enjoyed all the professionalism, focus, dedication, collaboration and content richness etc. in here. Made me proud once again of being part of the "Waterfox tribe" - beyond the slighted shadow of a doubt a much higher vibe than of the general Firefox user. Great decision of everybody to BE HERE 👍 🥇

Over and out (unsubscribed) of this thread
~Lee

+1

Waterfox 56.2.10 on FreeBSD-CURRENT:

• with the fix that's integral to Waterfox
• without Mozilla's extension for the fix (not listing Mozilla's certificate in preferences).

Confirmed. Adding Mozilla's extension (superfluous) then removing the extension, then performing a refresh:

• de-lists the certificate
• does not reduce compatibility with AMO.

Thanks again

It looks like there's updates to the addon fixes and now there's 3 to choose from...

https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox

~Ibuprophen

Yep, https://bugzilla.mozilla.org/show_bug.cgi?id=1550793#c37

Also FYI the _shipping_ bugs in the tree at https://bugzilla.mozilla.org/showdependencytree.cgi?id=1549604&hide_resolved=0

@laniakea64 since Alex has tweeted re: availability of 56.2.10, would you like to close this issue?

For the _apparent_ corruptions that are unrelated to armagadd-on 2.0 we have #972

@grahamperrin Please leave this open until https://github.com/MrAlex94/Waterfox/issues/936#issuecomment-493504037 gets addressed -

Waterfox 68 just needs the updated armagadd-on-2.0 fix.

My bad! I hadn't even _looked_ at commits for gecko68 branch or the 68.0a1 tag. Oops. Sorry.

My Deepest Apologies to @grahamperrin, @MrAlex94, @LeeBinder and others here!

I had almost forgotten about following up on this as I had previously mentioned...

Since I had performed a ton of various trials, errors, fresh installations, etc... I decided to just save time (and space here) to provide what had finally/ultimately worked for me.

Please keep in mind that the following is ONLY regarding the following Official Waterfox App obtained/installed via the Google Play Store.

"Waterfox Web Browser - Open, Free and Private (Beta) version 56.1.0"

1) I first went to the devices Settings Menu -> Apps -> Waterfox and then I selected to Force Stop the App, selected the Storage option, selected to Clear Data and then back 1 (to the previous area) and then selected Uninstall.

2) I then, as a personal choice (using a reliable File Explorer with Root Permissions), I went to the "/data/app" to make sure that the following package name was gone...

org.waterfoxproject.waterfox-1

... Then to the "data/data" to make sure that the following package name was gone as well...

org.waterfoxproject.waterfox

... They weren't there but, I would have deleted those 2 directories if one or both were still there.

3) I then rebooted the device and went to the Google Play Store and installed the Waterfox Browser again.

4) I had launched the app and, of course gave it all the required/needed permissions first, and set up the Sync a some other personal preferences within its settings.

5) I had then closed Waterfox...

I had already obtained a copy of the "key4.db" and "cert9.db" from the Android Firefox Browser I had installed (via the Play Store) earlier that day.

I had then used the same File Explorer (with Root Access of course) and then navigated to the following directory...

/data/data/org.waterfoxproject.waterfox/files/mozilla/pqywvuhz.default/

... and I first backed up the Original "key4.db" and "cert9.db" files and then replaced those 2 with the ones I had obtained from the Firefox Android Browser.

6) I launched Waterfox again and installed the following Addon Fix...

https://addons.mozilla.org/en-US/firefox/addon/disabled-add-on-fix-52-56/

... I then installed the icfix.pem provided on the following link...

https://www.reddit.com/r/firefox/comments/bkspmk/addons_fix_for_5602_older/

... And then, just as a personal preference (that's not needed for the Addon issue), I had manually added the following "general.useragent.override" String within the "about:config" screen.

Mozilla/5.0 (Android 7.0; Mobile; rv:54.0) Gecko/62.0 Firefox/62.0

7) ONLY for posterity Closed Waterfox and Rebooted the Device.

I know some of the above is a bit of an "Overkill" but, this is what worked out for me and I'm hoping it'll help out some others as well.

I hope that I had explained the above information okay via text... LOL! :-)

Thank you all So Much for your time, patience, understanding and especially your support with this! :-)

~Ibuprophen

@ibuprophen1 : exemplary thorough - congrats .. ;)

Two questions:

• where did you read about this UA string? What's the advantage, esp. the rv:54.0 part?
• where did you read about moving over key4.db, too?

@LeeBinder, The UA string was one of those "trial and error" resolutions I had figured out a while ago.

This single UA string was a resolution I had figured upon to prevent from having to use different ones for different sites. Just a way to elevate the sporadic issues (like in Github and some other websites).

The UA just worked out for me but, I can't guarantee that it will for all since everyone goes to and performs different actions on different websites.

The db keys were just a hunch of mine based upon reading a bunch of feedback here and elsewhere on top of a personal trial and error as well.

I just told myself... What would Spock do (the logical approach) and After grabbing, trying, etc... 5 different Mozilla browsers, I found that the ones from the regular Firefox one was good enough.

If you would like, I can zip the 2 up. I forgot to do that... LOL!

~Ibuprophen

@grahamperrin, @MrAlex94, @LeeBinder and others here!

Just as a little Helper regarding the Waterfox Beta v56.1.0 App's DB files...

These are the ones I had mentioned just after "STEP 5" of the little guide I had just previously provided (above).

The following are just the Firefox & Waterfox DB files only for those who may want them for a manual installation of them.

Firefox-Android-v66.0.5_Fresh-Install_DB-Files_Manual.zip
Waterfox-Android-v56.1.0_Fresh-Install_DB-Files_Manual.zip

As previously stated, there's no guarantees but, may hopefully work for many/most using the Waterfox Beta v56.1.0 App.

~Ibuprophen

Thanks @ibuprophen1 . Install via TWRP etc. won't work because the script only installs to YOUR profile folder "pqywvuhz.default". It would need to:

• parse /data/data/org.waterfoxproject.waterfox/files/mozilla/profiles.ini for the current profile
• inject the name of that profile into a variable inside the script

So before flashing the two files, the path inside the zip and in the script would need to be adjusted.

BTW (regarding your step 6.b), if the cert9.db really contains the certificate, there will be an alert: "_This certificate is already installed as a certificate authority_" - it would NOT install again. Test by tapping either onto icfix.pem (BASE64 format version) or addons-public-intermediate.der (BINARY format version).

Are any of you able to install themes? (56.2.10 desktop)

With the cert fix, extensions install just fine - any theme I have tried does not: https://addons.mozilla.org/en-US/firefox/themes/

Download failed. Please check your connection.

Even directly going to the xpi, wget the xpi & opening - throws the 'download is corrupt' error.

@angela-d the themes issue is https://github.com/MrAlex94/Waterfox/issues/972 , it's unrelated to this one.

@angela-d : also have a look at here f.f.

Thanks, wasn't typing the right queries when I searched the existing issues.

I had just experienced the addon issue just minutes ago... Go figure... LMAO!!!

I was able to get them going again by performing the "Alternative 1: Set Firefox to check for studies more rapidly" instructions available on the following link under the response titled "The Problem"

https://superuser.com/questions/1432789/all-of-my-firefox-add-ons-have-been-disabled-suddenly-how-can-i-re-enable-them

Regarding the Android Browsers, if the mentioned “app.normandy.run_interval_seconds” within about:config isn't present/available, I just manually added it and then followed those steps.

What a headache!

~Ibuprophen

… Android … app.normandy.run_interval_seconds …

Not effective with Waterfox 60, one of the unverified add-ons can't be enabled.

I assume that it's preconfigured to not work with Normandy. I'm happy to await an update.

Please leave this open until #936 (comment) gets addressed -

Waterfox 68 just needs the updated armagadd-on-2.0 fix.

Looks like this has been done in 68.0a2 :+1: