We have completely analyzed the problem and it is two-fold:
- Mozilla's server-side signing produces a manifest file that has an improper file ending, which is what is causing the immediate crash. A point release of Pale Moon will be built and released as soon as possible to prevent the crashes seen upon installing an extension with this kind of signature problem. Expect 25.3.2 very soon.
- Mozilla's server-side signing additionally creates signature files that are empty and do not list the files to check. This means that even though checksums for the files have been added to the extension metadata, they are not actually tied to the included Mozilla certificate and will not be checked for authenticity at all, even in current Firefox versions. This was first assumed to be the root cause of the crash; it likely does not affect the crashes seen, but it obviously does not provide any authenticity check of the signed files inside the extension either, since the files are never checked against Mozilla's certificate.
Both of these problems are a direct result of the incorrect server-side signing of extensions that started yesterday. A bug has been opened at Mozilla to address this, bug #1158467, and as a stopgap measure we have temporarily stopped the checks for extension updates to addons.mozilla.org.
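To make the two signing defects concrete, here is an added consistency checker for the signing metadata inside an XPI. It is example code written for this post, not Pale Moon's or Mozilla's own verification code, and it makes several assumptions: the JAR-style layout Firefox signing uses (META-INF/manifest.mf listing per-file digests, META-INF/mozilla.sf listing per-section digests; the PKCS#7 blob in mozilla.rsa is not examined), SHA256 digests, and an interpretation of "improper file ending" as a manifest that does not end with a newline. The sample extension files and the builder that produces good and bad archives are constructed for the example.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/manifest.mf"   # assumed layout: per-file digests
SIGFILE = "META-INF/mozilla.sf"     # assumed layout: per-section digests bound to the certificate


def sha256_b64(data):
    """Base64 SHA256, the digest encoding assumed for the manifest entries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_sections(text):
    """Split a JAR-style manifest into blank-line separated sections of key/value pairs."""
    sections, current = [], {}
    for line in text.splitlines():
        if line.strip() == "":
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    return sections


def check_xpi(xpi_bytes):
    """Return a list of problems; an empty list means the signing metadata is consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = set(z.namelist())
        if MANIFEST not in names or SIGFILE not in names:
            return ["missing META-INF manifest or signature file"]
        mf_raw, sf_raw = z.read(MANIFEST), z.read(SIGFILE)
        # Assumption: a well-formed manifest terminates its last section with a newline.
        if not mf_raw.endswith(b"\n"):
            problems.append("manifest.mf does not end with a newline")
        mf_entries = {s["Name"]: s for s in parse_sections(mf_raw.decode()) if "Name" in s}
        sf_entries = {s["Name"]: s for s in parse_sections(sf_raw.decode()) if "Name" in s}
        # An .sf with no Name entries binds nothing to the certificate: the second defect.
        if not sf_entries:
            problems.append("signature file lists no entries: nothing is bound to the certificate")
        for name, sec in mf_entries.items():
            if name not in names:
                problems.append(f"manifest lists {name} but it is not in the archive")
                continue
            if sec.get("SHA256-Digest") != sha256_b64(z.read(name)):
                problems.append(f"digest mismatch for {name}")
            if name not in sf_entries:
                problems.append(f"{name} is in manifest but not in signature file")
    return problems


# Constructed sample extension contents (not a real add-on).
SAMPLE_FILES = {"install.rdf": b"<RDF/>\n", "chrome/content/main.js": b"// main\n"}


def build_xpi(files, signed_entries=True, terminate_manifest=True):
    """Constructed builder: produce a correctly signed archive, or reproduce either defect."""
    sections = {n: f"Name: {n}\nSHA256-Digest: {sha256_b64(d)}\n\n" for n, d in files.items()}
    mf = "Manifest-Version: 1.0\n\n" + "".join(sections.values())
    if not terminate_manifest:
        mf = mf.rstrip("\n")                      # defect 1: improper file ending
    sf = f"Signature-Version: 1.0\nSHA256-Digest-Manifest: {sha256_b64(mf.encode())}\n\n"
    if signed_entries:                            # defect 2 when False: empty .sf
        for n, sec in sections.items():
            sf += f"Name: {n}\nSHA256-Digest: {sha256_b64(sec.encode())}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in files.items():
            z.writestr(n, d)
        z.writestr(MANIFEST, mf)
        z.writestr(SIGFILE, sf)
    return buf.getvalue()


def replace_entry(xpi_bytes, name, new_data):
    """Constructed helper: rewrite one file inside the archive, leaving META-INF untouched."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, new_data if n == name else src.read(n))
    return buf.getvalue()


if __name__ == "__main__":
    print("good:", check_xpi(build_xpi(SAMPLE_FILES)))
    print("empty .sf:", check_xpi(build_xpi(SAMPLE_FILES, signed_entries=False)))
    print("bad ending:", check_xpi(build_xpi(SAMPLE_FILES, terminate_manifest=False)))
```

Running the module reports nothing for the correctly signed archive, flags the unterminated manifest, and for the empty signature file reports both the empty list and every file that is consequently unbound. Note that the checker still verifies the manifest digests in that last case, which is exactly why the defect is easy to miss: the checksums are present and correct, they are just not covered by the certificate.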
Versions affected:
Pale Moon for desktop (all current versions on all operating systems)
Pale Moon for Android (all versions)
What happens next?
- We are working on releasing a point release of Pale Moon on all platforms to stop the crash from occurring on bogus data.
- Once this point release is published, it and any future versions of Pale Moon will resume checking and updating extensions as normal. No action is required to make this happen, unless you manually switched update checking off.
- Older versions of the browser (25.3.1 and older) will remain blocked from updating extensions this way (because they are still prone to crashing) until such time as Mozilla fixes their signatures in their Firefox extensions.
Please note that this server-side signing is being done retroactively, and you may not currently be able to get new installations of extensions that are not signed (even older versions are being put through the signing process). This also affects all Firefox versions prior to Australis: they will crash.