[RESOLVED] 2.9.0.4 AMO download is corrupt.

[RDL]

The 'stable'version 2.9.0.4 published on AMO is not signed and silently fails to install from file even though I have xpinstall.signatures.required set false.

On the other hand, I was able to download 2.9.0.4 from this site and it was signed and installed from file without any problem.

[barbaz]

The 'stable'version 2.9.0.4 published on AMO is not signed

This is not true.

and silently fails to install from file even though I have xpinstall.signatures.required set false.

On the other hand, I was able to download 2.9.0.4 from this site and it was signed and installed from file without any problem.

Both files are identical, and have this SHA256 checksum:

Code: Select all

94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5

This indicates that what you are experiencing is unrelated to this topic; please start a new thread if you would like to discuss it more.

[RDL]

The 'stable'version 2.9.0.4 published on AMO is not signed

This is not true.

Well, since you've just called me a liar, I really have to reply to you here, don't I ?

I download .xpi files by right-click, 'Save Link As'. Is that how you made your test?

I've just, yet again, downloaded that file from AMO and then, again, examined it using 7-ZIP. It does NOT contain a META-INF folder.

Doesn't that mean it isn't signed? If so, then at very least there is a problem with what file AMO is delivering.

In case it's relevant, I'm using Firefox 44.0.2 x64 on Win 7 x64. Are you?

and silently fails to install from file even though I have xpinstall.signatures.required set false.

On the other hand, I was able to download 2.9.0.4 from this site and it was signed and installed from file without any problem.

Both files are identical, and have this SHA256 checksum:

Code: Select all

94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5

This indicates that what you are experiencing is unrelated to this topic; please start a new thread if you would like to discuss it more.

It may well be unrelated but, as I pointed out above, your form of reply made a new topic inappropriate at that point.

Perhaps you would split off this part of the topic, from my original post, to this one, to a new topic, before we continue.

[barbaz]

Split off as suggested.

I download .xpi files by right-click, 'Save Link As'. Is that how you made your test?

That's exactly what I did.

I've just, yet again, downloaded that file from AMO and then, again, examined it using 7-ZIP. It does NOT contain a META-INF folder.

Doesn't that mean it isn't signed?

It could also mean that 7-Zip is hiding the META-INF folder from you. (I don't know.)
Does the SHA256 checksum I posted match the file you're downloading from AMO?

In case it's relevant, I'm using Firefox 44.0.2 x64 on Win 7 x64. Are you?

Doesn't matter what browser/OS I'm using as much as it matters how I present myself to AMO, which is a randomly selected Firefox profile, so I have no idea what I was "using".

[Guest]

Split off as suggested.

Thanks.

I download .xpi files by right-click, 'Save Link As'. Is that how you made your test?

That's exactly what I did.

Curious.

I've just, yet again, downloaded that file from AMO and then, again, examined it using 7-ZIP. It does NOT contain a META-INF folder.

Doesn't that mean it isn't signed?

It could also mean that 7-Zip is hiding the META-INF folder from you. (I don't know.)
Does the SHA256 checksum I posted match the file you're downloading from AMO?

Well, 7-Zip has always shown me the META-INF folder in signed extensions, including the direct download from https://secure.informaction.com/downloa ... .9.0.4.xpi

and according to 'Rapid CRC Unicode Portable', the SHA256 checksums don't match.

Your SHA256:

94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5

Download from https://secure.informaction.com/downloa ... .9.0.4.xpi

94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5

But download from https://addons.mozilla.org/firefox/down ... xpi?src=ss

7c65095465f8abc7594dd20ad63e20de57fd68b015b016b3c03e0d5692eacb4e

In case it's relevant, I'm using Firefox 44.0.2 x64 on Win 7 x64. Are you?

Doesn't matter what browser/OS I'm using as much as it matters how I present myself to AMO, which is a randomly selected Firefox profile, so I have no idea what I was "using".

I don't know if AMO would ever publish an unsigned version of an xpi for any product or perhaps for a development version? I wouldn't expect that to affect the range of versions one was offered for download, except for it to indicate when the extension was not compatible with the user's apparent user agent.

Time for me to sleep. I'll check AMO again in the morning.

[barbaz]

I don't think the XPI I downloaded from AMO had quite the same URL as what you posted, so tried again with your download link, which redirects to this

Code: Select all

https://addons.cdn.mozilla.net/user-media/addons/722/noscript_security_suite-2.9.0.4-fx+fn+sm.xpi?filehash=sha256%3A94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5

which matches what I get before and does indeed have the SHA256 checksum listed in that URL...

That was presenting as Firefox 38 on Linux i686. Will try again with your UA -> EDIT same result.

[therube]

/latest/722/ is from the NoScript page on AMO.
/file/397766/ is from the NoScript/versions/ page on AMO.

I suspect that 397766 is a "unique" number assigned to a particular extension/version.
"722" being the extension family.

In any case, /file/397766/

Code: Select all

Redirect to https://addons.cdn.mozilla.net/user-media/addons/722/noscript_security_suite-2.9.0.4-fx+fn+sm.xpi?filehash=sha256%3A94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5

so we're back to 722.

The same way, /latest/722/

Code: Select all

Redirect to https://addons.cdn.mozilla.net/user-media/addons/722/noscript_security_suite-2.9.0.4-fx+fn+sm.xpi?filehash=sha256%3A94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5

So they are one in the same, & as they're the same the hashes are the same & as expected ...73f5.

The files are the same.

[therube]

Would be interesting to know how your two different 2.9.0.4's differ.
Check each files contents.
Better, use a binary file comparison utility.
Or ZIP the two up & post them someplace.

[Guest]

Would be interesting to know how your two different 2.9.0.4's differ.
Check each files contents.
Better, use a binary file comparison utility.
Or ZIP the two up & post them someplace.

I should have gone to bed but instead compared the two xpi's using WinMerge.

I fully unpacked each into a separate folder and compared the unpacked folder contents
since comparing the packed xpi's gave confusing results.

It appears that the only difference is that the one I received from AMO is the unsigned version of
the one from the developers site. In other words, the one on the dev site is the same as
the one I received from AMO but after signing.

Here is the WinMerge report, with my annotations:

Compare Q:\TEMP\7-Zip-Temps\AMO with Q:\TEMP\7-Zip-Temps\Developer

12/02/2016 05:48:15

Filename Folder Comparison result Extension Left Creation Time Right Creation Time

META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer 12/02/2016 05:02:52
manifest.mf META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer\META-INF mf 12/02/2016 05:02:53
mozilla.rsa META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer\META-INF rsa 12/02/2016 05:02:52
mozilla.sf META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer\META-INF sf 12/02/2016 05:02:53


The Creation Times are when I unpacked the xpi since comparing them as archives (packed) gave confusing results.
I unpacked each fully into its own folder and then compared all the resulting files across the two folders.

I also tried installing direct from the link on AMO (left-click on the link). This resulted in the error message:

The add-on could not be installed because it does not match the add-on Firefox expected.

Very curious.

Good night.

[Giorgio Maone]

It's working for me, but then AMO devs where busy upgrading their infrastructure yesterday, so maybe a temporary glitch.
Could you retry when you wake up? Thanks!

[garif]

FYI. I agree with "RDL," I have the same problem yesterday (02/11/2016) since 4:00 pm up to 11:00 pm. It always says, "It is not signed," and even doesn't have "install" to click on. But today at 8:00 am, everything working fine and able to install it.

Thanks!

[Guest]

It's working for me, but then AMO devs where busy upgrading their infrastructure yesterday, so maybe a temporary glitch.
Could you retry when you wake up? Thanks!

Well, I closed down the pc as usual, ate, slept, hung up the washing and ate again. After that, I just tried again but it's the same; no META-INF folder in what downloads for me from that AMO link.

Could be a snag working its way out of the internet buffers but if that, taking a long time about it.
I only see garif's report and no-one else with the same problem.
Could be DNS poisoning.
Could be MitM attack.

I haven't heard of malware which does this sort of thing but looks like time for some in-depth scans.

I'll also look out for what happens with the next update and keep my eye on what others report, if anything.

[grid2]

Have to agree with "RDL".I had/have issues yesterday and today installing/updating to amo noscript version 2.9.0.4.

I received this notification: the add-on could not be installed because it does not match the add-on Firefox expected.
(Even with new firefox profile without any add-ons installed)

Downloaded new (2.9.0.4) and 2 previous amo versions (2.9.0.2 + 2.9.0.3) and checked xpi files with 7-zip.

There is no META-INF folder in noscript_security_suite-2.9.0.4-fx+fn+sm.xpi at these Amo download locations:
https://addons.mozilla.org/firefox/down ... src=search
https://addons.mozilla.org/firefox/down ... src=search

The noscript version from https://secure.informaction.com/downloa ... .9.0.4.xpi does have META-INF folder.

It appears the glitch continues...
Kind regards

[therube]

There is no META-INF folder

Are those two particular files identical?

Can you post those files someplace for download?

Are you able to capture detailed logs of the downloads, perhaps including the particular CloudFront server they came from?

[barbaz]

Can those who are affected please post here the results of a DNS lookup of addons.cdn.mozilla.net (idk how to do this on Windows, but on Mac/Linux/Unix open Terminal and enter the following: )

Code: Select all

dig addons.cdn.mozilla.net

For me I get:

Code: Select all

$ dig addons.cdn.mozilla.net

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> addons.cdn.mozilla.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63550
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;addons.cdn.mozilla.net.                IN      A

;; ANSWER SECTION:
addons.cdn.mozilla.net. 36      IN      CNAME   d1sp2sgy246t7c.cloudfront.net.
d1sp2sgy246t7c.cloudfront.net. 25 IN    A       52.84.3.72

;; Query time: 32 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun Feb 14 14:07:46 EST 2016
;; MSG SIZE  rcvd: 107