Page 1 of 3
[RESOLVED] 2.9.0.4 AMO download is corrupt.
Posted: Thu Feb 11, 2016 11:38 pm
by RDL
The 'stable'version 2.9.0.4 published on AMO is not signed and silently fails to install from file even though I have xpinstall.signatures.required set false.
On the other hand, I was able to download 2.9.0.4 from this site and it was signed and installed from file without any problem.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Thu Feb 11, 2016 11:59 pm
by barbaz
RDL wrote:The 'stable'version 2.9.0.4 published on AMO is not signed
This is not true.
RDL wrote:and silently fails to install from file even though I have xpinstall.signatures.required set false.
On the other hand, I was able to download 2.9.0.4 from this site and it was signed and installed from file without any problem.
Both files are identical, and have this SHA256 checksum:
Code: Select all
94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5
This indicates that what you are experiencing is unrelated to this topic; please start a new thread if you would like to discuss it more.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 12:40 am
by RDL
barbaz wrote:RDL wrote:The 'stable'version 2.9.0.4 published on AMO is not signed
This is not true.
Well, since you've just called me a liar, I really have to reply to you here, don't I ?
I download .xpi files by right-click, 'Save Link As'. Is that how you made your test?
I've just, yet again, downloaded that file from AMO and then, again, examined it using 7-ZIP. It does NOT contain a META-INF folder.
Doesn't that mean it isn't signed? If so, then at very least there is a problem with what file AMO is delivering.
In case it's relevant, I'm using Firefox 44.0.2 x64 on Win 7 x64. Are you?
barbaz wrote:RDL wrote:and silently fails to install from file even though I have xpinstall.signatures.required set false.
On the other hand, I was able to download 2.9.0.4 from this site and it was signed and installed from file without any problem.
Both files are identical, and have this SHA256 checksum:
Code: Select all
94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5
This indicates that what you are experiencing is unrelated to this topic; please start a new thread if you would like to discuss it more.
It may well be unrelated but, as I pointed out above, your form of reply made a new topic inappropriate at that point.
Perhaps you would split off this part of the topic, from my original post, to this one, to a new topic, before we continue.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 12:52 am
by barbaz
Split off as suggested.
RDL wrote:I download .xpi files by right-click, 'Save Link As'. Is that how you made your test?
That's exactly what I did.
RDL wrote:I've just, yet again, downloaded that file from AMO and then, again, examined it using 7-ZIP. It does NOT contain a META-INF folder.
Doesn't that mean it isn't signed?
It could also mean that 7-Zip is hiding the META-INF folder from you. (I don't know.)
Does the SHA256 checksum I posted match the file you're downloading from AMO?
RDL wrote:In case it's relevant, I'm using Firefox 44.0.2 x64 on Win 7 x64. Are you?
Doesn't matter what browser/OS I'm using as much as it matters how I present myself to AMO, which is a randomly selected Firefox profile, so I have no idea what I was "using".
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 3:11 am
by Guest
barbaz wrote:Split off as suggested.
Thanks.
barbaz wrote:RDL wrote:I download .xpi files by right-click, 'Save Link As'. Is that how you made your test?
That's exactly what I did.
Curious.
barbaz wrote:RDL wrote:I've just, yet again, downloaded that file from AMO and then, again, examined it using 7-ZIP. It does NOT contain a META-INF folder.
Doesn't that mean it isn't signed?
It could also mean that 7-Zip is hiding the META-INF folder from you. (I don't know.)
Does the SHA256 checksum I posted match the file you're downloading from AMO?
Well, 7-Zip has always shown me the META-INF folder in signed extensions, including the direct download from
https://secure.informaction.com/downloa ... .9.0.4.xpi
and according to 'Rapid CRC Unicode Portable', the SHA256 checksums don't match.
Your SHA256:
94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5
Download from
https://secure.informaction.com/downloa ... .9.0.4.xpi
94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5
But download from
https://addons.mozilla.org/firefox/down ... xpi?src=ss
7c65095465f8abc7594dd20ad63e20de57fd68b015b016b3c03e0d5692eacb4e
barbaz wrote:RDL wrote:In case it's relevant, I'm using Firefox 44.0.2 x64 on Win 7 x64. Are you?
Doesn't matter what browser/OS I'm using as much as it matters how I present myself to AMO, which is a randomly selected Firefox profile, so I have no idea what I was "using".
I don't know if AMO would ever publish an unsigned version of an xpi for any product or perhaps for a development version? I wouldn't expect that to affect the range of versions one was offered for download, except for it to indicate when the extension was not compatible with the user's apparent user agent.
Time for me to sleep. I'll check AMO again in the morning.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 3:21 am
by barbaz
I don't think the XPI I downloaded from AMO had quite the same URL as what you posted, so tried again with your download link, which redirects to this
Code: Select all
https://addons.cdn.mozilla.net/user-media/addons/722/noscript_security_suite-2.9.0.4-fx+fn+sm.xpi?filehash=sha256%3A94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5
which matches what I get before and does indeed have the SHA256 checksum listed in that URL...
That was presenting as Firefox 38 on Linux i686. Will try again with your UA -> EDIT same result.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 3:44 am
by therube
/latest/722/ is from the NoScript page on AMO.
/file/397766/ is from the NoScript/
versions/ page on AMO.
I suspect that 397766 is a "unique" number assigned to a particular extension/version.
"722" being the extension family.
In any case, /file/397766/
Code: Select all
Redirect to https://addons.cdn.mozilla.net/user-media/addons/722/noscript_security_suite-2.9.0.4-fx+fn+sm.xpi?filehash=sha256%3A94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5
so we're back to 722.
The same way, /latest/722/
Code: Select all
Redirect to https://addons.cdn.mozilla.net/user-media/addons/722/noscript_security_suite-2.9.0.4-fx+fn+sm.xpi?filehash=sha256%3A94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5
So they are one in the same, & as they're the same the hashes are the same & as expected ...73f5.
The files are the same.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 3:47 am
by therube
Would be interesting to know how your two different 2.9.0.4's differ.
Check each files contents.
Better, use a binary file comparison utility.
Or ZIP the two up & post them someplace.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 7:09 am
by Guest
therube wrote:Would be interesting to know how your two different 2.9.0.4's differ.
Check each files contents.
Better, use a binary file comparison utility.
Or ZIP the two up & post them someplace.
I should have gone to bed but instead compared the two xpi's using WinMerge.
I fully unpacked each into a separate folder and compared the unpacked folder contents
since comparing the packed xpi's gave confusing results.
It appears that the only difference is that the one I received from AMO is the unsigned version of
the one from the developers site. In other words, the one on the dev site is the same as
the one I received from AMO but after signing.
Here is the WinMerge report, with my annotations:
WinMerge wrote:Compare Q:\TEMP\7-Zip-Temps\AMO with Q:\TEMP\7-Zip-Temps\Developer
12/02/2016 05:48:15
Filename Folder Comparison result Extension Left Creation Time Right Creation Time
META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer 12/02/2016 05:02:52
manifest.mf META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer\META-INF mf 12/02/2016 05:02:53
mozilla.rsa META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer\META-INF rsa 12/02/2016 05:02:52
mozilla.sf META-INF Right only: Q:\TEMP\7-Zip-Temps\Developer\META-INF sf 12/02/2016 05:02:53
The Creation Times are when I unpacked the xpi since comparing them as archives (packed) gave confusing results.
I unpacked each fully into its own folder and then compared all the resulting files across the two folders.
I also tried installing direct from the link on AMO (left-click on the link). This resulted in the error message:
addons.mozilla.org wrote:
The add-on could not be installed because it does not match the add-on Firefox expected.
Very curious.
Good night.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 9:16 am
by Giorgio Maone
It's working for me, but then AMO devs where busy upgrading their infrastructure yesterday, so maybe a temporary glitch.
Could you retry when you wake up? Thanks!
Re: 2.9.0.4 AMO download is corrupt.
Posted: Fri Feb 12, 2016 4:54 pm
by garif
FYI. I agree with "RDL," I have the same problem yesterday (02/11/2016) since 4:00 pm up to 11:00 pm. It always says, "It is not signed," and even doesn't have "install" to click on. But today at 8:00 am, everything working fine and able to install it.
Thanks!
Re: 2.9.0.4 AMO download is corrupt.
Posted: Sat Feb 13, 2016 1:20 pm
by Guest
Giorgio Maone wrote:It's working for me, but then AMO devs where busy upgrading their infrastructure yesterday, so maybe a temporary glitch.
Could you retry when you wake up? Thanks!
Well, I closed down the pc as usual, ate, slept, hung up the washing and ate again. After that, I just tried again but it's the same; no META-INF folder in what downloads for me from that AMO link.
Could be a snag working its way out of the internet buffers but if that, taking a long time about it.
I only see garif's report and no-one else with the same problem.
Could be DNS poisoning.
Could be MitM attack.
I haven't heard of malware which does this sort of thing but looks like time for some in-depth scans.
I'll also look out for what happens with the next update and keep my eye on what others report, if anything.
Re: 2.9.0.4 AMO download is corrupt.
Posted: Sat Feb 13, 2016 3:01 pm
by grid2
Have to agree with "RDL".I had/have issues yesterday and today installing/updating to amo noscript version 2.9.0.4.
I received this notification: the add-on could not be installed because it does not match the add-on Firefox expected.
(Even with new firefox profile without any add-ons installed)
Downloaded new (2.9.0.4) and 2 previous amo versions (2.9.0.2 + 2.9.0.3) and checked xpi files with 7-zip.
There is no META-INF folder in noscript_security_suite-2.9.0.4-fx+fn+sm.xpi at these Amo download locations:
https://addons.mozilla.org/firefox/down ... src=search
https://addons.mozilla.org/firefox/down ... src=search
The noscript version from
https://secure.informaction.com/downloa ... .9.0.4.xpi does have META-INF folder.
It appears the glitch continues...
Kind regards
Re: 2.9.0.4 AMO download is corrupt.
Posted: Sun Feb 14, 2016 12:42 pm
by therube
There is no META-INF folder
Are those two particular files identical?
Can you post those files someplace for download?
Are you able to capture detailed logs of the downloads, perhaps including the particular CloudFront server they came from?
Re: 2.9.0.4 AMO download is corrupt.
Posted: Sun Feb 14, 2016 7:07 pm
by barbaz
Can those who are affected please post here the results of a DNS lookup of addons.cdn.mozilla.net (idk how to do this on Windows, but on Mac/Linux/Unix open Terminal and enter the following: )
For me I get:
Code: Select all
$ dig addons.cdn.mozilla.net
; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> addons.cdn.mozilla.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63550
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;addons.cdn.mozilla.net. IN A
;; ANSWER SECTION:
addons.cdn.mozilla.net. 36 IN CNAME d1sp2sgy246t7c.cloudfront.net.
d1sp2sgy246t7c.cloudfront.net. 25 IN A 52.84.3.72
;; Query time: 32 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun Feb 14 14:07:46 EST 2016
;; MSG SIZE rcvd: 107