Signature Verification Error, Firefox


I'm getting this message in the Firefox browser console: "Signature Verification Error: the signature on this .jar archive is invalid because the certificate used to sign this file has an unrecognized issuer." It's very strange because I've used this certificate in a previous version of Firefox and my extension was recognized as signed. My current Firefox version is 38.0.5.

Makyen On

There are multiple possibilities for this. Without more information, it is not possible to narrow down exactly what is causing your issue. What CA are you using, OS, what was the last version of Firefox in which it worked, etc.?

Bug fixes:

For instance, it could be that the following bugs were fixed:

  • Bug 1077864 - Check that tbsCertificate.signature and signatureAlgorithm are equal in mozilla::pkix
  • Bug 968560 - Return a distinct error codes for certificates that are not valid yet, as opposed to being expired, in mozilla::pkix
  • Bug 1146010 - Blacklist misissued XS4ALL certificate

Other certificate related bugs fixed:

  • Bug 1131767 - Prune away paths using unacceptable signature algorithms earlier
  • Bug 1076329 - sec_error_unknown_issuer for site signed with imported CA certificate
  • Bug 1097622 - mozilla::pkix returns ERROR_NOT_YET_VALID_CERTIFICATE or ERROR_EXPIRED_CERTIFICATE rather than ERROR_INVALID_TIME when decoding invalid time values
  • Bug 1085506 - add telemetry for all TLS handshake certificate verification errors encountered
  • Bug 1123671 - Clicking "Add Exception" for invalid certificates fail in both Nightly & Developer Edition
  • Bug 1143085 - Certificates with empty subject alternative name extension are rejected by Firefox 36 (e.g. generated by TinyCA by default)
  • Bug 1126675 - Site identity data is not updated in some cases of weird certificates
  • Bug 1155279 - Temporarily re-enable Equifax Secure Certificate Authority 1024-bit root
  • Bug 1027512 - Refactor getCertificate() security's lib function, in order to fix 'SSLStatus is null' js type error in security tests
  • Bug 1146314 - Test failure 'sec_error_expired_certificate != sec_error_unknown_issuer' in testSecurityNotification.js
  • Bug 1130754 - Calculate the tbsCertificate digest at most once per path building step

Overall change to extension signing:

It could also be that the reason for this is that Mozilla has changed/is changing to requiring all extensions to be signed through addons.mozilla.org (AMO). Self signing will no longer be acceptable unless explicitly enabled within Firefox. The reason for this change is to "protect users from malware and extensions that haven't been reviewed."

As of this point, all extensions that have been reviewed on AMO have been signed. This occurred on or around 2015-05-28. It is possible that one change in Firefox was to require that the issuer of all certificates be AMO. I did not see that this change had been implemented in 38.0.5, but I do expect that it will be a requirement. When it is, an error such as you have reported would be generated and the extension not be permitted to be installed (unless checking for signing has been disabled). I was under the impression that this was supposed to be enabled as of Firefox 40, but some portion of it may have made it into 38.0.5 and be causing your issue.

AMO sent out the following email to add-on developers in late May:

Dear add-on developer,

Mozilla will begin signing all add-ons in order to protect users from malware and extensions that haven't been reviewed. Here's what you need to know about the new process:

No action is required for add-ons distributed via addons.mozilla.org (AMO). On May 28, 2015, the latest versions of your existing add-ons will be automatically signed and pushed as updates to your users, after which you will receive an email notification. Starting on June 1, all files you submit will be signed after they pass review.

If you have add-ons that are not distributed via AMO, including beta versions or debug builds, there will be a new option in the add-on submission process to submit these as unlisted add-ons starting on June 1. Starting around June 15th, users of builds based on Firefox 40 or higher (currently Nightly and Developer Editions) will see unsigned add-ons disabled by default, with the option to bypass the signature check to re-enable them. Users will no longer be able to bypass the signature check when builds based on Firefox 41 reach beta, on or around August 11.

The Firefox add-on distribution agreement has also been updated to reflect the new distribution options and clarify our review policies. You can read the updated agreement here: https://developer.mozilla.org/Add-ons/AMO/Policy/Agreement

If you have any questions or concerns, read the add-on signing FAQ or visit our forums:
FAQ: https://wiki.mozilla.org/Addons/Extension_Signing
Forums: https://forums.mozilla.org/viewforum.php?f=7

Sincerely, The Add-ons Team


You are receiving this email because you have an add-on hosted on
addons.mozilla.org. Per our terms of service, we may occasionally
contact you about issues relevant to your specific add-ons.
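
When diagnosing an "unrecognized issuer" error like the one in the question, a useful first check is to list the certificates bundled in the add-on's signature block and see who issued the signing certificate. The following is an added example, not part of the answer above and not Mozilla's code; it assumes the XPI carries a definite-length DER PKCS#7 block in META-INF/*.rsa, and `signer_chain`, `sample_xpi`, the file name `zigbert.rsa` and the certificate names are constructed for illustration.

```python
import io, zipfile

CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3 (commonName)

def items(buf):
    """Split a definite-length DER value into child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes that follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def common_name(name):
    """Return the CN inside a DER Name value, or '' if absent."""
    atvs = [items(atv) for _, rdn in items(name) for _, atv in items(rdn)]
    return next((v[1].decode("utf-8", "replace") for o, v in atvs if o[1] == CN_OID), "")

def signer_chain(xpi_bytes):
    """(file, subject CN, issuer CN, self_issued) for each cert in META-INF/*.rsa."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.upper().startswith("META-INF/") and n.upper().endswith(".RSA")]
        for name in blocks:
            outer = items(items(z.read(name))[0][1])  # ContentInfo: OID, [0] SignedData
            for tag, certs in items(items(outer[1][1])[0][1]):
                for _, cert in items(certs) if tag == 0xA0 else []:  # certificates [0]
                    tbs = [f for f in items(items(cert)[0][1]) if f[0] != 0xA0]  # drop [0] version
                    issuer, subject = tbs[2][1], tbs[4][1]
                    rows.append((name, common_name(subject), common_name(issuer), issuer == subject))
    return rows

def der(tag, body):  # encoder for the constructed sample only; lengths below 256
    return bytes([tag]) + (b"\x81" if len(body) > 127 else b"") + bytes([len(body)]) + body

def sample_xpi():
    """Constructed sample: skeleton certificates, not cryptographically valid."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn))))
    cert = lambda sub, iss: der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                                + der(0x30, b"") + name(iss) + der(0x30, b"") + name(sub)))
    certs = cert(b"My Extension Signer", b"Example Dev CA") + cert(b"Example Dev CA", b"Example Dev CA")
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"") + der(0xA0, certs) + der(0x31, b""))
    p7 = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010702")) + der(0xA0, sd))  # OID: signedData
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/zigbert.rsa", p7)
    return buf.getvalue()
```

An empty result means the archive has no signature block at all; a chain that ends in a self-issued certificate outside the roots Firefox trusts for add-on signing is the kind of chain the "unrecognized issuer" message describes.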