5

Mozilla announced that "On March 14, 2025, a root certificate used to verify signed content and add-ons for various Mozilla projects, including Firefox, will expire". They do not offer any option except updating Firefox. However, my upgrade from 115 ESR with Tree Style Tabs failed; I tried both 128 ESR and 136 - session not saved or restored, a large part of the UI not working at all. Searching for similar bugs, and with the ones closest to my symptoms referring to changes in 127, I took Firefox 126, built it from sources and ran it in a Jail container. It works OK with my profile but its certificate will expire today.

So, how do I patch this version of FF with the new certificate? That is, where in the Firefox sources does this certificate reside?

Please note that it is NOT the usual certificate database issue - on Mozilla support threads they say this certificate is baked into the code.

I tried to look in NSS release notes but did not find mentions, so it's probably in Firefox package's sources, not in NSS.

3 Answers

2

I have the same issue here, and when compiling FF from source is a solution for this issue, we should collect the information for such a process in an answer.

I do not have enough reputation to comment, so I put my comment in this answer.

The once downvoted answer around this one has very useful information, because with the addons certified all the past years, and disabling them because the cert failed and not the addons, disabling the verification does not impose any additional risk. Except you start to update your addons.

But you could certify an addon in a for you not working FF-version on another machine and install it without any additional risk.

Because of that I upvoted the answer.

1

If you are open to alternative solutions, you can disable the certificate verification by going to about:config and setting

xpinstall.signatures.required = false
extensions.langpacks.signatures.required = false

I tested this successfully in Firefox Nightly for Android, should work in ESR too.

Alberto M
  • 263
1

As it turned out, the keys themselves in the certificates did NOT change; the certificates were just made on the same keys with a date much further in the future (the files are in binary format, so that's why one will not find them by typical techniques like searching for *.pem or grepping for MII). One can verify this by looking at the same files within two unpacked Firefox sources from different versions, e.g.:

openssl x509 -in firefox-115.12.0/security/manager/ssl/addons-public.crt -inform DER -text

openssl x509 -in security/manager/ssl/addons-public.crt -inform DER -text

Thus, to build an older version of Firefox with the newer certificates, it is enough to copy just 3 files from the newer version's sources to the older version's source tree, like:

newer-ff-src$ cp security/manager/ssl/addons-public-intermediate.crt security/manager/ssl/addons-public.crt security/manager/ssl/content-signature-prod.crt $OLDER_FIREFOX_SRC/security/manager/ssl/

and then build it. I'm writing this from Firefox 126 built in this way - tested as OK.
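
The manual `openssl x509 -text` comparison described in the answer above can be scripted so that the copy is only done when the keys really match. This is an added example, not part of the original answer: the function names and the script name are hypothetical, and it assumes the `openssl` command-line tool is installed and that both source trees are unpacked.

```shell
#!/bin/sh
# Added example (not from the original answer): check that the three signing
# certificates in a newer Firefox source tree reuse the public keys of the
# older tree, and show how the expiry dates differ, before copying them over.
CERT_DIR=security/manager/ssl   # directory named in the answer
CERTS="addons-public-intermediate.crt addons-public.crt content-signature-prod.crt"

# Print the SHA-256 of the certificate's SubjectPublicKeyInfo (DER input).
# Fails if the file is not a parsable DER certificate.
spki_sha256() {
    pem=$(openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Print the notAfter date of a DER certificate.
not_after() {
    openssl x509 -in "$1" -inform DER -noout -enddate | cut -d= -f2
}

# compare_trees OLD_SRC NEW_SRC
# Returns 0 only if all three files exist in both trees and each pair
# carries the same public key.
compare_trees() {
    old=$1; new=$2; rc=0
    for c in $CERTS; do
        o="$old/$CERT_DIR/$c"; n="$new/$CERT_DIR/$c"
        if [ ! -f "$o" ] || [ ! -f "$n" ]; then
            echo "MISSING      $c"; rc=1; continue
        fi
        ko=$(spki_sha256 "$o") && kn=$(spki_sha256 "$n") ||
            { echo "UNREADABLE   $c"; rc=1; continue; }
        if [ "$ko" = "$kn" ]; then
            echo "SAME KEY     $c"
            echo "  notAfter old: $(not_after "$o")"
            echo "  notAfter new: $(not_after "$n")"
        else
            echo "KEY CHANGED  $c"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh compare-certs.sh OLD_SRC NEW_SRC   (script name is hypothetical)
if [ $# -eq 2 ]; then compare_trees "$1" "$2"; fi
```

A non-zero exit status means at least one file is missing, unreadable, or carries a different key, in which case the trees should be inspected by hand before anything is copied.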