nspr has been pushed to stable, it's not possible to push nss back to testing again.

If you need nss, please add karma for the nspr builds. Once nspr pushes, I'll push nss again.

I wasn't able to add this to nss, so I unpushed NSS. I'll push it after this goes to stable.

OK, I couldn't unpush nspr and add it to the nss, unpush nss until nspr can co to stable;(.

This update has been unpushed.

Unpushing this so I can be attached to the nss build to prevent the f33 issue from happing on f32 (where NSS gets pushed before nspr, causing a broken dependency in stable).

This update has been unpushed.

Mozilla has create a bugzilla for their end.:https://bugzilla.mozilla.org/show_bug.cgi?id=1682613

So for rawhide, I don't think we should be backing out the sha1-signature restrictions. It's probably reasonable for f32 and f33. though. I'll create new builds with those. I think we'll need a firefox work around until mozilla changes your addon-signing scheme.

When I said 'not disabled' I really meant 'not enabled'.

strasky: The in tree NSS doesn't use the system-policy, so that is expected.

The issue is in F32, F33, and rawhide.

OK, the issue is add-ons appear to be using sha1 signatures, which are not disabled by policy. NSS 3.59 is now enforcing general signatures. If you use update-crypto-policies -set LEGACY add-ons work will work.

The question is how we should deal with this. We shouldn't back out the enforcement in NSS. I'm not sure if we should hack around it in Firefox until add-ons update, or if we should just require LEGACY crypto policies if you want to load add-ons. Does anyone know if firefox is moving to using SHA-2 for add-ons anytime soon?

To turn SHA1 on for non-certificate signatures: / Sets the NSS_USE_ALG_IN_ANY_SIGNATURE bit. does not change NSS_USE_ALG_IN_CERT_SIGNATURE / rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); / checking rv is optional here, more likely to give a nice error message if policy is * locked /

To temporarily turn policy on for one function: / Get the previous state of the signature policy bit / policy=0; policy_rv = NSS_GetAlgorithmPolicy(SEC_OID_SHA1, &policy); if (policy_rv == SECSuccess) { / this sets policy to NSS_USE_ALG_IN_ANY_SIGNATURE if that bit was off, We'll use it to clear * that bit after we complete our command / policy = (~policy & NSS_USE_ALG_IN_ANY_SIGNATURE) ; / turn on policy / policy_rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); } / do function here / if (policy_rv == SECSuccess) { / clear the policy bit again if it was off before / NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, policy); }

Probably the easiest is have a pref that enables sha1 signatures for add-ons and is it's set just flip the policy bit and not worry about saving and clearing it, since it only affects policy for firefox.

I'm able to reproduce the issue with the 3.59-2 build