Bugzilla – Bug 1221531
Extension could not be verified for use in Firefox and has been disabled
Last modified: 2024-03-20 07:57:29 UTC
Created attachment 873591 [details] Extensions window with errors All extensions suddenly disabled on 17.03.2024 with error: could not be verified for use in Firefox and has been disabled. Firefox 123 from main repo, 123 from mozilla repo, 123 tarball from mozilla.org - all have the same issue. Creating new profile doesn't help. Nighly from mozilla.org is ok
I can confirm on one of my systems where I updated to NSS 3.98 already. On my system with 3.97 it seems to still work. (But there are other things which could make a difference.) You may try a downgrade to 3.97 and see if it changes anything.
I also tried on my system and I can install addons still or again but the old ones stay deactivated. I guess they are marked in the profile now and need to be reinstalled potentially. I don't know if there is another way to reactivate them.
If it turns out to be NSS then I'm wondering if it is just the version breaking something or if it was ------------------------------------------------------------------- Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com> - Add crypto-policies support [bsc#1211301] which has been added along the way.
Short term I reverted the NSS version in mozilla so that people updating will trigger that issue for the moment until it's analyzed what the issue is.
(In reply to Wolfgang Rosenauer from comment #1) > I can confirm on one of my systems where I updated to NSS 3.98 already. > On my system with 3.97 it seems to still work. (But there are other things > which could make a difference.) > > You may try a downgrade to 3.97 and see if it changes anything. Downgrading NSS (mozilla-nss, libsoftokn3, libfreebl3 from tumbleweed main repo) to 3.97 didn't help
Hmm, it certainly helped for me. As said I had to remove and reinstall the deactivated addons but they are a live again for me. Did you try that?
I observe the same symptom (openSuSE 15.5, installed most recent mozilla nss with the updater applet yesterday): all extensions are disabled and can not be enabled or installed "xxx could not be verified for use in Firefox and has been disabled". In contrast to Wolfgang Rosenauer I am not even able to install a "recommended extension" from the Add-On Manager.
(In reply to Wolfgang Rosenauer from comment #6) > Hmm, it certainly helped for me. As said I had to remove and reinstall the > deactivated addons but they are a live again for me. Did you try that? Thank you. This helped indeed, previously I didn't try to reinstall those addons.
*** Bug 1221573 has been marked as a duplicate of this bug. ***
(In reply to Oleg Antonyan from comment #8) > (In reply to Wolfgang Rosenauer from comment #6) > > Hmm, it certainly helped for me. As said I had to remove and reinstall the > > deactivated addons but they are a live again for me. Did you try that? > > Thank you. This helped indeed, previously I didn't try to reinstall those > addons. What sucks is that all settings in those addons reset after removal and reinstallation: NoScript, uBlock rules are gone
Wondering if anystill has the issue an can try this prior to starting Firefox: export NSS_IGNORE_SYSTEM_POLICY=1 That should hopefully confirm in any direction that this change is related.
(In reply to Oleg Antonyan from comment #10) > What sucks is that all settings in those addons reset after removal and > reinstallation: NoScript, uBlock rules are gone Hmm, that's bad. In case there are addon updates available those also will reactivate and keep the data but waiting for updates to the addons is typically not an option :-(
(In reply to Wolfgang Rosenauer from comment #11) > Wondering if anystill has the issue an can try this prior to starting > Firefox: > export NSS_IGNORE_SYSTEM_POLICY=1 > > That should hopefully confirm in any direction that this change is related. With that environment variable, I can add extensions again.
I just hit the same thing. THIS UPDATE NEEDS TO BE RETRACTED IMMEDIATELY! This is very, very bad to heavily customized FF setups. There's no current remedy that preserves add-on settings, or is there? Not even "xpinstall.signatures.required to false" (as an 'advanced' workaround documented by Mozilla) will re-enable the disabled plugins. I'll try the environment variable next.
Lars, Wolfgang reverted already. Try export NSS_IGNORE_SYSTEM_POLICY=1 and start firefox from the same commandline. Then I had to "add" all extensions again.
The update is still in the channel though, I updated a mere few minutes ago. So lets hope it disappears soon. AJ, that still loses all add-on settings.
(In reply to Andreas Jaeger from comment #15) > Try export NSS_IGNORE_SYSTEM_POLICY=1 > and start firefox from the same commandline. Then I had to "add" all > extensions again. I did so, and three of my extensions have "returned": DownThemAll, KeePassXC-Browser, LibRedirect. Others are still deactivated, among them NoScript and uBlock Origin. With this environment variable set, I am now allowed to install "new" ones that didn't work before, e.g. some samples from the "recommended extensions" in the Add-On Manager.
Same fault is showing in opensuse 15.5 OS: opensuse 15.5 Firefox: 123.0.1 mozilla-nss: 3.98-lp155.1.2 libsoftokn3: 3.98-lp155.1.2 libfreebl3: 3.98-lp155.1.2 Tryed the command line "export NSS_IGNORE_SYSTEM_POLICY=1" and then call "firefox" and nothing has changed. All extensions are blocked. Not happy to downgrade NSS (mozilla-nss, libsoftokn3, libfreebl3 from tumbleweed main repo) to 3.97. I have to keep my system as "safe as possible". Happy to provide more info if it helps
(In reply to Andres Nogueiras from comment #18) > mozilla-nss: 3.98-lp155.1.2 Where does it come from? andrei@leap155:~> zypper se -sx -t package mozilla-nss Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository --+-------------+---------+----------------------+--------+------------------------------------------------------------- i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository andrei@leap155:~>
either mozilla devel project or tumbleweed. was not released via maintenance
I came across this issue on a TW and Leap 15.5 system earlier today. I'm not convinced that mozilla-nss is the whole cause of this issue. I also had a leap 15.5 system which was fully updated yesterday, that brought mozilla-nss and associated packages to V3.98 - That system was updated and then switched off, so I had not used firefox since the update. On that system I downgraded mozilla-nss, mozilla-nss-certs, libsoftokn3 and libfreebl3 to 3.97 Currently installed: paul@HP255G7:~> zypper se -i -sx -t package MozillaFirefox mozilla-nss mozilla-nss-certs libsoftokn3 libfreebl3 Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+-------------------+---------+-------------------+--------+--------------- i+ | libfreebl3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | libsoftokn3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | mozilla-nss | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | mozilla-nss-certs | package | 3.97-lp155.2.1 | x86_64 | Mozilla (Leap) i+ | MozillaFirefox | package | 123.0.1-lp155.1.1 | x86_64 | Mozilla (Leap) paul@HP255G7:~> Upon starting firefox, after approximatey 60secs a banner displayed notifying addons had been disabled. I had a backup of the profile for FF 123.0.0 which I restored, again upon starting FF the addons where disabled. With a completely new FF profile I'm unable to add addons, tested with "FlagFox" and "NoScript" Both attempts fail with the message: "Installation aborted because the add-on appears to be corrupt."
Hello from Mozilla, I came here after having seen a few bug reports around add-ons and openSUSE 15.5 in the last 24 hours ([1], [2], [3]). The most recent changes to the `crypto-policies` package introduced in Bug 1211301 broke Firefox. Looking at this package, it seems `sha1` is now disabled in `nss` via a policy file. Unfortunately, this breaks Firefox because Firefox is configured to verify both signatures in add-ons (PKCS#7+SHA1 and COSE+SHA256). openSUSE's CI didn't catch this regression because tests seem to be running without the policies applied [4]. It is worth noting that add-ons have been dual-signed for many years. In fact, Redhat folks experienced a very similar situation in 2020 [5]. We are working on removing the SHA-1 verification entirely but that will take time. I would suggest updating the `crypto-policies` package to revert the NSS policy support temporarily. [1]: https://github.com/mozilla/addons/issues/1575 [2]: https://support.mozilla.org/bm/questions/1442616 [3]: https://forums.opensuse.org/t/firefox-addon-installation-aborted-corrupt-addon/173283/15 [4]: https://build.opensuse.org/request/show/1154074#diff_1_n38 [5]: https://bugzilla.redhat.com/show_bug.cgi?id=1908018
(In reply to Andrei Borzenkov from comment #19) > (In reply to Andres Nogueiras from comment #18) > > mozilla-nss: 3.98-lp155.1.2 > > Where does it come from? > > andrei@leap155:~> zypper se -sx -t package mozilla-nss > Loading repository data... > Reading installed packages... > > S | Name | Type | Version | Arch | Repository > --+-------------+---------+----------------------+--------+------------------ > ------------------------------------------- > i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update > repository with updates from SUSE Linux Enterprise 15 > v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update > repository with updates from SUSE Linux Enterprise 15 > v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | Update > repository with updates from SUSE Linux Enterprise 15 > v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository > andrei@leap155:~> atenas:~ # zypper se -sx -t package mozilla-nss Refreshing service 'openSUSE'. ... Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+-------------+---------+----------------------+--------+---------------------- i+ | mozilla-nss | package | 3.98-lp155.1.2 | x86_64 | (System Packages) v | mozilla-nss | package | 3.97-lp155.2.1 | x86_64 | opensuse 15.5 mozilla v | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | update-sle (15.5) v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | update-sle (15.5) v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | update-sle (15.5) v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | repo-oss (15.5) And this is it... following messages have point out that SHA1 disabled on policies is to blame ¯\(°_o)/¯ Hope it gets reverted soon
Also, remove the extension and adding again makes it work, but all the config / setup for the extension is lost :(
I confirm the problem occurs today for me (tumbleweed). It's very annoying.
I have been working with the downgraded packages the rest of yesterday and this morning for 3 hours - and now get a message that all extensions are disabled again. $ zypper se -i -sx -t package MozillaFirefox mozilla-nss mozilla-nss-certs libsoftokn3 libfreebl3 Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+----------------+---------+-------------------+--------+----------- i+ | libfreebl3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla i+ | libsoftokn3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla i+ | mozilla-nss | package | 3.97-lp155.2.1 | x86_64 | Mozilla i+ | MozillaFirefox | package | 123.0.1-lp155.1.1 | x86_64 | Mozilla Note this is on openSUSE 15.5.
(In reply to Andreas Jaeger from comment #26) > I have been working with the downgraded packages the rest of yesterday and > this morning for 3 hours - and now get a message that all extensions are > disabled again. > > $ zypper se -i -sx -t package MozillaFirefox mozilla-nss mozilla-nss-certs > libsoftokn3 libfreebl3 > Loading repository data... > Reading installed packages... > > S | Name | Type | Version | Arch | Repository > ---+----------------+---------+-------------------+--------+----------- > i+ | libfreebl3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla > i+ | libsoftokn3 | package | 3.97-lp155.2.1 | x86_64 | Mozilla > i+ | mozilla-nss | package | 3.97-lp155.2.1 | x86_64 | Mozilla > i+ | MozillaFirefox | package | 123.0.1-lp155.1.1 | x86_64 | Mozilla > > Note this is on openSUSE 15.5. I'm also on openSUSE 15.5. For me, without further changes in any of the packages, all extensions started to work again yesterday sometime during the afternoon, and this is still the case. I have, however, not downgraded but rather used the configuration which was broken since Sunday, March, 17: > zypper se -i -sx -t package MozillaFirefox mozilla-nss mozilla-nss-certs libsoftokn3 libfreebl3 Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+-------------------+---------+----------------------+--------+------------------------------------------------------------- i+ | libfreebl3 | package | 3.98-lp155.1.1 | x86_64 | (System Packages) i+ | libsoftokn3 | package | 3.98-lp155.1.1 | x86_64 | (System Packages) i+ | mozilla-nss | package | 3.98-lp155.1.1 | x86_64 | (System Packages) i+ | mozilla-nss-certs | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 i+ | MozillaFirefox | package | 123.0.1-lp155.1.1 | x86_64 | mozilla Maybe this help to clear up what's going on.
My workaround: Reset mozilla-nss and mozilla-nss-certs to version 3.97-lp155.2.1 from the mozilla-Repo and set this variable: export NSS_IGNORE_SYSTEM_POLICY=1 After that Fx works without problems.
Tumbleweed 3.97 installed yesterday by discover export NSS_IGNORE_SYSTEM_POLICY=1 has no effect. problem still here and i can't install any extension.
(In reply to Episteme PROMENEUR from comment #29) > Tumbleweed > 3.97 installed yesterday by discover > > export NSS_IGNORE_SYSTEM_POLICY=1 > > has no effect. > > problem still here and i can't install any extension. Where/How do you set this variable? Typing it in a terminal window and starting Firefox from the menu has no effect! You should try this in a terminal window: export NSS_IGNORE_SYSTEM_POLICY=1; firefox & If that works, put the export NSS_IGNORE_SYSTEM_POLICY=1 into ~/.profile logout and login again.
The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but the LEGACY one does allow it. Could somebody test if switching to LEGACY helps?: > sudo update-crypto-policies --set LEGACY Note that, this command is shipped by the crypto-policies-scripts package. If it help, I would force using the LEGACY policy only in mozilla-nss by default for now in crypto-policies and submit in a moment. TIA
(In reply to Manfred Hollstein from comment #30) > (In reply to Episteme PROMENEUR from comment #29) > > Tumbleweed > > 3.97 installed yesterday by discover > > > > export NSS_IGNORE_SYSTEM_POLICY=1 > > > > has no effect. > > > > problem still here and i can't install any extension. > > Where/How do you set this variable? Typing it in a terminal window and > starting Firefox from the menu has no effect! > > You should try this in a terminal window: > > export NSS_IGNORE_SYSTEM_POLICY=1; Firefox & > > If that works, put the > > export NSS_IGNORE_SYSTEM_POLICY=1 > > into ~/.profile logout and login again. all my extension stays disabled. there is some progress. I can install an extension. I don't want to install the statement in ~/.profile. I prefer to limit this to Firefox environment.
(In reply to Episteme PROMENEUR from comment #32) > > export NSS_IGNORE_SYSTEM_POLICY=1 > > > > into ~/.profile logout and login again. > > all my extension stays disabled. There's no way to reenable them once they're flagged as disabled for this reason (the flag can't be manually cleared it seems), short of reinstalling the extension - that's what the Mozilla Firefox docs say at least. Apparently, some people managed to just install the extension on top (without first uninstalling them), which may preserve settings. I just set NSS_IGNORE_SYSTEM_POLICY=1 only for the start of Firefox; I just start it from the terminal for this purpose, not via a menu/hotkey.
(In reply to Pedro Monreal Gonzalez from comment #31) > The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but > the LEGACY one does allow it. Could somebody test if switching to LEGACY > helps?: > > > sudo update-crypto-policies --set LEGACY > > Note that, this command is shipped by the crypto-policies-scripts package. > > If it help, I would force using the LEGACY policy only in mozilla-nss by > default for now in crypto-policies and submit in a moment. > > TIA Using a new Firefox profile with "update-crypto-policies" unchanged: Unable to install extension "Installation aborted because the add-on appears to be corrupt." Using a new Firefox profile after "update-crypto-policies --set LEGACY": extensions install correctly. Using a new Firefox profile after resetting crypto policy "update-crypto-policies --set DEFAULT": Unable to install extension "Installation aborted because the add-on appears to be corrupt."
This workaround helped me on Leap 15.5 and might work for others, too: 1. Launch Firefox with 'NSS_IGNORE_SYSTEM_POLICY=1 firefox' * Do not uninstall any extensions! * Instead, re-install everything you had previously installed on top of your old extensions * This should keep your extension settings (uBlock, password managers etc.) 2. Downgrade mozilla-nss and libsoftokn3 * zypper in --oldpackage mozilla-nss=3.79.4-150400.3.29.1 * zypper in --oldpackage libsoftokn3=3.79.4-150400.3.29.1 3. Prevent upgrades to those two packages for now: * zypper al 'libsoftokn3<=3.79.4' * zypper al 'libsoftokn3<=3.79.4' 4. Start Firefox with 'firefox --allow-downgrade' * Since you downgraded Firefox together with mozilla-nss, your profile is newer than your (now) installed Firefox. * Even though Firefox warns about possible corruptions, for me nothing broke. YMMV, though. 5. Now you can use firefox like you used to (without any command line parameters and with all extensions). 6. Keep an eye on this bugzilla to see if you can remove the package locks. I think this might be the best option without completely disabling security checks. Sure, it keeps an obsolete version of NSS. But the other two options seem to be to either disable extension signature checks completely or to not use Firefox extensions for now. Once the issue is fully resolved, you can remove the locks with 'zypper rl libsoftokn3' and 'zypper rl mozilla-nss' and perform a regular (dist-)upgrade.
(In reply to Pedro Monreal Gonzalez from comment #31) > The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but > the LEGACY one does allow it. Could somebody test if switching to LEGACY > helps?: > > > sudo update-crypto-policies --set LEGACY > > Note that, this command is shipped by the crypto-policies-scripts package. > > If it help, I would force using the LEGACY policy only in mozilla-nss by > default for now in crypto-policies and submit in a moment. > > TIA Additionally: With crypto policies set to legacy and after forcing FF to validate add on signature(s) by setting "app.update.lastUpdateTime.xpi-signature-verification" = 0 and restarting FF, upon restart signature verification is OK. (One can check that verification has indeed taken place by looking at the value of "app.update.lastUpdateTime.xpi-signature-verification").
Quick update: All NSS packages I'm aware of now have crypto-policies disabled again. Therefore locking or going back/or stay with 3.97 is not required anymore. The relevant support will be added later again.
(In reply to Wolfgang Rosenauer from comment #37) > Quick update: > All NSS packages I'm aware of now have crypto-policies disabled again. > Therefore locking or going back/or stay with 3.97 is not required anymore. > > The relevant support will be added later again. Just to confirm: Leap 15.5 updated mozilla-nss etc to 3.98-lp155.2.1 - all now appears OK, addons can be installed, forced signature verification succeeds.
(In reply to Paul Tannington from comment #38) > (In reply to Wolfgang Rosenauer from comment #37) > > Quick update: > > All NSS packages I'm aware of now have crypto-policies disabled again. > > Therefore locking or going back/or stay with 3.97 is not required anymore. > > > > The relevant support will be added later again. > > Just to confirm: > Leap 15.5 updated mozilla-nss etc to 3.98-lp155.2.1 - all now appears OK, > addons can be installed, forced signature verification succeeds. same here, 3.98-lp155.2.1 just arrived through updater applet: > zypper se -i -sx -t package MozillaFirefox mozilla-nss mozilla-nss-certs libsoftokn3 libfreebl3 Loading repository data... Reading installed packages... S | Name | Type | Version | Arch | Repository ---+-------------------+---------+----------------------+--------+------------------------------------------------------------- i+ | libfreebl3 | package | 3.98-lp155.2.1 | x86_64 | mozilla i+ | libsoftokn3 | package | 3.98-lp155.2.1 | x86_64 | mozilla i+ | mozilla-nss | package | 3.98-lp155.2.1 | x86_64 | mozilla i+ | mozilla-nss-certs | package | 3.90.2-150400.3.39.1 | x86_64 | Update repository with updates from SUSE Linux Enterprise 15 i+ | MozillaFirefox | package | 123.0.1-lp155.1.1 | x86_64 | mozilla all extensions still active and verification OK. Thanks for resolving the issue quickly.
Tumbleweed 3.98 packages installed The newly installed extensions are not disabled. But you must install again your old extensions (do not uninstall them). For me, the problem is solved. Thanks to all
I worked on my laptop that wasn't updated yet while this issue was being resolved. I just got home, turned on my TW PC that was effected by this. I just ran the updates, rebooted. Started up Firefox and everything worked. Didn't had to do anything. Thx!!
(In reply to Episteme PROMENEUR from comment #40) > Tumbleweed > > 3.98 packages installed > > The newly installed extensions are not disabled. > > But you must install again your old extensions (do not uninstall them). > > For me, the problem is solved. > > Thanks to all On my system (15.5), there was no need to re-install any of the extensions. Everything just re-appeared including settings. I add this, to just to save someone from unnecessary work, maybe.
- just installed the latest update libfreebl3-3.98-lp155.2.1.x86_64 mozilla-nss-certs-3.98-lp155.2.1.x86_64 libsoftokn3-3.98-lp155.2.1.x86_64 mozilla-nss-3.98-lp155.2.1.x86_64 - Backup of Firefox profile imported - Firefox started - everything works fine Thank you :)
Can confirm same solution in #38 to #41 Thanks for the fix!
(In reply to Andrei Borzenkov from comment #19) > (In reply to Andres Nogueiras from comment #18) > > mozilla-nss: 3.98-lp155.1.2 > > Where does it come from? > > andrei@leap155:~> zypper se -sx -t package mozilla-nss > Loading repository data... > Reading installed packages... > > S | Name | Type | Version | Arch | Repository > --+-------------+---------+----------------------+--------+------------------ > ------------------------------------------- > i | mozilla-nss | package | 3.90.2-150400.3.39.1 | x86_64 | Update > repository with updates from SUSE Linux Enterprise 15 > v | mozilla-nss | package | 3.90.1-150400.3.35.2 | x86_64 | Update > repository with updates from SUSE Linux Enterprise 15 > v | mozilla-nss | package | 3.90-150400.3.32.1 | x86_64 | Update > repository with updates from SUSE Linux Enterprise 15 > v | mozilla-nss | package | 3.79.4-150400.3.29.1 | x86_64 | Main Repository > andrei@leap155:~> Leap uses Firefox ESR by default. To get newer ones user needs to add Mozilla repo: zypper addrepo https://download.opensuse.org/repositories/mozilla/openSUSE_Leap_15.5/mozilla.repo Package mozilla-nss 3.98-lp155.1.2 was retracted. Newer mozilla-nss 3.98-lp155.2.1 solves problems with addons. I didn’t touch FF 123 for a couple of days, used FF ESR. After installing mozilla-nss 3.98-lp155.2.1 for Leap 15.5 addons for FF 123 started to work without reinstall, for FF ESR I made uninstall + install to get rid of warnings (with losing settings). For some addons you can perform Backup + Restore settings (NoScript, uBlock Origin, etc.). Soon we will get FF 124, possible it will help with addons troubles.
(In reply to Pedro Monreal Gonzalez from comment #31) > The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but > the LEGACY one does allow it. Could somebody test if switching to LEGACY > helps?: > > > sudo update-crypto-policies --set LEGACY > > Note that, this command is shipped by the crypto-policies-scripts package. > > If it help, I would force using the LEGACY policy only in mozilla-nss by > default for now in crypto-policies and submit in a moment. > > TIA Since the crypto-policies support has been disabled in the nss packages for the time being, is there an SR already from your side? Thx.
(In reply to Frank Krüger from comment #46) > (In reply to Pedro Monreal Gonzalez from comment #31) > > The DEFAULT policy in crypto-policies does not allow SHA-1 signatures but > > the LEGACY one does allow it. Could somebody test if switching to LEGACY > > helps?: > > > > > sudo update-crypto-policies --set LEGACY > > > > Note that, this command is shipped by the crypto-policies-scripts package. > > > > If it help, I would force using the LEGACY policy only in mozilla-nss by > > default for now in crypto-policies and submit in a moment. > > > > TIA > > Since the crypto-policies support has been disabled in the nss packages for > the time being, is there an SR already from your side? Thx. Since crypto-policies support has been disabled in nss, there is no need to submit any changes in CP for now. We may have to allow SHA1 in the nss DEFAULT policy for some time if we want to enforce crypto-policies back for it.