Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#41689 - [nss] Firefox silently ignores add-on updates

Attached to Project: Arch Linux
Opened by kinodont (kinodont) - Monday, 25 August 2014, 09:42 GMT
Last edited by Jan Alexander Steffens (heftig) - Thursday, 28 August 2014, 21:03 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Jan de Groot (JGC)
Ionut Biru (wonder)
Jan Alexander Steffens (heftig)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Firefox can not find updates for add-ons even though they are available.
Add-ons can only be installed from

Additional info:
nss 3.17-1
nspr 4.10.7-1
ca-certificates 20140325-2
ca-certificates-utils 20140325-2
ca-certificates-mozilla 3.17-1
ca-certificates-cacert 20140824-1
firefox 31.0-1

Steps to reproduce:
1) add-on update
* have an add-on installed that requires an update
(or install an older version - e.g. for AdBlock Plus install version 2.6.3
but ANY out-of-date add-on will do)
* in Firefox, go to add-ons, Extensions tab and click Check for updates
* "No updates found" is displayed even though some add-ons that have a newer version are available
* NO ERRORS are reported to the user, no errors on stderr and no errors in the Browser Console
* Downloading add-ons directly from DOES work.

2) AdBlock Plus download from developer's web site
* go to
* click "Install For Firefox" and then Allow
* an error is reported: "The add-on could not be downloaded because of a connection failure on"
* another error is also reported to the Browser Console:
addons.xpi WARN Download of failed: [Exception... "Certificate issuer is not built-in." nsresult: "0x80004004 (NS_ERROR_ABORT)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 169" data: no] Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:169 < AI_onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:5306 < <file:unknown>

Downgrading nss to version 4.10.6-1 fixes all issues.
This task depends upon

Closed by  Jan Alexander Steffens (heftig)
Thursday, 28 August 2014, 21:03 GMT
Reason for closing:  Fixed
Additional comments about closing:  firefox 31.0-2 et al
Comment by kinodont (kinodont) - Monday, 25 August 2014, 10:45 GMT
EDIT: mixed up the versions - Downgrading nss to version 3.16.1-1 fixes all issues.
Comment by Jan Alexander Steffens (heftig) - Tuesday, 26 August 2014, 19:09 GMT
It seems this is due to Firefox depending on NSS internals - specifically, addons must be signed by certificates validated by the built-in trusted root store, which is matched by name.

Fedora was affected as well:
Upstream report, arguing for the check to be removed:

Now we can:
a. Patch p11-kit to rename the store; the easy way.
b. Patch Firefox and Thunderbird and SeaMonkey to not require the name to match; the hard way, and the one Fedora chose.
c. Revert the change that links NSS to p11-kit; rather not, as it makes it really hard to control the root store.