
Manually Fix Firefox Add-ons

What happened?

Around midnight yesterday, Firefox add-ons around the world near-silently failed. NoScript disappeared and newly opened tabs loaded untrusted JavaScript freely. Mozilla released a blog post explaining that a relevant intermediate certificate expired, causing installed add-ons to lose their root of trust (additional details on bug 1548973 here).

Just wait for a fix?

Per the blog post, users can allow Firefox to install and run studies to eventually receive the fix. Unfortunately, this requires both "Allow Firefox to send technical and interaction data to Mozilla" and waiting until the study eventually installs (potentially alongside other studies). I find this approach pretty disingenuous from Mozilla as they developed a hotfix, then hid an installation option behind an option with privacy impacts. That's a very disappointing move by Mozilla. We can work around this.

Workaround

Behind the scenes, Normandy provides the study management system for Firefox. We can directly access the endpoint it uses (https://normandy.cdn.mozilla.net/api/v1), which is listed in about:config under app.normandy.api_url. Here's a view of this Api Root:

HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Cache-Control: public, max-age=30
Content-Type: application/json
Vary: Accept

{
    "action-list": "https://normandy.cdn.mozilla.net/api/v1/action/",
    "action-signed": "https://normandy.cdn.mozilla.net/api/v1/action/signed/",
    "approvalrequest-list": "https://normandy.cdn.mozilla.net/api/v1/approval_request/",
    "classify-client": "https://classify-client.services.mozilla.com/api/v1/classify_client/",
    "extension-list": "https://normandy.cdn.mozilla.net/api/v1/extension/",
    "recipe-list": "https://normandy.cdn.mozilla.net/api/v1/recipe/",
    "recipe-signed": "https://normandy.cdn.mozilla.net/api/v1/recipe/signed/",
    "reciperevision-list": "https://normandy.cdn.mozilla.net/api/v1/recipe_revision/"
}

The hotfix we're interested in is located under the recipe-list, although it's unclear why it isn't under recipe-signed. A quick search for bug 1548973 (referenced in the blog post above) reveals the hotfix:

    {
        "id": 761,
        "last_updated": "2019-05-04T09:44:57.116104Z",
        "name": "Hotfix: Update XPI signing intermediate [Bug 1548973]",
        ...
        "arguments": {
            "name": "hotfix-update-xpi-signing-intermediate-bug-1548973",
            "description": "This is a hotfix that updates an intermediate certificate used for signing add-ons. It is one of the mechanisms used to fix bug 1548973.",
            "extensionApiId": 85,
            "addonUrl": "https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi",
            "isEnrollmentPaused": false
        },
        ...
    },

Hotfix

Per the Normandy entry, the hotfix update is available here. Either allow googleapis.com to install add-ons (no thanks), or download it locally, then Install from file in the Firefox Add-ons Management tab (Tools => Add-ons => Click gearbox in top right => Install Add-on from File...). It's rather interesting to watch the add-ons slowly enable as their certificates are re-validated.
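The lookup described above, as an added example that is not part of the original post or Mozilla's code: it finds the recipe for a bug number in an already-parsed recipe list and checks that its addonUrl has the expected origin before anything is downloaded by hand. The function names, the sample list and the pinned host and bucket prefix are assumptions taken from the excerpt on this page.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: what json.load() would return for a recipe list shaped like
# the excerpt on this page. Entry 1 is invented filler; elided fields are left out.
SAMPLE_RECIPES = [
    {"id": 1, "name": "Unrelated study (constructed)", "arguments": {"name": "filler"}},
    {"id": 761,
     "name": "Hotfix: Update XPI signing intermediate [Bug 1548973]",
     "arguments": {
         "name": "hotfix-update-xpi-signing-intermediate-bug-1548973",
         "addonUrl": "https://storage.googleapis.com/moz-fx-normandy-prod-addons/"
                     "extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi",
         "isEnrollmentPaused": False}},
]

# Assumption: pin to the host and bucket path seen in the page's addonUrl. The host
# alone is shared by every Google Cloud Storage bucket, so it is not enough.
EXPECTED_HOST = "storage.googleapis.com"
EXPECTED_PREFIX = "/moz-fx-normandy-prod-addons/extensions/"

def find_hotfix(recipes, bug_id):
    """Return recipes that mention the bug number and carry an addonUrl."""
    hits = []
    for recipe in recipes:
        args = recipe.get("arguments") or {}
        text = f"{recipe.get('name', '')} {args.get('name', '')}"
        if str(bug_id) in text and "addonUrl" in args:
            hits.append(recipe)
    return hits

def checked_addon_url(recipe):
    """Return (url, filename) or raise ValueError if the URL is not the expected shape."""
    url = recipe["arguments"]["addonUrl"]
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != EXPECTED_HOST:
        raise ValueError(f"unexpected origin: {url!r}")
    if not parts.path.startswith(EXPECTED_PREFIX):
        raise ValueError(f"unexpected bucket path: {url!r}")
    # Decode the final segment and refuse anything that is not a single .xpi name.
    filename = unquote(parts.path[len(EXPECTED_PREFIX):])
    if "/" in filename or not filename.endswith(".xpi"):
        raise ValueError(f"unexpected file name: {filename!r}")
    return url, filename

if __name__ == "__main__":
    for hit in find_hotfix(SAMPLE_RECIPES, 1548973):
        print(hit["id"], *checked_addon_url(hit))
```

Firefox still verifies the add-on's signature when it is installed from file; the origin check only guards against fetching the wrong object in the first place.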