Adblock Plus and (a little) more

More extension signing adventures · 2009-12-21 11:22 by Wladimir Palant

Things got significantly better since the last time I tried to sign Adblock Plus. Firefox 3.5.6 will now show my name instead of “Author not verified” even if the organization field of the certificate is empty (thanks, Boris). And StartCom certificates are accepted by all main applications that Adblock Plus needs to support (meaning Firefox 3.0 starting with 3.0.12, Firefox 3.5/3.6/3.7, SeaMonkey 2.0 and Thunderbird 3.0). So I started signing development builds again and even released Adblock Plus 1.1.2 as a signed XPI a little more than a week ago.

And the catch? Well, some people still report seeing “Signing could not be verified” error when trying to install Adblock Plus. Wait, but this should not happen because all supported application versions come with an NSS version that has an up-to-date certificate store! But do they really? Ah, there are those Linux distributions that come with their own copy of NSS. The good news: official Firefox and SeaMonkey builds generally don’t depend on system’s NSS library. The bad news: the builds from distribution’s app store usually do depend on it. And that dependency typically requires only some version >= 3.12. For reference: NSS 3.12 was released in June 2008. The first NSS version to allow StartCom certificates for code signing was NSS (July 2009). So as long as some Linux distribution ships with an outdated NSS version some people will always have trouble installing Adblock Plus.


Comment [19]

  1. Kadir · 2009-12-21 17:47 · #

    I really admire how much thought you put into your rather awesome extension. You are not content with having the best ad blocker out there, you’re still trying to find ways to improve it, that’s rare, thanks a lot!

  2. Warren · 2009-12-22 01:18 · #

    I’m seeing that error now with PCLinuxOS’ release of Firefox 3.5.6. It might have been a hasty build; the update was available on the PCLinuxOS servers before the official version was available from Mozilla and they accidently included an earlier release of NSS.

    But, I’m speculating.

    Is there any way to force an installation?

    Reply from Wladimir Palant:

    As I mentioned above, the Firefox build has nothing to do with it – it’s the outdated version of the NSS library. This problem can certainly be “fixed”, see – “Known issues” at the bottom.

  3. W^L+ · 2009-12-22 08:25 · #

    Also seeing the error. Also Firefox 3.5.6 on PCLOS.

  4. Shawn Wilsher · 2009-12-22 08:28 · #

    You should really file a bug on upgrading the minimum version in configure. We take those NSS upgrades for security fixes, so we should be requiring those new versions in configure too. If a linux distro wants to ship it with a lower version, they know how to request that change. I deal with this all the time with SQLite. It’s annoying for add-on authors when it should work on all platforms, but doesn’t because linux uses the system library.

    Reply from Wladimir Palant:

    Good idea, I didn’t think about configure. Of course, theoretically the distribution could compile with a new NSS version but still allow the package to be installed with an old one. Would be an improvement nevertheless.

  5. steve · 2009-12-22 14:32 · #

    Do you know which distributions have this issue? Perhaps filing a bug there would be also a good idea.


    Reply from Wladimir Palant:

    So far I have reports about Gentoo and PCLinuxOS. However, when I check RPM dependencies for some other distributions it looks like they could be affected as well. Filing bugs with all Linux distributions (and forcing the issue because they are probably staying on an older version because of long-term support and similar) isn’t something I have time for…

  6. Warren · 2009-12-22 21:44 · #

    Just an FYI,

    The latest (and in my case, installed) version of NSS for PCLinuxOS is 3.12.5-1pclos2010.

  7. Warren · 2009-12-22 21:50 · #

    …Oh, and deliberately setting “identify software makers” in the signing authority section permitted installation of the extension.

  8. mmmmna · 2009-12-23 04:19 · #

    Adblock signing error seen on PCLOS and Seamonkey 2.01. Solution proposed by Wladimir Palant in response to Warren · 2009-12-22 01:18
    allows plugin to be installed.

    Good work, Mr Palant, GOOD work.

  9. mmmmna · 2009-12-23 04:21 · #

    BTW, I will post a suggestion in the PCLOS support forums, unless someone already made such a suggestion; in that case, I’ll post that I support the existing post.

  10. nesetalis · 2009-12-24 19:40 · #

    is there a way around this? I’m using Sabayon (fork of gentoo) and were stuck in 3.12.3.r1… which fails to allow addblock plus to install…
    is there some config in firefox that i can force it to install anyway?

    Reply from Wladimir Palant:

    See my answer to second comment above.

  11. dallas7 · 2009-12-25 09:19 · #

    Just did the “fix” in PCLinuxOS Gnome. I’ll paste your text here for any one else who might stop in…

    View certificates in the encryption/certificates tab of the options, select “StartCom Certification Authority” under “Authorities” and click “Edit”. Make sure “This certificate can identify software makers” is checked and click OK.

  12. Arnd Bergmann · 2010-01-01 20:24 · #

    Installing the testing version of nss in gentoo (currently 3.12.4.r2) works.

  13. Chris · 2010-01-04 22:39 · #

    Need your advice on how to allow Gmail integration with Thunderbird 3.0. No incoming e-mail. Stopped after installing Adblock Plus 1.1.2. Is there a filter issue?

    I use Vista with Mozilla Thunderbird (TB) and Gmail (IMAP) for e-mail. I just upgraded from TB 2.0 to TB 3.0 which installed automatically. I included an ad blocker extension Adblock Plus 1.1.2; an earlier version Adblock was used with TB 2.0. My firewall, Outpost, was also used with TB 2.0.

    After the upgrade I can send e-mail but I cannot receive. At first I did receive e-mail through TB 3.0 for a couple of hours and then the incoming stopped after Adblock Plus was added. The messages are sitting in Gmail.

    My server settings are what TB 3.0 recommends:
    IMAP Mail Server (IMAP) settings:
    Server Name:
    Port: 993
    User Name: or (for google apps users)
    Connection security: SSL/TLS
    Use secure authentication: UNTICKED

    Outgoing Server (SMTP) settings:
    Server Name:
    Port: 587     Default: 25
    Use name and password : TICKED
    username: or (for google apps users)
    Connection security: STARTTLS

    Please advise a solution ASAP.
    Thanks – Chris

    Reply from Wladimir Palant:

    Adblock Plus has no effect on IMAP whatsoever. I am using Gmail in Thunderbird myself and I think that you are looking in the wrong place. Just because you recently installed Adblock Plus doesn’t mean that Adblock Plus is responsible. Otherwise – there are Mozillazine forums ( where you can usually get help.

  14. French boy 1111 · 2010-01-05 14:40 · #

    Congratulation about the work you’ve done on this addon, I just discovered it and its already changing my life ! You’re awesome ! Bless

  15. FBIgame · 2010-01-08 11:53 · #

    wow,nice,and thanks for the information

  16. mixer · 2010-01-17 08:57 · #

    thank everyone, but if u guys will so grate how u can, may be u’ll make this banners more neutral? i use it for no c banners, so if i c mindfuck info with ur pictures, is same as c banners, so, pleace, or just gray picture or withno any pictures with “think about” or with other fagocommunistic words or pictures, sorry for no political correct but ur bunners is same
    in any way than you all

  17. ladyyatexel · 2010-01-19 01:06 · #

    I just want to tell you how much I love Adblock Plus! I was shocked by how well it worked, and I’m just thrilled to not have to see dancing flash animated people telling me that Obama wants moms to go to school or pictures of teeth and weightloss. This is THE BEST thing I have ever downloaded for Firefox, thank you so much! The internet is awesome again.

  18. Pythagoars · 2010-04-02 17:24 · #

    Mozilla’s certificate manager allows the user to change what is needed. Here with NSS 3.12.3 I opened the certificate viewer Edit > Preferences > Advanced > Encryption > View Certificates, then for all StartCom certificates I clicked Edit… and checked “This certificate can identify software makers”

    This worked for me and is — beside of updating — the cleanest method I think.

  19. MI · 2010-06-08 02:57 · #

    Help! I had to switch over from my main computer to a back-up computer. I’m getting the signing not verified error -260 and unable to install. Is there any workaround to get this app to work on my machine?

    I can’t stand animated, flashing, or brightly colored adverts, so I must download this app or abandon any website that has such ads.

Commenting is closed for this article.