From 042609f471459dd1c2fadbac9bf79b5ae815333d Mon Sep 17 00:00:00 2001 From: Rob Wu Date: Thu, 20 Mar 2025 09:54:00 +0000 Subject: [PATCH] Bug 1954818 - Add intermediate cert used until 2018 - ESR128 port r=jschanck,willdurand a=pascalc This patch was modified from the original because this ESR branch does not include the changes from bug 1914064. The certificate was generated from the original in D242073 with: ``` $ openssl x509 \ -in security/manager/ssl/addons-public-2018-intermediate.pem \ -outform DER \ -out security/manager/ssl/addons-public-2018-intermediate.crt ``` Original Revision: https://phabricator.services.mozilla.com/D242073 Differential Revision: https://phabricator.services.mozilla.com/D242078 --- security/manager/ssl/AppTrustDomain.cpp | 19 +++++-- security/manager/ssl/AppTrustDomain.h | 2 +- .../ssl/addons-public-2018-intermediate.crt | Bin 0 -> 1877 bytes security/manager/ssl/gen_cert_header.py | 1 + security/manager/ssl/moz.build | 5 ++ .../disable_ctrl_q_and_cmd_q-1.xpi | Bin 0 -> 4420 bytes .../disable_ctrl_q_and_cmd_q-2resigned1.xpi | Bin 0 -> 7664 bytes .../test/xpcshell/test_signed_verify.js | 48 +++++++++++++++++- 8 files changed, 68 insertions(+), 7 deletions(-) create mode 100644 security/manager/ssl/addons-public-2018-intermediate.crt create mode 100644 toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/disable_ctrl_q_and_cmd_q-1.xpi create mode 100644 toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/disable_ctrl_q_and_cmd_q-2resigned1.xpi diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp index 6ce1a9741e9d..3e99f0fd7731 100644 --- a/security/manager/ssl/AppTrustDomain.cpp +++ b/security/manager/ssl/AppTrustDomain.cpp 
@@ -32,6 +32,12 @@ // Add-on signing Certificates #include "addons-public.inc" #include "addons-public-intermediate.inc" +#include "addons-public-2018-intermediate.inc" +const mozilla::Span addonsPublicIntermediates[] = { + mozilla::Span(addonsPublicIntermediate, sizeof(addonsPublicIntermediate)), + mozilla::Span(addonsPublic2018Intermediate, + sizeof(addonsPublic2018Intermediate)), +}; #include "addons-stage.inc" #include "addons-stage-intermediate.inc" // Content signature root certificates @@ -90,12 +96,15 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) { // The intermediate bundled with signed XPI files may have expired and be // considered invalid, which can result in bug 1548973. if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) { - mAddonsIntermediate = {addonsPublicIntermediate}; + mAddonsIntermediates.AppendElements( + addonsPublicIntermediates, MOZ_ARRAY_LENGTH(addonsPublicIntermediates)); } // Similarly to the above logic for production, we hardcode the intermediate // stage certificate here, so that stage is equivalent to production. if (trustedRoot == nsIX509CertDB::AddonsStageRoot) { - mAddonsIntermediate = {addonsStageIntermediate}; + Span addonsStageIntermediateSpan = { + addonsStageIntermediate, sizeof(addonsStageIntermediate)}; + mAddonsIntermediates.AppendElement(std::move(addonsStageIntermediateSpan)); } return NS_OK; @@ -118,10 +127,10 @@ pkix::Result AppTrustDomain::FindIssuer(Input encodedIssuerName, return rv; } candidates.AppendElement(std::move(rootInput)); - if (!mAddonsIntermediate.IsEmpty()) { + for (const auto& intermediate : mAddonsIntermediates) { Input intermediateInput; - rv = intermediateInput.Init(mAddonsIntermediate.Elements(), - mAddonsIntermediate.Length()); + pkix::Result rv = + intermediateInput.Init(intermediate.Elements(), intermediate.Length()); // Again, this should never fail for the same reason as above. if (rv != Success) { return rv; 
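Review bot: The new `addonsPublicIntermediates` array in the first AppTrustDomain.cpp hunk has no comment saying which certificate the second entry is or why it is offered as a hardcoded issuer candidate, which makes this trust material hard to audit later. A comment above the array such as `// Intermediates tried for AddonsPublicRoot: the current one and the one used until Feb 2018 (bug 1954818); SHA-256 <FINGERPRINT_PLACEHOLDER>.` would let a reader check the embedded DER against the published certificate. Separately, both entries pass `sizeof(...)` as the length, which is an element count only while the generated arrays are byte-typed (their declarations are in the `.inc` files, not in this hunk). The array-reference form that the removed `{addonsPublicIntermediate}` assignment relied on would carry the length with the type.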
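Review bot: In the SetTrustedRoot hunk the intermediates are now appended where the removed lines assigned, so a second call on the same AppTrustDomain would leave the earlier root's intermediates, or duplicates, in `mAddonsIntermediates` for FindIssuer to offer as candidates. Whether the function can run twice on one instance is not visible here, because its body starts outside the hunk; if it can, adding `mAddonsIntermediates.Clear();` before the two `if` blocks restores the old replace semantics. The `std::move` around `addonsStageIntermediateSpan` also looks unnecessary for a non-owning view, and passing the span directly would read more simply.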
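Review bot: In the FindIssuer hunk, `pkix::Result rv = intermediateInput.Init(...)` declares a second `rv` that shadows the one the surrounding code already uses; the context line `return rv;` above the loop and the removed `rv = intermediateInput.Init(` both refer to that outer variable. Behaviour is unchanged here because the inner value is checked and returned inside the loop, but the shadowing trips -Wshadow and invites a later edit to read the wrong variable after the loop. Assigning to the existing variable keeps a single error path: `rv = intermediateInput.Init(intermediate.Elements(), intermediate.Length());`. The loop body and the rest of FindIssuer continue outside the hunk.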
diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h index 4d09cdabdfe1..db3d804bddfb 100644 --- a/security/manager/ssl/AppTrustDomain.h +++ b/security/manager/ssl/AppTrustDomain.h @@ -83,7 +83,7 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain { private: Span mTrustedRoot; - Span mAddonsIntermediate; + nsTArray> mAddonsIntermediates; nsTArray> mIntermediates; nsCOMPtr mCertBlocklist; }; diff --git a/security/manager/ssl/addons-public-2018-intermediate.crt b/security/manager/ssl/addons-public-2018-intermediate.crt new file mode 100644 index 0000000000000000000000000000000000000000..5ab1af50dab7001f104659b8b4f5961cadc63e59 GIT binary patch literal 1877 zcmXqLVh=QEVzper%*4pV#47G&!mePz%f_kI=F#?@mywZ&mBFCaklTQhjX9KsO_(V( z*ignm3dG?O7WU1r%FM}0RB+BOD#$NNEXmBzGt@WG1<7&?tHER)ef<>zitVpiGLuscKlR7VG906l+7&L-aeqbS3BK8Z+z@V%pS25dncrQH(4or{r=7^YqES-CHUZuft4n)m!q;w+o#Ox$heYF>vnG1&ZOEi>Ghs;T{N#qoUQ-z;~8 zZ}1#g9P(LFE{Q*O@wM{az6DhtA7zh8dWX)HJwAKi%Iy60FKrYmPV{~1+_#8vU7gPQ z7r{R1lk<|pYBM&w?0u2WY%;&}iqRzfT_V$~<2)pD{=Li(TKZW{p<7S0LwvRR#V_9; z-)sGTaTx9nc{_pr;YlzF77xrGvaJ&6y3PmR&XJ8ve)dic%9d^6Zxu@&fj~n#{Jzip00aV zzs}cAZMIHZy*_f&)~|a#rs@Ck4k+|CFF$OZP;)O?>bPBx!VJCqhQjE0ljSxAVeT=j z4svt2&AfJvSHY?Cm@o52FSW_r7xa|93_g0ZRJDZv@{<$wHV?bIg0^qJxp(D`BPXm% zg}E60nkW8UtX)r8T=n_wf0OGh zF5eYyDRCH1ly`l7)J>O(nJv_OaT8;wK@(%E0S_=y$_lfv8Za|5{x{$Q@%Vu(78YP; zW-|~2@l`>59s@2m4sA9@R#tXqW^i_s7>V-bJX^5hbf1=2d8IT0KWuZbh=r^z9298<*4%aIw(D$Y@~9#+lIO z!Pxf0iIIgxO-v=Dq@=(~Umr6!>L(}aCl}@D6{O}G_<_79$Kr0_y3pA`p-E0JIX|x? zHLpY$l%EqzN{dpF^Ra<^lPrD(sD&jkyD~Begl!C4x82%cQ^?*0Tn5KSht8cWOxJuen z!R5E| zL)HZy=d*7&oqljuoY#g^cwP?6ZvFUw;Uxtpk`fOWR!7{q_?<<@(Rbnx!D*Tf4*A8~ z6*VoY7qnh8m8@A?FPYQI)&dA->3+Oo|SU*76n*W)iY?3B&X5C8Uw zL$K4A;d{fK$;|(nlI<5AH)xW~wfU*po$++@&FGI$1b@%I^78$o=~~rMhxcjZUEKZi zuGykxdYpxow#Vj9s}7%K;o#5^9?tiyEuZ0DY2^MVn>TKIrT5TvWkIfPx@`M00ML5! AYXATM literal 0 HcmV?d00001 
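Review bot: In AppTrustDomain.h the renamed member `mAddonsIntermediates` now sits directly above `mIntermediates` with a near-identical name and, as shown here, the same container type, and nothing tells the two apart. A one-line comment on the new member would help, for example `// Hardcoded add-on signing intermediates for the selected root; non-owning views, filled by SetTrustedRoot.`. From the .cpp hunks the spans appear to point at the arrays from the generated `.inc` headers, so lifetime should not be a concern, but that is worth stating next to the declaration. The class body starts outside the hunk.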
diff --git a/security/manager/ssl/gen_cert_header.py b/security/manager/ssl/gen_cert_header.py
index d0ed40e7a2bf..8227a09dec61 100644
--- a/security/manager/ssl/gen_cert_header.py
+++ b/security/manager/ssl/gen_cert_header.py
@@ -32,6 +32,7 @@ def _create_header(array_name, cert_bytes):
 # def arrayName(header, cert_filename):
 # header.write(_create_header("arrayName", cert_filename))
 array_names = [
+ "addonsPublic2018Intermediate",
 "addonsPublicIntermediate",
 "addonsPublicRoot",
 "addonsStageRoot",
diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build
index 1065bd97a5dd..65253cd75cdd 100644
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -238,6 +238,11 @@ headers_arrays_certs = [
 "tests/unit/test_signed_apps/xpcshellTestRoot.der",
 ),
 ("addons-public.inc", "addonsPublicRoot", "addons-public.crt"),
+ (
+ "addons-public-2018-intermediate.inc",
+ "addonsPublic2018Intermediate",
+ "addons-public-2018-intermediate.crt",
+ ),
 (
 "addons-public-intermediate.inc",
 "addonsPublicIntermediate",
diff --git a/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/disable_ctrl_q_and_cmd_q-1.xpi b/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/disable_ctrl_q_and_cmd_q-1.xpi new file mode 100644 index 0000000000000000000000000000000000000000..da27ea6441f3d817bd2442ec24f517af8261778d GIT binary patch literal 4420 zcma)AcQhQ{x}8y?3`z7Z1i|PbI-^AIT}EfLi8dIF9uh=E89}tDqZ3Ar-b;u?2@*-P zAUY8}~=8e`fX6OqGSS^wmW?y@TC7JRF35{T#kpprl`%&gZ?GqZG#>lfS-n^%#*gnsFMT z*JgHlcNZt5b1hXnfDXGi@=CJ+=H1_;{Gy8Lx)$eVQ2ByPF1|gYJ>tA(0eOCbs@YqA zld*mgo_BijWr2mG{#Eppj>#{6xiNdFrefw1L*!V+4PZ1P0ickh9z#sNgaHB*AZgvd zVRyhvB^!jpA6i5Ch$tR)_cT!(D3JgT?V$F9szpC)_Vn}3MWx9dogb}`1SJ6o$(?n{ z{qVoI^O2h2irf&DNVyS~SYlBPWAzuud6TJwC2rynv-o$4Q*aKU-&p`web<(umIIf_WJmBTtJ3oSL zjY#?d4_)$K*Ew23imJcnMkC_-Oisi3_EQ(SE=%dy$P4|bc_}r+7r5GLQ`;at6H`p8 z6#Iw$$Bv}m^cf2?Xa*VfG<+$pzc|DZ4c|=Zx&(?+l4{3rD8=qEall9!e<`Kp3(9tU zgvxUo)|(~`arISu5ZANQ&@D*QZneprtPC*>ZW)fT9;s*VoCT&3Sm^=7)j*#9vH^r# zGfwa@3_2h<1MJxzpLj1YJ{>0!7uaL)qrd)sQ^MwR0}3&cuT;4~{l0Y^pF+O8gA{ig z^PbH;(e@Lgk)Z0(3RJz@|9Mr_+j5^TcDN-BEk-JEu(e!mJ0V_F!;qQD3}VB|+WPG8 z_H4}u){{_~#NALWIOFo17e1V)fZEN}vTTd_56$0A4(t+Z32cME!ik9=&1q9<|4I<) znlS3^^+)gaI_kLhZnm1wZ1(f+sFif=YOA_CPsy!=xZ>Vm9s(1WqLv*%^S{_ZDr8mq zPt0hdyPO$SYsQhb=Fg#**lF7=L*ljv!qzJV3>Px?Uz&s2o(h|`eznQ%&4gK1Tg1Dk zV$Gc!ATEfYw-M8(}4J9^>R32PSW_q}kJ)7%XRCUE4O zC}zx^R(RTFqieROfdfk@KJS~aq|e=OYGRefZ7+c)KgE)1i^%*Onpx<)X`XmiwshJk z)3v!daka*YSn5EY9y_$C8;cd!W8rk5?ttMsX9Ta&0Cj_t$n-^)xvqu=;h z(HDjt7MsxD7m+FNLefcTpWr6RgkrsWvNsPE^j7QyB~%EveD0~^wWDkoE-I|2_9^;w zsn>(n>i7LK(ku?t6Hw>bS2d&{nk{n zTSa#AET^U;mIlE*+Z?G^U`~Ix)yv@a%eTb~^3bh*m)E!>xkNMC3>iY$v7%DUyGsr~ zJ^|97ctHnQ*w45KffNvs01}rom2{t6y4Y)Mfi!nf?L@y@JCb0xr9BGWUU)_Yyrn!4 z(Q}!let0PsL}Iq|Q8oO#V6@vq`WtnyPs`xf5v|i})s5>lGADLiutUetAe2J7|)aj+K}B(Gtxp#sNIT&r*l;ml-IB{7CPMM zZfdA=SkU#1dK_CLsP4oY;ko<1fypP)3z3&|e24L44`k4jJ_$=5e?D0#MqT@&?Pvee zF^Mkusk1B-MwI`vK{($88oWv}e-KX7WfU5dGeuEv!wR$DGPV?cMxigVFl*H{;2#D> zdW+uXQh$fR4mNcj_*GsAZNEy%d_8fnxDIFND}CCokVW=G&bL^gbDfoTbULi+XnY}L 
zP_r~!MshG=rgO%VqFS8R;Ne>X(qQk2Be0<$Kn(kV1)~_U(uy*fs+@^m8@K(aL`yiw zeP`7wMK`%iuhMcrv@knQmNne<8&Jpwsq_29a>D|9K7^Yht|E7^>bk|3*r&gf&#U&s zhhL@CqRn6ICf}FMAS$L%0*>f3KuKRQtx}I0fR8a0P|M2MzeIjbPS8oZ8})b~QIw_| zP@4KE+TG2q;KLr~PB+2I<2sVZa+8Fit7H;p9ME&@&Ty`nSliXvk1k{g6DZEj#4UcvZMT|Rn0fCAY zmfM%r>VheeJSV8PzokRYqvtxCyDAQFaZk$^5b>NT9a;v0u3jCI=myjjzXuYNPLmSq z^Rz{d`#ZvVI@F7zqEc;mX3-9$6C5jI7t88n)aZz0j#(W&ZaPjgrBul;t*A5uzth+p z6tfX$4VtVo>9vK{>-bfH1)=iipO38HTfjgLUp#MHe8SltRgS{4Vk9NmY~|r)Be(eN z6#A?%#6(?|Fa3!Q$`i0ETAa&w-nbAruN>aVZbHrJ;GqWk74Xxfua zY=}hAoLT5+ZEtu-3dAUaUzMEFb}n;EVi6Gcj&qF4IPFGXrToGA#?cgyv*S}ce5PgE z^mtBq{@#AMIM!y3P2TT17_G}6q`5KaS#HugN<80&==p^4om7D%%j3x|o@X}hxZrr3 zO|Yq20OII6J#QQ`VN8FSNbqk4@7~nxLrIPW!u2g{dSqigj%e27^OmAwIB01D9c{-opxS z{6{FevE=gM-9hbrL`K-Uxwl1}TvGGuuKn1SQm4E_k8ry457R-rmUPDzb5xxM3 z2iQzUSE{`6=M#g);Scq(^$7z@9|-T?IB%9n?TW$XnOJu!be~UA(cl?w#b6(G4WlnBYgVbXp-7F+eD8pVecQKT@9>(-D zZ7Y`DSXazz^{df~LtK7u68R_QT5ylq30=uiSnF}VgwW(EFajz^CuU5`Oz-CMob$I z9h#*HvPe3rMx`%Xe{JY~unb_X)HFuGe6IV}S0=L?jm$R?i<`#`OeIY;yFPy$fOxoN zpQj1ek!1@sIcu;X`PKkdZj60_?2D05f&A29ED)#1M6}T)lFF0%Fg;*OFHOD8d77=t zBp$MZ@7k&38H98^NdJWy_Res{Q>wt7@89;B6%Tv6pCzK>^e_t|`9k*C*ptK3TueGG z9-ZV{ZK!l@`DkqPPMVW6ek^(;AVbPj4lmDBEdr~ke7|NOb5UY{kNqS#k;%^f%sSCm z^;y?U+Uk9l0_3}HKRv&b+1F?nKGO%9>xQoOYO{`_B_8$-`ATsoqry_F3Td6P$kti4 z7OW-5`z9TIgM^}D;S7PENbV_f`7s}n9*i@r6JMw)RrH*QWaoUFtxxiXVho#aYp+ZJ z-OAkLta?C>J3V=Z(>F8bGTHqyslHYQ!mLmT#18wdcX5&{5} z07ihPgO|IDv!A~(+|S#~%#;{FICo@ai3|b(fJ8@E>;A5}FvdMzy`mHyc!4TwX{Acf z&kmp6si(YXROZ<-C6w-`DlI3N#YNbuOidW?^aekLL$2cVrSkDhb)Gr#T8j;z2V^hN z)jwtOg&iv1hK}E%tf5V`dc)=J|M-39<3=p4Qg--rBXIlDd(Q-(U9uc94(_t&B#BTK zg75Ov@ZO3FhdrL2>;^~YPSCN09sn8E9Zc};o`U+}bq^wKw;SlkVCW;|WS!;RdCTP6 z7QGY8=ul1mZ=^_0e|e2@qfAh7&JYUMF($Kh7R)wx|IJ){aI(H+^#==Dv-=i<)e#EG zD(t|$VVV*WnInM<-*4woNaxEiht1js6U@gil9rP>xKqfxJ{B=%mFQ0z8WA%~&Mot1 zXs7ROpXZ?a)lB-_qjSw3iLycxNqQ*h>pXMx#aik&SF?!`k{F9^^V~Zp8#4Wtg6e zz4gy#{86#_)25`+SL!w6D*s)@{&!bAT@LleMs;D1`snF&P<0@SY^_-20wBFNXSUKCj|GEOa*IrnxX(cQS 
z_;=Fn&)Op4SAj?4-X@C4T(m#=6ACV)v23MOo`m-y-yH&KI zU&qeL!DC#$1gVobQQ*|`+ZBQeY@VKPq7+yu#nM<9txQ`ms1|7qH-jvRtJ|q5G=_mO z#bcuAh7=f;Xgf)KXreKYahv6`3?WC z=kixle{J(0$UhMY9K8Oor2g6Tzasqg%>S$Y4?@U|e?|C*`Qhhcs6%}1&my9$!FWZV K{>mo-0R9GI_6TSI literal 0 HcmV?d00001 
diff --git a/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/disable_ctrl_q_and_cmd_q-2resigned1.xpi b/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/disable_ctrl_q_and_cmd_q-2resigned1.xpi new file mode 100644 index 0000000000000000000000000000000000000000..d0aecc858c7b0be988bbed67a5519b56a9ac4b39 GIT binary patch literal 7664 zcmaKxWmFyAl7=C;26s7laCaxcor4BnkUc6%x^?t+egHy13-D;GodF8S0UTJP;F%_gF&sYXLto6Gq>! znxE;GocIY6FkNf?nqCWnT?FBWUT~jq3%N{W(%Wm{xV9lxhvr+?!bIo>_Wkm$)5bQR ze~_%wi)w6A?z1YmTj9=sU>H#iR66wRyP)ZxYr+T`bC-WnVQv_hlf0d5mdlvdH2sC? zG#xycx{Y0O7&YdUSBPyD1D{waa;K&t=o4saSE^=fF|_K+<)~`7LB!oqc;`)SP?v+N z`|2eB12A~@3lFf3lZ|$%M z7VIYNC#RsLo1!D98x-WCou8ghjzB>9SAI9gOShTt(bvAu|C}G{|H{w7+;lF+6 z4yLyrq2y>n`JMwfby6Q9Y!+zh%OfeihvstnK2g&U-vf_8dfO@ctGk^?hZn~+F8_j8 zE963?>Lg;Jt$9ek?9g5l#rtkfpt>+$Y-x1Bm=K->grK0#5m$mB=_iKgnh9~}o8$vc zTCM8u8YoG7pwS)pGU3sj+)GIBDISHVJ4;RQ(kh-I1k7(s9NmrI-Gp-?tDgqjp%j<` zA*&G~DD3F8KEUW9QFvT#8!d7sNuY*Rp}UlHnCKF&J7y3FOyO{Bp%0a>wfU?zCJA@a zr$Z2*U>jx!+t`PZK7S9b_O_E;UGRT6RWboJ)~%us**1YXgFrb;MG9V)YR;Z-p0&+g z_eO(6uUF`*CC$aV^yS4xk1htJUlYezq;qtFXG*X zm1p9siT1tD^@p3P{*bKNN2ice7Z5z@VUzs^6K5y36gn9E8T$C8HSysFCj~^P|ruTBm%EUdRmG^)kKlKu||}Im_MBRwpa5 z4dzqjY$S_5ve7|2`vG^k=zfjmwm8*{tW9OP?d+F0sytyf-N9i~UH=hOy91~Xam(e~ z*PBi1rCVa6-lZTm25*p4L#HZP^Y!Psz3SB2?2;o8z7Iq6s?+6d^Qxhwvbj;Dx1rap zW5RUjG;1FJK<$Ivu^jdeBx*Zz4TF#Oi=MX1&p7k@-SpF^uZHQ>x@Q~uL{0rwM{*UJ zPHPtnfF|?OL6m4PJ)thhP#6j!#L`f)mYM-FMZgEJWFZP}YKR^*v@l-?GX>d+$8V~T zwPrz#(_rvH!T^B`^C~nYBuRz(*A^4Wi_ye~v3dT)=byC-3-xdcTI4kevD*X+nV6C- zikzp^G=%%Xcu6Tb0Mv*j{E5vm%m@Uz*BDtwaIh(i&TZd0xY!9>=vaxm^bL}@(C+D_ z`^_rTF%#T+C_iNZD%j_*3^Ac=A9!|G{CLnvlg4+#xwKG4ZFG`e~x%!4&F6Ic9mC~WND!F zOa=YZDP7@i==F4znrzR*Bq?DjW4M`Q=@+J{WO|8bp_{>yh~?Toa`!x@J^K?5Ztm&n zh9&XPKnrp6qjk^IYXAEQ;^IHPKPMV1+X+o{;eN4jc}VH&Z_#<#r8WX zIDHzc(_}-mOU=amJ61P^J(^=D-T(K#k+pBm+|@>%1p@n!w)^2+)j1`?)` zpXyJ$RmAw)IQf0Ks!XTXH}3c@0|)J|PU0-ZG19&_9)(;nn4qF|n*jz-69&|e1Fi0V zYe8yN^v+HnMkP4mX`^8+(zBU)3!+dW3h^98RdEQnQpT#LokuxEEhJ{c4y-(7BFS^5 
z(zs%NzVo~n&IwFuYx@al>6|lnhR?rzY~!#AQ(0=&%u1kUA8}=NoB63KW7rAe5aL{i-eDF^@X8FTw~WNvbw*9p2FiT5wNfYRF1sWB?xs@6R;wiO&Da{+l>j|Zazzh&Quq z;WG#?ynOZpDsenqn&2+G9h}dC+Lrq72go&Fn~TzDIfyjj3MV!<>0jV6nKI|0qzCj& z2`--ra;=U$@dPE|YRnR+;CRhEmLEnWjy(38u7({toBRh##41r4(wMJfiAftWk zxoDoyjiV7v>fCJ{6{{eaVPN3FB4~51;=TiYby}s<>YG5ceLCI_$HQ?9Vzg0|?cZd} z7?nA8U4ZR#KUXfntd@H^MD#?TV|sfo7l)`4UNBz1sJ3OleP~j!mb{)^4$h%DM?9@S zrcXGx9B0{4<~>8_-BzxOW9ROrq#f_-!YHB2zh(nTU*CyTv?!`AV^H#0k2C8&N;}WV zJ(u5hjOBbPIg7nR-DX~1NkeKi*Qeh%O8HLYeLKseSt&dT6*{;{x?00Nx3sL^%6k+7 zr0u}EyT{iKznzF?S2kA?C~4w4;U;2peUl7qU=QnA10iGDe(G*h$B=#b{lY*d)$|eT zP2{%%p-{kP+WY;ht!1z_Nt}?5$rnQDx!}$5Z&!p&5=Hx16*0LtEfg>+yEp$SY6b~5 z$J>D5z+iu?NJ;XA_Tdo5eOg<4i$#ArK zwi24NO22!YnJ@c99&gK~&uyXyAko#Pq_pS{gX!PL&XQ}rwai&hAI@iKROqd2vlmxh z9U0bVjm^OJkAZnD?K@0YxySC&yCytU`0ZrAx_#1IVD3v>wF$@pG69}9wexe z`cPI2>(;DYuJ#@jdc;f;nmFk<9QV7%Rt@Vamfy6@Wgr#h5%eRPjX zL^A$qulo)V|BVyL47J?M@2kuA`JdZu^uLwd*4^C7N}s{O1b#whQkssMUTXetFadvS z$2R9QEF=F;88`of8?{Py6D(}whz!!~^YX}YO)}SG)e@}ZF^(>9cVkUZ=FBYYeRCKn zILX$THQFjzu_p#fIyi>~wx@VRdZ$U*sX1o})(Ww^=!uFJS_-@IXO^P_Q17Jq-$_K{ z799t^hZy@l|8o+5|8D*#iEj@2b180I$}gLPS<96P?8Djg8k73R_UOwj!^srWI0-*l z`f%9eQm2`y1Fem7x_ph?yhDx1|(8HI@$Oa9t#U3)ogf8@Wr;q&2Nba^ArgL~Kz!2mX~=t0WsA40+cIt1y2kRh@l zSrmu>5Vce=$Pju=)z&eru00_fXn;ps;+~LQutO*m#-S+xc7Q@J6E>9u8pb9DUvIDa zH!fx-6e>%(V#ow)E}A$Qe>UNpahjU%GrB6Qm7T}n@XMTt-R7}Qq>pi-Vbh0?m8wxPcSMaP@xL3SMKV)1dq zCT;{T^!nn^6G{+6=mTP`%}!*?UKrtKCZE%Hb^WDrOl+XT{7EzXfjChVA#tT#q>{IQ zIJ*zqFw>hm`D3qE@MzFb-Bh~|aqvpuNpCVgn)_04!mr@SOLxi=g>F!s2!_=NiFYfA z45Ub&GGS){Q2vOiYm;X!FT+a^}q%J!VFKh!!Jn-Vay;#RZ+8GIh&nu zrEK$X2<7-r8k)3E&GuhM-~5aSaMECTtykT+&7R`)3)Bp2D_-@NEevo#MGgV0X3=E@ z+~rjEBkn~vD^}NvIkd{Tp`Wky-DZt%He`HU`0B$JyxBW zDdMnmcf~Pv15uy*I|K@ z=ktucK8C^3)2cwWvp>BvMPha&=wX4`YL?iJ4pqZFUK6k~7bk|_D(>JlKr}Pk!t-hi>6ek&tgCo%M7!c&jCSS#U_o%KXQs+yk11$BHAE}W^br-;iFoF zcXQLP0d`O%8&IzGU|;NVN;6Z(D9x&o*u(KOs@H489eD%Dl;26^o>D&sC;jMp^+n&r zbaS;5AsGj`Xu~zV0%OI2lrbms#Kt9bc z4I(TLqyl!x;w8y%|9c;t37;q99?ot9&+XY!Pis23v+oBKdF?T)V#_?HCWkUnFviFb 
zbl95`$~WkWOy9h#e;{}$>NIYtf;{2g=taJOJnCLhsaMx(vg11tim4MsRqjTdY{N60 zVpNPVzuXmwIP)wS`LN4M^ra+mmZw@wOYs_OMYlS+O;F#NapDDIQfFS?<#eo3q>2G= z*zrQA@sat-*jQ19(gD7+ob~MylYAGGIOerjWwa~;t#R;fyMrEAG3b4k80!_TtH-vK z`uUsU{AeLnMLBiOyKL3n}$=yuFeTSVFcsJ-4FV-K-mWoteKNuuoTx7T?{|` zY^={(F9?IM#Fo~!Nz5Nm>Nlm~$Aq2y8DS}k(Q@N{z*|j;)9{s)g*xw4N!+CP932xRB9{f?l3b&d~%#rz>8Z zc3#IM-3-F))%C10{GJQrv#zB*@x?Do8yX+9CkWJzN29f3(xh)v=c}^TYkL|FPc!75 z-6k%6h@dQPQKzO|Yf5K-!QFRkRR}w5zg3kYOWw^dlX$J$U?-JwpwIt?DRBg^v#@Iu z58HnKy_D@_uK63@Z`HN>B%Y#L4J#1UtJIUUkwp`BqX0DX)X@PeC%p zlUGA8PGSM%wX7qUZMv(*851b z8NSW180@Q943;b<`r*DUE3HUhCU~d^1b@w{E{wk(0B^rx!x~JzLsEY?8YF^~sl{aUWU=KsmW3-_ zv~qetu%mB7@l|If!yd0fpQg3TUD7ta#`w*$W!vu+WAuh+gi56@YtZsQ>LgvE;%K9K zbqR!b$Uraw8nIetd%cObxoHbaC3A`F1wzWQP!ChdLs;=m2GQW^S@>RZW&iWWu#BU$ znVH$6LjSkuHkVljIUO>N^s=S7sk*8B89r~n1x<_;)2OrWi;*SU8A~^Ax-Q7`YNmno zJ^SPyM3OS$yr+V$LY$rf%IgWLjYe*II^5O9EiQ{LxlF$G00=#Q&kQCMF@P`^nAI~p z4j5GUD_pAV3#}nXh@=IA2*$-^U>>%&DGEPKp>7mbtM=PQ)K?a%{IWHg;rJAW{tE4~ z;iB2Ag4djoY;dq#j_@amN_Lbdr;olupTcMe3X}qn*xBEnew%OGr@Kn!iZPMEu65(e zdea4UeH1*U##f3Fi+c4_|V)U>Dp!C+e{i9zT^VKA)oI5)` z(E~*s%%!fw)nA@2W1@E9=gQTbttCap0zwA(2;niUrXr0cGFa^DT60ijX%3~-bJL9F}XNE<4(PU-G2Ow8WP44l}|jZnj&=F!y1zjVTXls;q3bRoy3)Lp|pds-l`* z_i^Hf`5A++&0W@IXo)Av0y12BB+AqFx<2a8N<70xxz!>&Ev9YV*Z%(A@*Zyz*XE1B zHs@(2+lMvo!X~KiHQGtRK3Jb+1eEfx&c`UDh;*X^C6(JWzWUU0NX{At*1L-&X?7z8 zhdh$eVNy0*kPzd?*L)g5806t$`P}c3kMT5E z@Ksxe_yKUg?0|HONo!3p`>Otl+2oo-r;Uv4luoZQ3mb-c%N+nwjRXM}tMiZ(kdwnP z*sVIA*_XQ%1GM{nFpi%1tSBt<++At4LX`U)L-PSmG*reZk=z3{gr>^VJf3koao?15 zbl-c$2%Ov>dWYrFyfKMPRIbUhZ&jwb*1C#=NQKL$W%Y|6?Cq3z6z4YoXY4 zeA~3+;SBw#)^ahkH%V$U=K30viEB{n(^l|UE52jU@6Ti@y{N=d5gM!$E|Gll0-r~j z``NqJ@rX_gU*rHw*^)*BWXWIb;T4Hp@E=Cr8?r?lE3`@NEP z^T+T2hOK?%sRw#u3$6fm__HCX0Oz03*}~7 zrZeaHUq{XKIV4DOAtyj_R#{--hTy;vh$fig+qIDZb4dFu+B=@`GbB(Hm^ zQr-E8*tR$LfAO4C5Mx#JAFAQI%%dO;{s9B*Phs(|`qv+~{N4V29Po$C_|L6>m6rYx z$o@2kcl!Om<+6YJ`0EkHA0pJB27DLf{_f*llKSWNzvA{EJo=}}zn^*hd;7oBur~Rp zhrhD!A6WjU^}d(mPY?fw^nW_|YjOV`LJ0Ez;ou#R6{Mk{|9A}a`v`cilp4VwtN#L| CBNa9P 
literal 0 HcmV?d00001 diff --git a/toolkit/mozapps/extensions/test/xpcshell/test_signed_verify.js b/toolkit/mozapps/extensions/test/xpcshell/test_signed_verify.js index e801485c73f4..a7a9313d0974 100644 --- a/toolkit/mozapps/extensions/test/xpcshell/test_signed_verify.js +++ b/toolkit/mozapps/extensions/test/xpcshell/test_signed_verify.js @@ -23,7 +23,7 @@ function verifySignatures() { }); } -createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "4", "4"); +createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "4", "48"); add_setup(async () => { await promiseStartupManager(); 
@@ -537,3 +537,49 @@ add_task(useAMOStageCert(), async function test_disable() { await addon.uninstall(); AddonManager.removeAddonListener(listener); }); + +// Regression test for https://bugzilla.mozilla.org/show_bug.cgi?id=1954818 +// +// Do NOT remove this test or the XPI files. If this test becomes obsolete due +// to dropped support for these XPI files (e.g. if support for add-ons with +// SHA-1 signatures were to be dropped entirely), don't forget to delete +// addons-public-2018-intermediate.pem (undo the patch to bug 1954818). +add_task(async function test_xpi_signed_in_or_before_feb_2018() { + // Disable schema warnings for two reasons: + // - The "commands" property in the manifest is not supported on Android. + // - The resigned version "2resigned1" results in the following warning: + // "version must be a version string consisting of at most 4 integers of at + // most 9 digits without leading zeros, and separated with dots" + ExtensionTestUtils.failOnSchemaWarnings(false); + + async function checkAddonIsValid(xpiPath) { + let { addon } = await promiseInstallFile(do_get_file(xpiPath)); + Assert.notEqual(addon, null); + Assert.equal(addon.signedState, AddonManager.SIGNEDSTATE_SIGNED); + Assert.ok(addon.isActive); + Assert.equal(addon.appDisabled, false); + await addon.uninstall(); + } + + // The test extension is chosen such that it was signed before 2018, because + // that was signed with CN=production-signing-ca.addons.mozilla.org + // instead of CN=signingca1.addons.mozilla.org (used after 8 feb 2018). + // + // "disable-ctrl-q-and-cmd-q@robwu.nl" is a simple extension consisting of + // one manifest.json. It was signed in 2016, and later resigned in 2024 + // because of enforcing stronger signatures (starting with bug 1885004). + + info("Checking add-on signed before 2018, 2016-12-22"); + // Pre-2018 signed extensions only used SHA-1, so we need to relax the weak + // signature policy so we can verify that the signature validation passes. 
+ // Otherwise installation may fail due to the restrictions from bug 1885004. + const resetWeakSignaturePref = + AddonTestUtils.setWeakSignatureInstallAllowed(true); + await checkAddonIsValid(`${DATA}/disable_ctrl_q_and_cmd_q-1.xpi`); + resetWeakSignaturePref(); + + info("Checking add-on signed after 2018, 2024-04-25"); + await checkAddonIsValid(`${DATA}/disable_ctrl_q_and_cmd_q-2resigned1.xpi`); + + ExtensionTestUtils.failOnSchemaWarnings(true); +});
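Review bot: In test_xpi_signed_in_or_before_feb_2018, `resetWeakSignaturePref()` and `ExtensionTestUtils.failOnSchemaWarnings(true)` only run when every check passes, so a failed install or assertion would leave weak (SHA-1) signatures allowed and schema warnings suppressed for anything that runs afterwards in the same process. Scoping the relaxed policy with `try { await checkAddonIsValid(…); } finally { resetWeakSignaturePref(); }`, and doing the same for the schema-warning toggle, keeps the test from leaking that state. The header comment also tells maintainers to delete `addons-public-2018-intermediate.pem`, while the diffstat for this port adds `addons-public-2018-intermediate.crt`; the comment should name the file that exists on this branch.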