(In reply to bhearsum@mozilla.com (:bhearsum) from comment #10) > After a bit more examination, it appears that we did not actually break stub installs here due to the fact that [the verification is run against one of the signed plugins](https://searchfox.org/mozilla-central/rev/b41bb321fe4bd7d03926083698ac498ebec0accf/browser/installer/windows/nsis/stub.nsi#836-838), not against the full installer itself. > > This means that unless we resign _that_ plugin and land it at the same time, that we can't update the issuer pin in the stub. This, as it turns out, is also wrong. `download.exe` is [the full installer that we download](https://searchfox.org/mozilla-central/rev/634e3a3b7408bc834445f89bc15a5d0995322b88/browser/installer/windows/nsis/stub.nsi#713). When I tested last night I didn't see any issues with stub installs though, which is a bit confusing - I would've checked those to fail with a certificate check error.
Bug 1889299 Comment 12 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to bhearsum@mozilla.com (:bhearsum) from comment #10) > After a bit more examination, it appears that we did not actually break stub installs here due to the fact that [the verification is run against one of the signed plugins](https://searchfox.org/mozilla-central/rev/b41bb321fe4bd7d03926083698ac498ebec0accf/browser/installer/windows/nsis/stub.nsi#836-838), not against the full installer itself. > > This means that unless we resign _that_ plugin and land it at the same time, that we can't update the issuer pin in the stub. This, as it turns out, is also wrong. `download.exe` is [the full installer that we download](https://searchfox.org/mozilla-central/rev/634e3a3b7408bc834445f89bc15a5d0995322b88/browser/installer/windows/nsis/stub.nsi#713). When I tested last night I didn't see any issues with stub installs though, which is a bit confusing - I would've expected those to fail with a certificate check error.