
Please, take a look at how the exploit is crafted. It is not a bug in a piece of code.


Is there any news concerning the payload analysis? Just curious to see if it can be correlated with something I have in my sshd logs (e.g. login attempt with specific RSA keys).


Firefox 66.0.3 here, and this has been the case also for me, i.e. everything is still working. After looking around for a while in bewilderment, I think that what's going on is that they have remotely used the "studies" feature of Firefox to temporarily work around the problem.

Indeed, I see in about:studies,

hotfix-reset-xpi-verification-timestamp-1548973 • Complete. This study sets app.update.lastUpdateTime.xpi-signature-verification to 1556945257

(unfortunately I can not see when it was run in about:studies)

i.e. this "study" has reset the timestamp of the last signature verification to this morning (when I started Firefox). Since I read around that Firefox performs the check only every 24 hours, I guess that this is the reason why we have not been experiencing the problem. We now have another day, after which we will have to reset the timestamp again (if it has not been solved upstream). The field is also available/accessible in about:config.

P.S. To be fairly honest, I was a bit surprised about the "studies" feature, I can not recall when it was introduced, but it is probably my fault for having overlooked it.
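As an added illustration (this is not code from the comment above or from Mozilla), the following Python reads the pref named in the comment out of a Firefox prefs.js and works out when the next signature check would fall. The 24-hour interval is the commenter's own claim and is taken here as an assumption; the prefs.js content is constructed for the example, with the timestamp value 1556945257 being the one quoted from about:studies.

```python
import re
from datetime import datetime, timezone

# Pref named in the comment; Firefox stores it as a Unix timestamp in seconds.
PREF_NAME = "app.update.lastUpdateTime.xpi-signature-verification"

# ASSUMPTION: the comment says the check runs every 24 hours.
CHECK_INTERVAL_SECONDS = 24 * 60 * 60

# Constructed sample of a Firefox prefs.js (not a real profile); only the
# xpi-signature-verification value comes from the comment.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1556900000);
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1556945257);
user_pref("extensions.lastAppVersion", "66.0.3");
'''

# One user_pref("name", value); line per match.
_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.MULTILINE)


def parse_prefs(text):
    """Return a dict mapping pref name -> raw value string for every user_pref line."""
    return {m.group(1): m.group(2) for m in _PREF_RE.finditer(text)}


def last_verification_epoch(text):
    """Unix time of the last add-on signature check, or None if the pref is absent."""
    raw = parse_prefs(text).get(PREF_NAME)
    if raw is None:
        return None
    return int(raw)


def next_verification_epoch(text):
    """Unix time at which the next check would fall, under the 24 h assumption."""
    last = last_verification_epoch(text)
    if last is None:
        return None
    return last + CHECK_INTERVAL_SECONDS


def verification_due(text, now_epoch):
    """True when, at now_epoch, at least 24 h have passed since the last recorded check
    (or when no check was ever recorded, in which case Firefox would verify)."""
    last = last_verification_epoch(text)
    if last is None:
        return True
    return now_epoch - last >= CHECK_INTERVAL_SECONDS


def describe(text):
    """Human-readable summary of the last and next check times in UTC."""
    last = last_verification_epoch(text)
    if last is None:
        return f"{PREF_NAME} not set"
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"last check {fmt(last)}, next check {fmt(next_verification_epoch(text))}"


if __name__ == "__main__":
    print(describe(SAMPLE_PREFS_JS))
```

Running it against the constructed sample reports the last check at 2019-05-04 04:47:37 UTC and the next one 24 hours later; a missing pref is reported as "not set" rather than treated as a recent check.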


Perhaps that's what Mozilla Add-ons was referring to when they tweeted:

https://twitter.com/mozamo/status/1124569680662777856

> We deployed a fix to users who hadn't had their add-ons disabled to make sure they saved that way. You're in that group. :)


Of course, that fix only got to people who didn't disable the "studies" feature after Mozilla abused it to deploy a Mr Robot ad to all their users. Also, enabling it seems to require also agreeing to send telemetry information to Mozilla, so all the privacy-conscious people who use extensions to protect their privacy will likely have it disabled as well.

