How to use the SHA512SUMS.ASC

  • 13 replies
  • 1 has this problem
  • 44 views
  • Last reply by Mace2

When I go to download a Firefox version from the site "https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/24.8.0esr/", for example, there is a SHA512SUMS.ASC file which I understand can be used to authenticate the validity of a file. What file is the SHA512SUMS.ASC used against for verification?

All Replies (13)

You would use a program that can compute the "hash" of the downloaded file and compare the resulting value with the .asc file. If they match, the file was not corrupted during the downloading process and presumably is authentic. (Presumably because if someone could replace the download they probably could replace the .asc file, too...)

As for how to do it, it's a bit over my head. Here are some Google results to help in your quest: https://www.google.com/search?q=mac-os-x+sha512sum

After looking at the files on the server, it seems that the comparison value for any given download is in the large file without the .asc extension. I don't know what the .asc file is for.

The .asc is ASCII?

The .asc files contain a PGP signature, so I assume that you use them with PGP software to verify the file without the .asc

The .ASC should be used to validate a file. However, I cannot determine what file, as it is located in the main directory. Someone must know how it is used?

mace2 asked -

"How can I use Pretty good privacy to verify the installation of Firefox?" over here - https://support.mozilla.org/en-US/questions/1021002

I locked that thread to keep this discussion in one thread

I could not find any information on verifying Firefox using PGP. This should involve the SHA512SUMS.ASC file, which is validated with Firefox's public key. Since Mozilla provides the .asc file, there should be a method?

I assume that you can validate the SHA512SUMS with the SHA512SUMS.asc signature file, so you know that the checksums are correct.

This works for me on Linux:

gpg --import <KEY
gpg: key 3A06537A: public key "Mozilla Software Releases <releases@mozilla.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg -v --verify SHA512SUMS.asc
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
gpg: armor header: 
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Tue 26 Aug 2014 08:29:37 AM CEST using RSA key ID 15A0A4BC
gpg: using subkey 15A0A4BC instead of primary key 3A06537A
gpg: using PGP trust model
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B90 598A 745E 992F 315E  22C5 8AB1 3296 3A06 537A
     Subkey fingerprint: 5445 390E F5D0 C2EC FB8A  6201 057C C3EB 15A0 A4BC
gpg: binary signature, digest algorithm SHA1

Modified by cor-el

And after validating the SHA512SUMS file signature one can verify the actual download.

The SHA512 hash for the en-US 32-bit Linux build from the file is:

923c296dc0152c571d712bc4fbdcbdb7e16a9a74ae62635a065592ce4a37eb0615ec1dedc99c6042a8de481ad3c6007357caf5d1aa889274bee91c4e20b9ccf8 linux-i686/en-US/firefox-32.0.2.tar.bz2

Verifying the hash of the downloaded file:

> sha512sum firefox-32.0.2.tar.bz2
923c296dc0152c571d712bc4fbdcbdb7e16a9a74ae62635a065592ce4a37eb0615ec1dedc99c6042a8de481ad3c6007357caf5d1aa889274bee91c4e20b9ccf8 firefox-32.0.2.tar.bz2
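
The two steps from the replies above, combined into one script as an added example (not part of the original posts and not Mozilla's own tooling): it pins the signer to the primary key fingerprint shown in the gpg output in this thread instead of relying on "Good signature" alone, then matches the download against its exact path in the manifest. The function names are hypothetical, and GnuPG and GNU `sha512sum` are assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: verify a Firefox download against the signed SHA512SUMS manifest.

# Primary key fingerprint as printed in the gpg output quoted in this thread.
# Confirm it through a channel other than the download server before trusting it.
EXPECTED_FPR="2B90598A745E992F315E22C58AB132963A06537A"

# Step 1: check the detached signature and pin the signer's primary key.
# "Good signature" alone only proves that some imported key signed the file.
# usage: verify_manifest_sig SHA512SUMS.asc SHA512SUMS
verify_manifest_sig() {
    local status
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    # The last field of a VALIDSIG status line is the primary key fingerprint,
    # including when a subkey made the signature (as in the output above).
    printf '%s\n' "$status" |
        awk -v want="$EXPECTED_FPR" \
            '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
}

# Step 2: compare the local file with the manifest entry for its full relative
# path. The manifest lists "linux-i686/en-US/firefox-32.0.2.tar.bz2", while the
# download is saved under its basename, so the entry is looked up explicitly.
# usage: verify_download SHA512SUMS <path-in-manifest> <local-file>
verify_download() {
    local manifest="$1" relpath="$2" file="$3" want got
    # Exact match on the path field: the same file name exists for every locale.
    want=$(awk -v p="$relpath" \
        '{ h = $1; sub(/^[^ ]+ +[*]?/, ""); if ($0 == p) { print h; exit } }' \
        "$manifest")
    [ -n "$want" ] || { echo "no manifest entry for $relpath" >&2; return 2; }
    got=$(sha512sum "$file" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "hash mismatch for $file" >&2; return 1; }
}

# Typical order (run in the download directory), stopping at the first failure:
#   verify_manifest_sig SHA512SUMS.asc SHA512SUMS &&
#   verify_download SHA512SUMS linux-i686/en-US/firefox-32.0.2.tar.bz2 firefox-32.0.2.tar.bz2
```

On macOS, where `sha512sum` is usually absent, `shasum -a 512` prints the same hash-then-filename format.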

So there is no direct validation for the actual Firefox executable?

I have a problem with verification. I am using Mozilla Public Key, but when I download and verify the SHA512SUMS.ASC it fails. Using a Mac.

Macintosh:Firefox Mac$ gpg -v --verify SHA512SUMS.asc
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
gpg: armor header:
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Mon 25 Aug 20:43:13 2014 EDT using RSA key ID 15A0A4BC
gpg: using subkey 15A0A4BC instead of primary key 3A06537A
gpg: using PGP trust model
gpg: BAD signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: binary signature, digest algorithm SHA1

After downloading both files again I got validation for the file.

Macintosh:Firefox Mac$ gpg -v --verify SHA512SUMS.asc
Version: GnuPG v2.0.14 (GNU/Linux)
gpg: armor header:
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Mon 25 Aug 20:43:15 2014 EDT using RSA key ID 15A0A4BC
gpg: using subkey 15A0A4BC instead of primary key 3A06537A
gpg: using PGP trust model
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B90 598A 745E 992F 315E  22C5 8AB1 3296 3A06 537A
     Subkey fingerprint: 5445 390E F5D0 C2EC FB8A  6201 057C C3EB 15A0 A4BC
gpg: binary signature, digest algorithm SHA1