How to use the SHA512SUMS.ASC
When I go to download a Firefox version from the site "https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/24.8.0esr/" for example, there is a SHA512SUMS.ASC file which I understand can be used to authenticate the validity of a file. What file is the SHA512SUMS.ASC used against for verification?
All Replies (13)
You would use a program that can compute the "hash" of the downloaded file and compare the resulting value with the .asc file. If they match, the file was not corrupted during the downloading process and presumably is authentic. (Presumably because if someone could replace the download they probably could replace the .asc file, too...)
As for how to do it, it's a bit over my head. Here are some Google results to help in your quest: https://www.google.com/search?q=mac-os-x+sha512sum
After looking at the files on the server, it seems that the comparison value for any given download is in the large file without the .asc extension. I don't know what the .asc file is for.
The .asc is ASCII?
The .asc files contain a PGP signature, so I assume that you use PGP software with them to verify the file without the .asc.
The .ASC should be used to validate a file. However, I cannot determine what file, as it is located in the main directory. Someone must know how it is used?
mace2 asked -
"How can I use Pretty good privacy to verify the installation of Firefox?" over here - https://support.mozilla.org/en-US/questions/1021002
I locked that thread to keep this discussion in one thread.
I could not find any information on verifying Firefox using PGP. This should involve the SHA512SUMS.ASC file, which is validated with Firefox's public key. Since Mozilla provides the .asc file there should be a method?
I assume that you can validate the SHA512SUMS with the SHA512SUMS.asc signature file, so you know that the checksums are correct.
This works for me on Linux:
gpg --import <KEY
gpg: key 3A06537A: public key "Mozilla Software Releases <releases@mozilla.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg -v --verify SHA512SUMS.asc
gpg: armor header: Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Tue 26 Aug 2014 08:29:37 AM CEST using RSA key ID 15A0A4BC
gpg: using subkey 15A0A4BC instead of primary key 3A06537A
gpg: using PGP trust model
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B90 598A 745E 992F 315E 22C5 8AB1 3296 3A06 537A
     Subkey fingerprint: 5445 390E F5D0 C2EC FB8A 6201 057C C3EB 15A0 A4BC
gpg: binary signature, digest algorithm SHA1
And after validating the SHA512SUMS file signature one can verify the actual download.
The SHA512 hash for the en-US 32-bit Linux build from the file is:
923c296dc0152c571d712bc4fbdcbdb7e16a9a74ae62635a065592ce4a37eb0615ec1dedc99c6042a8de481ad3c6007357caf5d1aa889274bee91c4e20b9ccf8  linux-i686/en-US/firefox-32.0.2.tar.bz2

Verifying the hash of the downloaded file:
> sha512sum firefox-32.0.2.tar.bz2
923c296dc0152c571d712bc4fbdcbdb7e16a9a74ae62635a065592ce4a37eb0615ec1dedc99c6042a8de481ad3c6007357caf5d1aa889274bee91c4e20b9ccf8  firefox-32.0.2.tar.bz2
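The two-step check above (signature on SHA512SUMS, then the per-file digest) as an added example script, not code from the thread or from Mozilla. Because the SHA512SUMS entry carries a directory prefix (linux-i686/en-US/...) while the downloaded file is usually just the basename, a plain `sha512sum -c SHA512SUMS` reports the file as missing; this function matches the entry on the basename instead. The file names and contents in the demo are constructed, and the gpg step is left as a comment since it needs Mozilla's key.

```shell
#!/bin/sh
# Step 1 (from the thread, needs Mozilla's public key imported first):
#   gpg --verify SHA512SUMS.asc SHA512SUMS
# Only proceed to step 2 when gpg reports "Good signature".

# sha512_of FILE -> prints the lowercase hex digest (coreutils, or macOS shasum)
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_against_sums SUMSFILE FILE
# Step 2: compare FILE's digest with the SUMSFILE entry whose path ends in
# FILE's basename. Returns 0 on match, 1 on mismatch, 2 when no entry exists.
verify_against_sums() {
    sums=$1; file=$2
    name=$(basename "$file")
    # SHA512SUMS lines look like: "<hex>  <relative/path/to/file>"
    expected=$(awk -v n="$name" \
        '{ c = split($2, p, "/"); if (p[c] == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo: a fake download and a SHA512SUMS file listing it under a
# build-specific path, exactly the layout the thread shows.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/firefox-demo.tar.bz2"
printf '%s  %s\n' "$(sha512_of "$demo/firefox-demo.tar.bz2")" \
    "linux-i686/en-US/firefox-demo.tar.bz2" > "$demo/SHA512SUMS"
verify_against_sums "$demo/SHA512SUMS" "$demo/firefox-demo.tar.bz2"
```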
So there is no direct validation for the actual Firefox executable?
I have a problem with verification. I am using the Mozilla public key, but when I download and verify the SHA512SUMS.ASC it fails. Using a Mac.
Macintosh:Firefox Mac$ gpg -v --verify SHA512SUMS.asc
gpg: armor header: Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Mon 25 Aug 20:43:13 2014 EDT using RSA key ID 15A0A4BC
gpg: using subkey 15A0A4BC instead of primary key 3A06537A
gpg: using PGP trust model
gpg: BAD signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: binary signature, digest algorithm SHA1
After downloading both files again I got validation for the file.
Macintosh:Firefox Mac$ gpg -v --verify SHA512SUMS.asc
gpg: armor header: Version: GnuPG v2.0.14 (GNU/Linux)
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Mon 25 Aug 20:43:15 2014 EDT using RSA key ID 15A0A4BC
gpg: using subkey 15A0A4BC instead of primary key 3A06537A
gpg: using PGP trust model
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B90 598A 745E 992F 315E 22C5 8AB1 3296 3A06 537A
     Subkey fingerprint: 5445 390E F5D0 C2EC FB8A 6201 057C C3EB 15A0 A4BC
gpg: binary signature, digest algorithm SHA1