You've asked about this before.

• [/questions/1020249] How to use the SHA512SUMS.ASC

Do you have a problem with finding the .asc file?

Is this about the Firefox 31.4.0 ESR version or about another Firefox version?

• http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/31.4.0esr/

• http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/latest-esr/
• http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/latest-prior-esr/

I am using Firefox 31.4 ESR and I do not get successful verification using shasum1.asc or shasum256.asc from http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/31.4.0esr/.

Is this a problem with verifying the SHA512SUMS file with the check sums or with verifying the Firefox tar.bz2 archive?

Works fine for me.

What do you get?

sha512sum -b firefox-31.4.0esr.tar.bz2 0604424eb99fa2b8cc3bb78b29284936925b4077afa1eebe7fa7453a9ead1e91d541578e954cd11da42fe4902d38693c33713de83458b6792801e4d3df1a13ba *firefox-31.4.0esr.tar.bz2

sha1sum -b firefox-31.4.0esr.tar.bz2 1a1c6406dc6cc89c540105d34683672030ad2757 *firefox-31.4.0esr.tar.bz2

The Firefox tar.bz2 archive? are for linux are they not? I am using the shasum1.asc or shasum256.asc as the signature. Can you also provide the publi key signer for Firefox? I beileve it to be releases@mozilla.org

Yes, I'm on Linux. I haven't checked the MAC Firefox DMG file(s), but I assume that those are OK as well.

The KEY file is available from the same directory where the .asc files are stored.

Don't you still have that KEY file from your previous question thread?

Confirm what is the signing name of the public key?

Confirm which of the sign files shasum1.asc or shasum256.asc should be used ? Shasum1 key value is

Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAABAgAGBQJUq8UhAAoJEAV8w+sVoKS8aTIP/Al30xRFgL7NKbnANzavK/Cm YviQUkJHdux2PeBSyWgwGjb3skiQRPpKEOzZ0+Jv2zmI/9BpupCYPIkLFq0D9d+6 kEnC+nFezVS7IUDh46MLL6cSv8OraRDqKRJXapZotpEd62zch+nZJsb5vOsW12Wd 9YcE7f/0h75KcuzxZ2VK0a78JObm5xcMIIa/R+iDsV1LAEYTDj10o2LrKhJkYD3d BIc8EPHaqXeHRhwTt1K7YO0TuXKJEYuhG32jVKWwU6QSAmIuAGSnM60U46fVIde6 /z41rWZmL5kIRwzZWORHdG9HJvP0CIU/TA9kDKyo7bS+PrHMeLQ8omxAEjLBbM6P aUfRd3Qp5rmIp45/dXCmEb5uYZ3HJwmt4EZ7mtxi9rTiCE5wqlRwQySz62YAI8wU iZQ/sAw2NkFLZLjP+FsvLwGFAu1AekX8TX8OMredzSW/VzmxJUgXG6OjmpHoPtTk /awliL6Tr+SfLaA9zlnWuFk1YSCVj4vIK5Pd3X+NmeVa/hXjw9tiq+LA/p9+L996 FXj5f+CMCOmivQHmKxloA1Cozb5q6wUf9mZtU2SeSckoH4jfWRRtICUW9r6D9k6a eBYk5JhBU73MYyFt7b9+mL5A2gWZ8KGJGuHIw51d0cR+MHfmv+CLK45c2xOLe0Pd qaj/+4LO8rZq0z3HIlbU =dXvG

Shasum512.asc value is

Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAABAgAGBQJUq8UkAAoJEAV8w+sVoKS8ZmEP/RDrO15NufQabW0dtdDmjL1l zMDNZMVhdTNQx5TuQxAzDaAoT3NH9PfobgEgtU2kt/l9fFT8XIHHCBdg6Jci5PvR tLG9EyPqcjNxehvyykMlxoO0ajOu3Asm0tZbBCxJ8d5kpzN5eZjHOIKuH4mv9VEs cSjy022ZwhWqiH81tAdItJlo0kfxJpJXbkVfmtNQQkNL7yYcrJI/FsGlIq39xyd8 1LvkvwswSeOYkL8fgMcXvxO4RxZlR8nbd+GIbAzHp3ztl5XYRuMeekLA6igyq3JX rdHQXGt1xe4n0lGWNzPwY8YKG7D/ku9RTfH2b78IQLmm5+G4BZoaEAFXjtsBacoe kZOem1M1PtVq4A0e7mQNnEGGXz4zLFm8t+g1TXV8FM+dN3K6OXGAXXgA+Yt9LY// DR4ESNHS1/sC3pdAtynfg3MtV5yXmDOZKwx2ew1EYEsc7OD9QmYQW+sIkOi8nFgH TxU1udep/ZjerMABu1lZoy8WAX29DmheYkTn95oCTHLBh//03FWc76/ENT2cqZVV GYS1SRgLtnENXmi2CazVB80o6zOFGLfnL272fHhhr/zMqtWxtPd0WekIVxhA0dhg GBvPu6YyjyUXQQqxc/gz86IJus/tHkfd5RhCMbFlU3RNBZLo8SXmJXYlk8xcZtH2 b3m3ifyXU6sSIkkxorp1 =WMMi

I am not able to verifiy firefox31.4 ESR for the Mac

You first need to install the PGP certificate in the KEY file as that is used to verify the other .asc signature files.

You can find directions in your previous thread.

As I said the PGP key is what I want a confrimation. Can you give me the PGP key signer?

Here is the failure verification message I receive using the above information.

localhost:Firefox Mac$ gpg --verify Sha512SUMs.asc Firefox* gpg: Signature made Tue 6 Jan 06:21:08 2015 EST using RSA key ID 15A0A4BC gpg: BAD signature from "Mozilla Software Releases <releases@mozilla.org>" [unknown]

Do you have both files SHA512SUMS.asc and SHA512SUMS in the same folder?

I see this:

gpg -v --verify SHA512SUMS.asc
Version: GnuPG v2.0.14 (GNU/Linux)
gpg: armor header: 
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Tue 06 Jan 2015 12:21:08 PM CET using RSA key ID 15A0A4BC
gpg: using subkey 15A0A4BC instead of primary key 3A06537A
gpg: using PGP trust model
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B90 598A 745E 992F 315E  22C5 8AB1 3296 3A06 537A
     Subkey fingerprint: 5445 390E F5D0 C2EC FB8A  6201 057C C3EB 15A0 A4BC
gpg: binary signature, digest algorithm SHA1

sha512sum -b "Firefox 31.4.0esr.dmg"
f541452eef28f759bf803cc26a2b1baa84ac66631ab91c9130c74ebbc6c46f3b413e9351a0967beb14b54f8227fb4cc33759d8140f94554acec9cc4de0efc2d0 *Firefox 31.4.0esr.dmg

Your "gpg -v --verify SHA512SUMS.asc" command has not validated Firefox.

I am using Gpgtools with the public key releases@mozilla.org and I am also not getting validated.

What is the PGP key signer?

In Corels demonstration you only compare the signature "gpg -v --verify SHA512SUMS.asc" where is the other component ?

Has anyone successfully performed PGP verification of Firefox