No public key for Firefox funnelcake.
When I download the latest version of Firefox from "https://www.mozilla.org/en-US/firefox/all/#en-US" It downloads Funnelcake.Sha 512 9afd084156f5fda909cc51b2ebf539e75f788fa4c80b78445797ceb845041c0838e287493a0f849d1f357ecf7493efc1adabc786eb53b80fbeff6e433cbb2506
When I go to "https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/" to verify via PGP I only see the the "Firefox 40.3.dmg.asc" but no public key like other releases. If I try to validate the "Firefox 40.3.dmg.asc" using the "Mozilla software release public key" it does not authenticate. But If I go to Firefox 40. it autheticates usung PGP and it has the public key in the folder "https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/40.0/" Anyone know why?
Modified by James
Additional System Details
- The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.
- User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
Did some research, and got very hungry looking thru all those cakes.
You are not alone.
Funnelcake builds are an experiment for (new) Firefox users that offer a different Firefox version for testing the user experience.
I don't think that there are checksums available for such special builds, they are only available for the official releases.
There are more such builds planned:
- Bug 1202786 - Create funnelcake builds for OSX EN with a 2nd Tab at FirstRun.
- Bug 1205743 - Create funnelcake builds for Firefox 41.0 to understand SEM acquired users
- Bug 1184279 - Create funnelcake builds to test Firefox homepage variations
Please do not comment in bug reports
Then why is there a Firefox 40.3.dmg.asc file which is a signature file used with PGP?
OK, I missed the .asc file.
I see this on Linux in a terminal window with the KEY file present in the Firefox 40.0.3 release folder.
gpg --import <KEY gpg: key D98F0353: public key "Mozilla Software Releases <email@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg -v --verify "Firefox 40.0.3.dmg.asc" Version: GnuPG v2.0.14 (GNU/Linux) gpg: armor header: gpg: assuming signed data in `Firefox 40.0.3.dmg' gpg: Signature made Tue 15 Sep 2015 12:47:04 AM CEST using RSA key ID 5E9905DB gpg: using subkey 5E9905DB instead of primary key D98F0353 gpg: using PGP trust model gpg: Good signature from "Mozilla Software Releases <firstname.lastname@example.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353 Subkey fingerprint: F2EF 4E6E 6AE7 5B95 F11F 1EB5 1C69 C4E5 5E99 05DB gpg: binary signature, digest algorithm SHA1
This doesn't tell me how to verify Funnel cake via PGP?