Most linux distribution place Thunderbird in their repository. That is really about as simple as you can get on Linux.

As for download from Thunderbird.net go, just how much simpler can it be than pick your language and operating system? https://www.thunderbird.net/en-US/thunderbird/all/ With the main page auto detecting based on IP geo location and browser id string.

As for MD5 checksums, are they really needed on encrypted connections (which the downloads are)given the known vulnerabilities of MD5 for anything but detecting corruption in transmission? I have not used them since the days of MVS

For TB 91.4: https://archive.mozilla.org/pub/thunderbird/releases/91.4.0/

Thanks all, I am sure there is a technical argument for using or not using these hashes, my understanding is they are there to verify the file you downloaded is the one intended, can't say I am a big fan of redirections to mirror sites or such, the programmes downloaded so far all had SHA1, SHA256 and MD5 all on the same download page.

Once I switch over to Linux (fully) this problem should disappear with the use of audited software hubs which is one of the main feature for me, trying to remember how to use CertUtil exact syntax can be a bit hit and miss.

Cheers

Talking of hit and miss, tried many configurations using CertUtil -hashfile command on Win 10 without success, variations of this (adding SHA1, 256 and so on) worked with several other files but Thunderbird not playing ball.

Cheers

CertUtil -hashfile Thunderbird Setup 91.4.0.exe

This is an example for TB 91.4.0 for Linux. The same information is available for Windows downloads, but you'll have to figure out yourself how to do this using Windows.

get the installer file thunderbird-91.4.0.tar.bz2 from https://archive.mozilla.org/pub/thunderbird/releases/91.4.0/linux-x86_64/en-US/

get the files KEY, SHA512SUMS, and SHA512SUMS.asc from https://archive.mozilla.org/pub/thunderbird/releases/91.4.0/

get the hash for the downloaded installer (thunderbird-91.4.0.tar.bz2) > sha512sum thunderbird-91.4.0.tar.bz2 cdb6b8a32053d84ffecb042135b9d6355fbf2095ae5d1fd9dee44663c0febf9af53bfc6b5e7bee01d9fae82383e1de4da2e73e342a8a693a0696bed0aa5cdace thunderbird-91.4.0.tar.bz2

alternatively use > openssl dgst -sha512 thunderbird-91.4.0.tar.bz2 SHA512(thunderbird-91.4.0.tar.bz2)= cdb6b8a32053d84ffecb042135b9d6355fbf2095ae5d1fd9dee44663c0febf9af53bfc6b5e7bee01d9fae82383e1de4da2e73e342a8a693a0696bed0aa5cdace

verify the hash above is listed in SHA512SUMS > cat SHA512SUMS | grep linux-x86_64 | grep en-US | grep tar.bz2 cdb6b8a32053d84ffecb042135b9d6355fbf2095ae5d1fd9dee44663c0febf9af53bfc6b5e7bee01d9fae82383e1de4da2e73e342a8a693a0696bed0aa5cdace linux-x86_64/en-US/thunderbird-91.4.0.tar.bz2

import KEY into your gpg keyring > gpg --import KEY gpg: key 61B7B526D98F0353: 24 signatures not checked due to missing keys gpg: key 61B7B526D98F0353: "Mozilla Software Releases <release@mozilla.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1

verify the detached signature SHA512SUMS.asc has been created with KEY > gpg --verify SHA512SUMS.asc SHA512SUMS gpg: Signature made Sat 04 Dec 2021 06:16:29 PM CET gpg: using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353 Subkey fingerprint: 4360 FE21 09C4 9763 186F 8E21 EBE4 1E90 F6F1 2F6D

Cheers Chris, appreciate you taking the trouble to write that up.

Its an age since I used the GPG keyring but will have a go, thanks again.