- Archived
Verifying Firefox Download Integrity
https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/ The new GPG subkey’s fingerprint is ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3… (read more)
https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/
The new GPG subkey’s fingerprint is ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274, and it expires 2025-05-04.
But when i import this key(certificate) with gpg4win it shows me this fingerprint: 14F26682D0916CDD81E37B6D61B7B526D98F0353 which is the same one listed here: https://ftp.mozilla.org/pub/firefox/releases/114.0.1/KEY
Both keys have the same fingerprint when i import them from either of the above websites, why does the key from the first link not match what the website says?
When i use the sha512.asc to verify the integrity of the downloaded firefox installer which i got here: https://www.mozilla.org/en-US/firefox/all/#product-desktop-release https://ftp.mozilla.org/pub/firefox/releases/114.0.1/SHA512SUMS.asc Then the result is invalid. - See attachment below.