Verifying Firefox Download Integrity
https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/
The new GPG subkey’s fingerprint is ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274, and it expires 2025-05-04.
But when I import this key (certificate) with gpg4win, it shows me this fingerprint: 14F26682D0916CDD81E37B6D61B7B526D98F0353, which is the same one listed here: https://ftp.mozilla.org/pub/firefox/releases/114.0.1/KEY
Both keys have the same fingerprint when I import them from either of the above websites, so why does the key from the first link not match what the website says?
When I use the sha512.asc to verify the integrity of the downloaded Firefox installer, which I got here: https://www.mozilla.org/en-US/firefox/all/#product-desktop-release https://ftp.mozilla.org/pub/firefox/releases/114.0.1/SHA512SUMS.asc then the result is invalid. See attachment below.
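The question above compares a fingerprint from the blog post (which announces a subkey) with the fingerprint gpg shows for the imported key, and then tries to check an installer against SHA512SUMS.asc. The Python below is an added example written for this page, not code from the thread or from Mozilla. It assumes the key listing comes from `gpg --with-colons --fingerprint --fingerprint KEYID` and embeds a constructed stand-in for that output (placeholder uid, built from the two fingerprints quoted in the question); it checks a published fingerprint against both the primary key and its subkeys, parses a SHA512SUMS file, and verifies a constructed installer, including the case from a later reply where extra bytes such as a `__MOZCUSTOM__` section are appended. The gpg signature check on SHA512SUMS itself still has to be run with gpg; the command is given in a comment.

```python
"""Offline checks for a Firefox download: compare a published fingerprint
against the primary key and subkey fingerprints gpg reports, and check an
installer against a SHA512SUMS file.  All sample inputs are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# Fingerprints quoted in the thread above.
PUBLISHED_SUBKEY_FPR = "ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274"
IMPORTED_PRIMARY_FPR = "14F26682D0916CDD81E37B6D61B7B526D98F0353"

# Constructed stand-in for `gpg --with-colons --fingerprint --fingerprint KEYID`.
# Real output has many more fields; only the record type (field 1) and the
# fingerprint in field 10 of fpr records are read here.  The uid is a placeholder.
SAMPLE_GPG_COLONS = """\
pub:-:4096:1:61B7B526D98F0353:::::::::
fpr:::::::::14F26682D0916CDD81E37B6D61B7B526D98F0353:
uid:-::::::::Placeholder Signing Key <placeholder@example.invalid>:
sub:-:4096:1:E36D3B13F3D93274:::::::s::
fpr:::::::::ADD7079479700DCADFDD5337E36D3B13F3D93274:
"""


def normalize_fpr(fpr: str) -> str:
    """Strip the display grouping ('ADD7 0794 ...') so fingerprints compare exactly."""
    return re.sub(r"\s+", "", fpr).upper()


def key_fingerprints(colon_output: str) -> dict:
    """Return {'primary': fpr, 'subkeys': [fpr, ...]}.

    In colon output an fpr record belongs to the pub or sub record just before it.
    """
    keys = {"primary": None, "subkeys": []}
    owner = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and owner is not None:
            if owner == "pub":
                keys["primary"] = fields[9]
            else:
                keys["subkeys"].append(fields[9])
            owner = None
    return keys


def classify_fingerprint(published: str, colon_output: str) -> Optional[str]:
    """'primary' or 'subkey' if the published fingerprint belongs to the imported
    key; None if it matches nothing, which is the case that should stop verification."""
    keys = key_fingerprints(colon_output)
    fpr = normalize_fpr(published)
    if fpr == keys["primary"]:
        return "primary"
    if fpr in keys["subkeys"]:
        return "subkey"
    return None


# SHA512SUMS lines look like "<128 hex chars>  <path relative to the release dir>".
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?(.+)$")


def parse_sha512sums(text: str) -> dict:
    """Map each relative path in a SHA512SUMS file to its expected digest."""
    sums = {}
    for line in text.splitlines():
        match = SUMS_LINE.match(line.strip())
        if match:
            sums[match.group(2)] = match.group(1).lower()
    return sums


def verify_download(path, relpath: str, sums: dict) -> bool:
    """True only if the file's SHA-512 equals the entry for relpath.
    Run `gpg --verify SHA512SUMS.asc SHA512SUMS` before trusting `sums`:
    the .asc is a detached signature over SHA512SUMS, not over the installer."""
    expected = sums.get(relpath)
    if expected is None:
        return False
    actual = hashlib.sha512(Path(path).read_bytes()).hexdigest()
    return actual == expected


def demo() -> tuple:
    """Constructed installer: matches the sums file, then fails once an
    attribution block like the __MOZCUSTOM__ section is appended."""
    installer = b"constructed stand-in for an installer, not a Firefox binary\n"
    relpath = "win64/en-US/Firefox Setup 114.0.1.exe"
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "installer.exe"
        path.write_bytes(installer)
        sums = parse_sha512sums(f"{hashlib.sha512(installer).hexdigest()}  {relpath}\n")
        clean_ok = verify_download(path, relpath, sums)
        path.write_bytes(installer + b"__MOZCUSTOM__campaign=example\x00")
        tagged_ok = verify_download(path, relpath, sums)
    return clean_ok, tagged_ok


if __name__ == "__main__":
    print(classify_fingerprint(PUBLISHED_SUBKEY_FPR, SAMPLE_GPG_COLONS))  # subkey
    print(classify_fingerprint(IMPORTED_PRIMARY_FPR, SAMPLE_GPG_COLONS))  # primary
    print(demo())  # (True, False)
```

With the constructed listing, the blog fingerprint resolves to a subkey of the key whose primary fingerprint the KEY file shows, so the two values describe one key rather than two. The second half shows why a checksum comparison is only meaningful on the exact bytes Mozilla hashed: any appended data changes the digest.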
All Replies (7)
How do I verify the integrity of Firefox?! This must be a joke or something. I tried all three options now: downloaded Firefox plus the public key plus the sha512sum.asc, and none of those options can be verified.
Typical for Mozilla, isn't it.
No reply? So it's totally normal for Mozilla to host browsers without providing the ability to verify the integrity. Great.
Can't get any better from here
Note that in some cases you may get a Firefox installer with an extra __MOZCUSTOM__ section that thus has a different SHA256 sum and breaks the checksum test.
- https://support.mozilla.org/en-US/kb/desktop-attribution-privacy
- /questions/1327013 SHA256 checksum for Firefox downloads
See also attribution and distributionId:
- https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/data/environment.html#attribution
- Bug 1630809 - Support partner repacks which add attribution to Windows full installers
Edeziri
I've read through all the links you sent; from my understanding the MOZCUSTOM section should only apply to Firefox ESR versions, unless this has changed now.
I can only repeat myself now: when downloading the public Firefox signing key from https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/ and importing it via GPG4Win, the key fingerprint is as follows: 14F26682D0916CDD81E37B6D61B7B526D98F0353. This key fingerprint DOES NOT match the one shared on the above link from Mozilla, which is: 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274. Simply straightforward question: WHY is that? Why would Mozilla host a site dedicated to one purpose, to provide a signing key and its corresponding fingerprint, when the fingerprint does not even match? I can't think of many reasons other than:
• Mozilla just doesn't give a sh!t.
• Something has been compromised.
• Mozilla is trying to provide a false sense of security by providing a signing key, but those who take the effort to match the key's fingerprint will face the reality that the fingerprint doesn't match.
It cannot be asking too much for average users such as myself that we can verify the integrity of our downloaded Firefox installers, yes or no?
I AM NOT here to have a debate that goes on and on and nothing comes out of it; I want to know right now what is going on and how I can finally verify the integrity of my downloaded Firefox installer.
Alright.
I still don't have an answer to the question I originally asked: WHY does Mozilla show a fingerprint for their public key on their website that DOES NOT match the downloaded key's fingerprint, what the fk? No explanation whatsoever, this is crap; hope you are okay with me sharing this to a broad audience on YouTube. Such ignorance and stupidity from Mozilla must be exposed.