- Solved
- Archived
GPG key for signing Firefox Releases
Hello, while trying to verify the integrity of firefox-118.0.1.tar.bz2, I realized the GPG key has changed.
The following blog post details the change and shows the new key: https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/
But when I download the key using the link provided (which points to keys.openpgp.org), the key I get is different from the key posted on the Mozilla blog page.
What is even stranger is that the key from keys.openpgp.org declares in the comment that 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353 is the fingerprint of the key (the same that is posted on the Mozilla blog), but it can't be because the key is different.
So my questions: 1) Why is Mozilla posting a link to a key that is different? 2) Why does keys.openpgp.org show the correct fingerprint with a different key?
And, in the end, which key should I trust and why?
Thanks.