
How to verify offline Firefox installer using its .asc file
I have downloaded the Firefox offline installer (a .xz file) from here:
https://download-installer.cdn.mozilla.net/pub/firefox/releases/139.0b9/linux-x86_64/en-GB/
I have also downloaded a .asc file, presumably a pgp signature.
Now both files are saved locally in my computer.
Assuming the latest Linux release, how do I verify the contents of the offline installer file (.xz) from the Linux terminal? I have installed the gpg tools, and commands like `gpg` are available.
What I did so far:
gpg --show-keys --with-fingerprint firefox-139.0b9.tar.xz.asc
with this output:
gpg: no valid OpenPGP data found.
Do you really want us to verify the contents of the installers you provide? A sha256 sum would be great, though not as secure, for when the GPG predictably fails for the ordinary user due to its huge and useless complexity and bureaucracy.
Chosen solution
If you haven't done so already, you need to import Mozilla's gpg key for signing releases: https://blog.mozilla.org/security/2025/04/01/updated-gpg-key-for-signing-firefox-releases-2/
Save the key and import it into your gpg keyring using
gpg --import <filename>
Then you can do
gpg --verify firefox-139.0b9.tar.xz.asc firefox-139.0b9.tar.xz
All Replies (4)
Thank you pernt,
I have followed your reply to import the keys:
1. download the PUBLIC KEY from the site you mentioned into a local file
2. gpg --import <localPKfile>
That was successful. Then I tried to verify:
gpg --verify firefox-139.0b9.tar.xz.asc firefox-139.0b9.tar.xz
and it says
gpg: Signature made Fri May 16 15:04:42 2025 EEST
gpg: using RSA key 09BEED63F3462A2DFFAB3B875ECB6497C1A20256
gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353
Subkey fingerprint: 09BE ED63 F346 2A2D FFAB 3B87 5ECB 6497 C1A2 0256
Is this a good sign?
Does it mean that the local file, its asc signature and the keys fetched for mozilla all agree but there is no way to know that the local file belongs to mozilla?
> Is this a good sign?
Yes. It confirms that the signature is valid and from a key in your keyring, probably the one you imported.
> WARNING: This key is not certified with a trusted signature!
> Does it mean that the local file, its asc signature and the keys fetched for mozilla all agree but there is no way to know that the local file belongs to mozilla?
The warning means that the imported key is not signed locally by you. Simply importing it does not do that for you.
You can search online for commands to run, but basically what you might want to do is list your keys, then look at the fingerprint for the Mozilla key, compare it to the fingerprint on a trusted Mozilla source (probably their website), and if it matches you can sign it. After doing so you should not see that warning anymore.
You can also skip this if you are comfortable with the verification you have performed without having signed Mozilla's key locally.
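As an added example (not from this thread, and not Mozilla's own tooling), here is a POSIX shell script that performs the import-and-verify steps from the accepted answer and also does the fingerprint comparison pernt recommends, but mechanically: it pins the expected primary-key fingerprint and checks it against gpg's machine-readable --status-fd output, so the "not certified with a trusted signature" warning no longer matters and the user's own keyring is never touched (each run uses a throwaway GNUPGHOME). The key file name, the user ID release@example.invalid, and the self-check key are all constructed for the example. For the real installer you would pass the 40 hex digits of the primary fingerprint shown in the asker's output, 14F26682D0916CDD81E37B6D61B7B526D98F0353, after confirming it against Mozilla's blog post.

```shell
#!/bin/sh
# Added example (not from the thread or from Mozilla): verify a detached .asc
# signature and pin the signer's primary-key fingerprint instead of relying on
# the trust database. Everything runs in a temporary GNUPGHOME.

# verify_signed_file KEYFILE SIGFILE DATAFILE EXPECTED_PRIMARY_FPR
#   KEYFILE  - public key as downloaded from the vendor's site
#   SIGFILE  - the detached .asc signature
#   DATAFILE - the installer (the .tar.xz)
#   EXPECTED_PRIMARY_FPR - 40 hex digits, no spaces, from a trusted source
# Returns 0 only if gpg reports a good signature AND the primary key behind it
# has the expected fingerprint; 1 otherwise; 2 on a setup error.
verify_signed_file() {
    keyfile=$1 sigfile=$2 datafile=$3 expected=$4
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    if ! gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null; then
        rm -rf "$home"; return 2
    fi
    # --status-fd 1 prints machine-readable lines. GOODSIG appears even when the
    # key is untrusted (the WARNING the asker saw), so we compare the
    # fingerprint ourselves: the last field of the VALIDSIG line is the
    # primary-key fingerprint even when a signing subkey made the signature.
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null)
    gpgconf --homedir "$home" --kill all 2>/dev/null
    rm -rf "$home"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$primary" ] && [ "$primary" = "$expected" ]
}

# demo_selfcheck: build a throwaway signing key (constructed, not Mozilla's),
# sign a constructed file, export the public key, and confirm the verifier
# accepts the genuine file and rejects a wrong fingerprint and a tampered file.
demo_selfcheck() {
    work=$(mktemp -d) || return 2
    signer="$work/signer"; mkdir -p "$signer"; chmod 700 "$signer"
    data="$work/firefox-demo.tar.xz"
    printf 'constructed installer contents\n' > "$data"
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Releases <release@example.invalid>' default default never \
        2>/dev/null || return 2
    # First fpr: line of --with-colons output is the primary key's fingerprint.
    fpr=$(gpg --homedir "$signer" --batch --with-colons --list-keys | awk -F: '/^fpr:/{print $10; exit}')
    gpg --homedir "$signer" --batch --armor --export release@example.invalid > "$work/demo-key.asc"
    gpg --homedir "$signer" --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$data.asc" "$data" 2>/dev/null || return 2
    gpgconf --homedir "$signer" --kill all 2>/dev/null

    result=0
    # 1. genuine file, correct fingerprint: must pass
    verify_signed_file "$work/demo-key.asc" "$data.asc" "$data" "$fpr" || result=1
    # 2. same good signature, wrong pinned fingerprint: must fail
    if verify_signed_file "$work/demo-key.asc" "$data.asc" "$data" \
        "0000000000000000000000000000000000000000"; then result=1; fi
    # 3. file modified after signing: must fail
    printf 'x' >> "$data"
    if verify_signed_file "$work/demo-key.asc" "$data.asc" "$data" "$fpr"; then result=1; fi
    rm -rf "$work"
    return $result
}

# Usage: sh verify.sh KEYFILE SIGFILE DATAFILE FINGERPRINT   or   sh verify.sh --selfcheck
case "${1:-}" in
    --selfcheck) demo_selfcheck && echo "selfcheck PASS" || { echo "selfcheck FAIL"; exit 1; } ;;
    "") ;;  # no arguments: only define the functions
    *) verify_signed_file "$@" && echo "GOOD signature, primary fingerprint matches" ;;
esac
```

The check is deliberately on the primary-key fingerprint rather than the subkey: the asker's output shows the signature was made by subkey 09BE...0256 while the identity Mozilla publishes is the primary 14F2...0353, and a vendor can rotate signing subkeys under the same primary key. Because the script pins the fingerprint itself, there is no need to lsign the key or adjust the trust database, which is the source of the "not certified" warning discussed above.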
thank you pernt, very helpful.