Pesquisar no apoio

Evite burlas no apoio. Nunca iremos solicitar que telefone ou envie uma mensagem de texto para um número de telefone ou que partilhe informações pessoais. Por favor, reporte atividades suspeitas utilizando a opção "Reportar abuso".

Saber mais

are thunderbird partial.mar.asc files available

  • 6 respostas
  • 1 tem este problema
  • 1 visualização
  • Última resposta por JoeB

more options

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux.

But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg.

Mozilla's signing key is already on my keyring and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux. But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg. Mozilla's signing key is <b>already on my keyring</b> and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

Modificado por JoeB a

Todas as respostas (6)

more options

You should ask your question here; https://support.mozilla.org/en-US/products/thunderbird

more options
more options

Thanks, for moving this to the right section. Cor-el, what am I looking at in your link? There isn't any thunderbird-52.3.0.partial.mar.asc at your link. The (public) KEY file isn't the same as a signature (.asc) file.

Does Mozilla not sign Tb partial or full versions anymore? (they used to provide .asc files). They even provide signature (.asc) files for Fx nightlies.

Why would they bother to sign Firefox & not Thunderbird?

more options

Should I file a bug on bugzilla, to possibly get an answer? Seems no one (yet) on Mozilla.org or Mozillazine knows why the .asc signature files were eliminated for Tb, but not for Fx.

I hope people aren't using this unsecured server to D/L - AND - not verify the files authenticity w/ gpg / pgp: http://download-origin.cdn.mozilla.net/pub/thunderbird/nightly/2017/09/2017-09-09-03-02-06-comm-central/.

more options
more options

Thanks cor-el. No one can be "advanced" on all topics. Checksums are only useful for verifying there were no data errors in downloading a file. Checksums are not useful to verify that the file you downloaded is the same one that the developer made.

IOW, Checksums don't show (at all ) that the server wasn't hacked & a modified file replaced the original one. Which happens, even to large developers. More than people think.

I'm looking for digital signature *.asc files for Tb, the same as are available for Firefox. Even Fx nightlies.

Using GPG or PGP, the signature files are used to verify the file you got is from the developer & not tampered with by anyone else. They usually have the same name as the data file, with .asc or .sig added suffix.