Download Mozilla programs only from Mozilla.org to prevent fakes. I have never seen hash sums.

Hi FredMcD,

Thanks for your reply. I get what your saying and agree that making sure you download from Mozilla.org should ensure your download results are perfectly safe. However, many truly open software providers ensure their downloads are able to be verified by users who wish to do so. Open software providers usually go out of their way to promote users doing this practice, and make their hash sums readily available/easy to find.

When an organization does not follow this practice or makes finding them a very obscure or difficult process, it is hard not to be skeptical or ask why they wouldn't want users to be able to verify that what they are downloading is at least what the software provider is saying they have provided to them. Especially when an organization claims to be part of the open software community. I would like to see Mozilla be more open to users being able to verify what they are downloading, if for no other reason than to give them that curtesy for the sake of showing their openness with their software.

I've called the big guys to help you. Good luck.

Hashes are provided for each release, along with the detached signature. https://ftp.mozilla.org/pub/firefox/releases/43.0.4/

This is an example for the 32 bit Linux version.

> openssl dgst -sha512 firefox-43.0.4.tar.bz2 SHA512(firefox-43.0.4.tar.bz2)= e8189b1e0aa9edd1bc8b00db7ca1e39a133b03ae720b1d25f6430789f4cedb0542c2884e4c7fad8598503eae241f575839b6cfb2029c49b36c9fa5fbdc4b2e18

Compare the calculated hash with the one provided in SHA512SUMS.

Then verify the authenticity of SHA512SUMS. > gpg --verify SHA512SUMS.asc SHA512SUMS gpg: Signature made Wed 06 Jan 2016 06:54:21 AM CET using RSA key ID 5E9905DB gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353

    Subkey fingerprint: F2EF 4E6E 6AE7 5B95 F11F  1EB5 1C69 C4E5 5E99 05DB

You can obtain the needed key from the keyserver. Note, you need to import the key into your keyring. https://gpg.mozilla.org/pks/lookup?search=0x5E9905DB&op=get

It's all there, even though it may not be obvious. With a little more research you could have saved some unsubstantiated accusations in your last post.

Hey christ1,

I appreciate your reply, and as usual communicating through email sometimes doesn't accurately portray the true spirit or tone of what is being communicated.

It would be nice to see the hashes along side the firefox downloads, or somewhere more obvious where most users can easily see them. I searched for "mozilla firefox hashes/checksums/etc." along with a multitude of other search terms both outside of mozilla, mozillazine, mozilla's developer site, and within the mozilla website. After digging through many links that looked like they may be related I found very little except for one link, but that was for hashes from the mid 2000's...? I found the developer section but still did not find these hashes. I must have overlooked how to get to them, however, shouldn't it be much easier than having to dig this deep, or insult a top contributor in order to get a link to them?  : )

At any rate, thanks for helping me out. I do appreciate it.

See also:

• http://hearsum.ca/blog/mozilla-software-release-gpg-key-transition.html

Thanks cor-el.

Your reply is helpful, however I would not have known to go to "Ben's Home on the Web" to look for this information from looking around the Mozilla website. A standard user would have a real difficult time finding this information, which is mostly what caused me to ask my original question.

Thanks for your help.

I got that link from a bug report that was about to renew an expired gpg key that they had 'forgotten' about. They noticed that in May 2015 that it would expire in July and still managed to let that happen...

• bug 1139929 - renew gpg signing key

It would be nice to see the hashes along side the firefox downloads, or somewhere more obvious where most users can easily see them.

I tend to agree that the process to verify downloads isn't as straight forward as you may wish. On the other hand consider this. Firefox is made available for three platforms (Windows, MacOS, Linux), there are 32 bit and 64 bit versions, and there are about 90 localized builds. You can do the math yourself how many different builds have to be made available for download. My best guess is that very few people actually verify the download file. I'm not one of them, I do usually use the built-in update mechanism.

So providing checksums for that many builds the way you wish probably isn't feasible. It needs to be manageable from a release engineering perspective, and it needs to be done in a secure way.

Posting a checksum on the very same web site where you download the binary from sounds ridiculous to me. If the binary would be manipulated, what makes you certain the checksum isn't?

So after all, I guess with the way they came up with to verify downloads makes a whole lot of sense considering all the above. And even though it may not be obvious how to do it, one always can ask.

If you think your question has been answered, you may want to mark this topic as 'Solved'. Thank you.

Hello christ1,

Your points are very valid. Most people do not verify downloads, know how, and many have never heard of such a thing. Most probably wouldn't be very interested in doing this either : )

Most Gnu/Linux distros provide checksums for Mac/Windows/Linux platforms with both 32bit & 64bit systems for each variety of versions & releases, and a variety of specific OS applications like server/desktop/mobile, etc. I just don't want to see firefox take on the same attitudes of presumption toward its users like adobe, microsoft, etc. do, where users are expected to accept whatever they provide without any effort on their part to demonstrate openness to their users.

Your right that the security of the hash sums is ultimately based on the idea that you should be able to trust the site hosting them, not that it provides absolute security, but I would rather see a software provider is wanting/attempting to show that they desire to be strait forward about what users are downloading from them.

Ok, so my main issue has been that I tried to research where to find these hash sums for firefox downloads, and did not see where to find links to them apart from you helpfully providing them. Unless I really missed it (which of course is possible) it was not obvious where on Mozilla, etc. links to hash sums are, and apart from you and others helping provide links I don't think most users would be able to find them if they wanted to on their own. That hash sums could be separate from the downloads is a good idea but still can't we make it easier to get to them, rather than have to get a top contributor involved to get that answer?

Thanks for your help christ1.