Firefox » Invalid signature files in the distribution?

mikini
 
Posts: 1
Joined: Wed 15 Nov 2017 10:43

Post by mikini » Wed 15 Nov 2017 10:49

Hi there.

I had a problem checking the signatures on the binary files in the Firefox distribution on Linux.

I couldn't find a place to report it, so I submitted the feedback below at https://support.mozilla.org/da/kb/insta ... linux:fx56

Do you know the answer, or know the right place to ask the question?

I did have confidence after checking the SHA256 sums, though ;).

Mikkel

---
I've downloaded Quantum/57 from tar and see firefox.sig and firefox-bin.sig files in the root of the firefox folder. Those look like PGP signature files, but trying to verify the binaries using gpg fails:

gpg --verify firefox.sig
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

I assume those should verify but can find no indication of whether I should expect these to be valid PGP signatures, so I'm of course reluctant to execute these.

---

$ wget https://ftp.mozilla.org/pub/firefox/rel ... SHA256SUMS
$ sha256sum firefox-57.0.tar.bz2
c2cae016089e816c03283a359c582efab3bca34e6048ecc2382b43c1eb342457 firefox-57.0.tar.bz2
$ grep c2cae016089e816c03283a359c582efab3bca34e6048ecc2382b43c1eb342457 SHA256SUMS
c2cae016089e816c03283a359c582efab3bca34e6048ecc2382b43c1eb342457 linux-x86_64/en-US/firefox-57.0.tar.bz2

Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
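
The checksum comparison from the post, as an added example that is not part of the original post: it looks the expected digest up by the manifest's path entry instead of grepping for the locally computed hash, because the manifest names files by release-directory path. The function name `verify_from_manifest` is hypothetical, the manifest layout (digest, whitespace, relative path) is assumed from the grep output above, and the demo data is constructed.

```shell
#!/bin/sh
# verify_from_manifest MANIFEST ENTRY FILE   (hypothetical helper name)
# Returns 0 if MANIFEST has exactly one line for ENTRY and its digest equals
# the SHA-256 of FILE, 1 on a digest mismatch, 2 if the check cannot be made.
verify_from_manifest() {
    manifest=$1 entry=$2 file=$3

    # Look up by the path field (exact string match), not by the digest:
    # the local file's digest is the value under test, so it must not
    # drive the lookup. Zero or duplicate entries are treated as an error.
    expected=$(awk -v e="$entry" '
        { p = $0; sub(/^[0-9A-Fa-f]+[ \t]+[*]?/, "", p) }
        p == e { print tolower($1); n++ }
        END { if (n != 1) exit 1 }' "$manifest") || {
        echo "no unique entry for $entry in $manifest" >&2
        return 2
    }

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ -n "$actual" ] || { echo "cannot hash $file" >&2; return 2; }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $entry"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: a stand-in file and a manifest in the layout shown above.
demo=$(mktemp -d)
printf 'constructed stand-in for the tarball\n' > "$demo/firefox-57.0.tar.bz2"
printf '%s  linux-x86_64/en-US/firefox-57.0.tar.bz2\n' \
    "$(sha256sum "$demo/firefox-57.0.tar.bz2" | awk '{ print $1 }')" \
    > "$demo/SHA256SUMS"
verify_from_manifest "$demo/SHA256SUMS" \
    linux-x86_64/en-US/firefox-57.0.tar.bz2 "$demo/firefox-57.0.tar.bz2"
rm -rf "$demo"
```

A match shows the file is the one the manifest lists; whether the manifest itself is authentic is a separate check.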