Why aren't there any (example): thunderbird-52.2.1-52.3.0.partial.mar.asc files to verify file integrity, like are available for firefox ?
At https://ftp.mozilla.org/pub/firefox/rel ... _64/en-US/
there is a firefox-52.0.2-53.0.partial.mar
and a
firefox-52.0.2-53.0.partial.mar.asc file,
to test the integrity using gpg in Linux?
I see a "KEY" file in the same location as thunderbird partial.mar update files.
So far, not found how to use that KEY file to actually verify the integrity, using gpg - if it's possible.
Mozilla's signing key is already on my keyring & I verify Firefox downloads just fine.
why no <thunderbird release>.asc file to verify integrity?
-
- Posts: 845
- Joined: January 25th, 2007, 2:49 pm
- Location: So. U.S.A.
-
- Posts: 32
- Joined: April 12th, 2017, 2:57 pm
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: why no <thunderbird release>.asc file to verify integrit
I'm not sure. I think that feature was quietly dropped for production builds and only retained for nightly builds. I found http://forums.mozillazine.org/viewtopic ... #p14759723 in the Thunderbird Builds forum which states "It's stopped because Mozilla changed the compression format in the MAR files which the old updates can't handle. This needed special treatment with an intermediate update. They will be enabled soon."
I don't see any .asc or .mar files for http://download-origin.cdn.mozilla.net/ ... n32/en-US/ but do see .asc and .mar files in the nightly builds at http://download-origin.cdn.mozilla.net/ ... m-central/
I don't see any .asc or .mar files for http://download-origin.cdn.mozilla.net/ ... n32/en-US/ but do see .asc and .mar files in the nightly builds at http://download-origin.cdn.mozilla.net/ ... m-central/
-
- Posts: 845
- Joined: January 25th, 2007, 2:49 pm
- Location: So. U.S.A.
Re: why no <thunderbird release>.asc file to verify integrit
Haircut - I knew someone would mis-read my question. You linked to the Firefox file, not Thunderbird.
@tanstaafl - isn't that referring to Tb v57? The response you quoted from p.5 of your link,
Maybe you also misread, but Firefox 55 - stable release still offers the partial.mar.asc files.
So do Fx 57 Nightlies, still have Fx 57 partial.mar.asc files - https://ftp.mozilla.org/pub/firefox/nig ... 1-18-date/
Looking at even older Tb versions, they stopped posting the Tb partial.mar.asc files way back. Not sure, but by Tb 45, partial.mar.asc files seem to be gone.
I see the KEY file (all caps) for Tb 52.x has the same Mozilla key id (D98F0353) and fingerprint as the "Mozilla public key" you'd d/l from public key servers or from Mozilla.
But, if I understand (likely not) the KEY file is their Public Key (which I already have). I need their signature file, that is unique to the exact Tb or Fx download.
@tanstaafl - isn't that referring to Tb v57? The response you quoted from p.5 of your link,
was answering the question / statement on p.4,stopped because Mozilla changed the compression format in the MAR files
Also, he was asking about auto updates, not where are the Tbird .asc files to verify downloads.Is anyone getting automatic Daily updates for Win 32? When Thunderbird 56 became the new Beta and Thunderbird Daily became v57 my auto updates stopped?
Maybe you also misread, but Firefox 55 - stable release still offers the partial.mar.asc files.
So do Fx 57 Nightlies, still have Fx 57 partial.mar.asc files - https://ftp.mozilla.org/pub/firefox/nig ... 1-18-date/
So if ? you meant dropping .asc files had to do w/ changing compression, I don't know if that applies, as they still have them for Firefox 57.File firefox-57.0a1.en-US.linux-i686.tar.bz2
File firefox-57.0a1.en-US.linux-i686.tar.bz2.asc
Looking at even older Tb versions, they stopped posting the Tb partial.mar.asc files way back. Not sure, but by Tb 45, partial.mar.asc files seem to be gone.
I see the KEY file (all caps) for Tb 52.x has the same Mozilla key id (D98F0353) and fingerprint as the "Mozilla public key" you'd d/l from public key servers or from Mozilla.
But, if I understand (likely not) the KEY file is their Public Key (which I already have). I need their signature file, that is unique to the exact Tb or Fx download.
If they completely stopped signing Tb downloads, I'm not sure why they still list their public key with every TB version. Maybe because the KEY file "was already there" & they just didn't drop it when they stopped publishing signature files.the file owner publishes a file and a corresponding PGP signature (*.asc) separately.
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: why no <thunderbird release>.asc file to verify integrit
I said nothing about Firefox.
-
- Posts: 845
- Joined: January 25th, 2007, 2:49 pm
- Location: So. U.S.A.
Re: why no <thunderbird release>.asc file to verify integrit
I know. You said it might be because of changing compression format (from the link).
But, they still - do - have the signature .asc files for Fx 57. Just pointing out they didn't stop signature files for Fx (at all, much less due to compression format). The other linked post wasn't talking about Tb signature files. It was talking about auto updates - I think. Anyway, I imagine they use the same compression on Fx & Tb. AFAIK, digitally signing a file (or not) has nothing to do with compression used.
I think on the link http://download-origin.cdn.mozilla.net/ ... m-central/, what you see is checksum.asc.
That's not the same. That's only useful for verifying the checksums, not the authenticity of an Fx or Tb file.
I'm surprised Mozilla still uses an unsecured connection for downloads. The http://download-origin.cdn.mozilla... An unsecured connection and no signature files.
But, they still - do - have the signature .asc files for Fx 57. Just pointing out they didn't stop signature files for Fx (at all, much less due to compression format). The other linked post wasn't talking about Tb signature files. It was talking about auto updates - I think. Anyway, I imagine they use the same compression on Fx & Tb. AFAIK, digitally signing a file (or not) has nothing to do with compression used.
I think on the link http://download-origin.cdn.mozilla.net/ ... m-central/, what you see is checksum.asc.
That's not the same. That's only useful for verifying the checksums, not the authenticity of an Fx or Tb file.
I'm surprised Mozilla still uses an unsecured connection for downloads. The http://download-origin.cdn.mozilla... An unsecured connection and no signature files.
- James
- Moderator
- Posts: 28004
- Joined: June 18th, 2003, 3:07 pm
- Location: Made in Canada
Re: why no <thunderbird release>.asc file to verify integrit
That is one of the cdn's and this is https https://download-origin.cdn.mozilla.net/