why no <thunderbird release>.asc file to verify integrity?

phkhgh
Posts: 845
Joined: January 25th, 2007, 2:49 pm
Location: So. U.S.A.


Post by phkhgh »

Why aren't there any (for example) thunderbird-52.2.1-52.3.0.partial.mar.asc files to verify file integrity, like those available for Firefox?

At https://ftp.mozilla.org/pub/firefox/rel ... _64/en-US/
there is a firefox-52.0.2-53.0.partial.mar
and a
firefox-52.0.2-53.0.partial.mar.asc file,
to test the integrity using gpg in Linux?

I see a "KEY" file in the same location as thunderbird partial.mar update files.
So far, I have not found how to use that KEY file to actually verify the integrity, using gpg - if it's possible.

Mozilla's signing key is already on my keyring & I verify Firefox downloads just fine.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: why no <thunderbird release>.asc file to verify integrit

Post by tanstaafl »

I'm not sure. I think that feature was quietly dropped for production builds and only retained for nightly builds. I found http://forums.mozillazine.org/viewtopic ... #p14759723 in the Thunderbird Builds forum which states "It's stopped because Mozilla changed the compression format in the MAR files which the old updates can't handle. This needed special treatment with an intermediate update. They will be enabled soon."

I don't see any .asc or .mar files for http://download-origin.cdn.mozilla.net/ ... n32/en-US/ but do see .asc and .mar files in the nightly builds at http://download-origin.cdn.mozilla.net/ ... m-central/
phkhgh
Posts: 845
Joined: January 25th, 2007, 2:49 pm
Location: So. U.S.A.

Re: why no <thunderbird release>.asc file to verify integrit

Post by phkhgh »

Haircut - I knew someone would misread my question. :D You linked to the Firefox file, not Thunderbird.

@tanstaafl - isn't that referring to Tb v57? The response you quoted from p.5 of your link,
"stopped because Mozilla changed the compression format in the MAR files"
was answering the question / statement on p.4,
"Is anyone getting automatic Daily updates for Win 32? When Thunderbird 56 became the new Beta and Thunderbird Daily became v57 my auto updates stopped?"
Also, he was asking about auto updates, not where are the Tbird .asc files to verify downloads.

Maybe you also misread, but Firefox 55 - stable release still offers the partial.mar.asc files.
Fx 57 Nightlies also still have Fx 57 partial.mar.asc files - https://ftp.mozilla.org/pub/firefox/nig ... 1-18-date/
File firefox-57.0a1.en-US.linux-i686.tar.bz2
File firefox-57.0a1.en-US.linux-i686.tar.bz2.asc
So if (?) you meant dropping .asc files had to do with changing compression, I don't know if that applies, as they still have them for Firefox 57.

Looking at even older Tb versions, they stopped posting the Tb partial.mar.asc files way back. Not sure, but by Tb 45, partial.mar.asc files seem to be gone.

I see the KEY file (all caps) for Tb 52.x has the same Mozilla key id (D98F0353) and fingerprint as the "Mozilla public key" you'd d/l from public key servers or from Mozilla.
But, if I understand (likely not), the KEY file is their public key (which I already have). I need their signature file, which is unique to the exact Tb or Fx download.
the file owner publishes a file and a corresponding PGP signature (*.asc) separately.
If they completely stopped signing Tb downloads, I'm not sure why they still list their public key with every TB version. Maybe because the KEY file "was already there" & they just didn't drop it when they stopped publishing signature files.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: why no <thunderbird release>.asc file to verify integrit

Post by tanstaafl »

I said nothing about Firefox.
phkhgh
Posts: 845
Joined: January 25th, 2007, 2:49 pm
Location: So. U.S.A.

Re: why no <thunderbird release>.asc file to verify integrit

Post by phkhgh »

I know. You said it might be because of changing compression format (from the link).
But, they still - do - have the signature .asc files for Fx 57. Just pointing out they didn't stop signature files for Fx (at all, much less due to compression format). The other linked post wasn't talking about Tb signature files. It was talking about auto updates - I think. Anyway, I imagine they use the same compression on Fx & Tb. AFAIK, digitally signing a file (or not) has nothing to do with compression used.

I think on the link http://download-origin.cdn.mozilla.net/ ... m-central/, what you see is checksum.asc.
That's not the same. That's only useful for verifying the checksums, not the authenticity of an Fx or Tb file.

I'm surprised Mozilla still uses an unsecured connection for downloads. The http://download-origin.cdn.mozilla... An unsecured connection and no signature files. :shock:
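
Added example (not from any poster in this thread and not Mozilla's own tooling): how a signed checksum list, like the checksum.asc discussed above, can be tied to one specific download using gpg and sha512sum. The sha512sum-style list format, the function names and the caller-supplied fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example; list format ("<hex>  <path>" per line) and all names are assumptions.

# Succeed only if SIGFILE is a good detached signature over DATAFILE made by the
# key whose primary fingerprint is FPR (uppercase hex, no spaces, obtained from
# a source you already trust, not from the download directory itself).
signed_by() {   # signed_by SIGFILE DATAFILE FPR
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk -v fpr="$3" '
            $2 == "GOODSIG" { good = 1 }                 # key not expired or revoked
            $2 == "VALIDSIG" && $NF == fpr { mine = 1 }  # last field: primary key
            END { exit !(good && mine) }'
}

# Print the hash listed for exactly NAME; fail if NAME is absent or duplicated.
# An exact match avoids accepting the entry for another locale or platform.
listed_hash() {   # listed_hash SUMSFILE NAME
    awk -v want="$2" '
        { name = $0; sub(/^[0-9a-fA-F]+[ \t]+\*?/, "", name) }
        name == want { hash = tolower($1); n++ }
        END { if (n != 1) exit 1; print hash }' "$1"
}

# Succeed only if FILE hashes to the value listed for NAME in SUMSFILE.
sum_matches() {   # sum_matches FILE SUMSFILE NAME
    want=$(listed_hash "$2" "$3") || return 1
    have=$(sha512sum "$1" | awk '{ print $1 }')
    [ -n "$have" ] && [ "$want" = "$have" ]
}

# Full chain: the signature vouches for the list, the list vouches for the file.
verify_download() {   # verify_download FILE SUMSFILE SIGFILE NAME FPR
    signed_by "$3" "$2" "$5" && sum_matches "$1" "$2" "$4"
}
```

Checking the fingerprint from gpg's status output, rather than only the exit code of `gpg --verify`, keeps a signature from any other key on the keyring from passing.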
James
Moderator
Posts: 28004
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Re: why no <thunderbird release>.asc file to verify integrit

Post by James »

That is one of the CDNs, and this is https: https://download-origin.cdn.mozilla.net/