45.0.2/45.01 signature invalid when verifying with gpg

RESOLVED WORKSFORME

Release Engineering
Releases

(Reporter: kmoir, Assigned: kmoir)


Description

From dschultheis

I recently downloaded a file located at the following URL: https://ftp.mozilla.org/pub/firefox/releases/45.0.2/win64/en-US/Firefox%20Setup%2045.0.2.exe

When using GnuPG v2.1.9 software to verify this file, using the public key provided at:

https://ftp.mozilla.org/pub/firefox/releases/45.0.2/KEY

and the PGP signature at:

https://ftp.mozilla.org/pub/firefox/releases/45.0.2/SHA512SUMS.asc

I received the following error message from the GPG software:

gpg: Signature made 04/11/16 17:50:33 Eastern Daylight Time using RSA key ID 5E9905DB
gpg: BAD signature from "Mozilla Software Releases <release@mozilla.com>" [unknown]

Is the correct PGP key/detached signature listed on the FTP server, or are these files not the ones intended for verifying file integrity and authentication?

---

kmoir: I reran the checksums job for 45.0.2 and verified the checksums are both the same on candidates and releases. However, gpg marks the signatures as invalid. I checked 45.0.1 and the same issue is there. I seem to recall a bug around this, let me look

Assignee: nobody → kmoir
Summary: 45.0.2 signature invalid when verifying with gpg → 45.0.2/45.01 signature invalid when verifying with gpg

Works fine for me. Here are the steps to reproduce.

$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/win64/en-US/Firefox%20Setup%2045.0.2.exe
$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/SHA512SUMS.asc
$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/SHA512SUMS
$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/KEY

$ sha512sum Firefox\ Setup\ 45.0.2.exe
8dc906bbe5ccca42a255c5426950c686fedfdd07b03e42d29741315edb30af9f536b1ab5dce6ef03e3c2dd5360abc7f28420a7d2b30b89d1ce16f254d67a1f24  Firefox Setup 45.0.2.exe

$ grep 8dc906bbe5ccca42a255c5426950c686fedfdd07b03e42d29741315edb30af9f536b1ab5dce6ef03e3c2dd5360abc7f28420a7d2b30b89d1ce16f254d67a1f24 SHA512SUMS
8dc906bbe5ccca42a255c5426950c686fedfdd07b03e42d29741315edb30af9f536b1ab5dce6ef03e3c2dd5360abc7f28420a7d2b30b89d1ce16f254d67a1f24  win64/en-US/Firefox Setup 45.0.2.exe

# Just to make sure I use clean profile
$ mkdir gpg-homedir
$ chmod 700 gpg-homedir
$ gpg --homedir gpg-homedir --import KEY
gpg: keyring `gpg-homedir/secring.gpg' created
gpg: keyring `gpg-homedir/pubring.gpg' created
gpg: gpg-homedir/trustdb.gpg: trustdb created
gpg: key D98F0353: public key "Mozilla Software Releases <release@mozilla.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --homedir gpg-homedir --verify SHA512SUMS.asc 
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Mon 11 Apr 2016 05:50:33 PM EDT using RSA key ID 5E9905DB
gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3  7B6D 61B7 B526 D98F 0353
     Subkey fingerprint: F2EF 4E6E 6AE7 5B95 F11F  1EB5 1C69 C4E5 5E99 05DB
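The two checks in the transcript above, as an added example that is not from the bug report or from Mozilla's release tooling: the detached signature over SHA512SUMS must be good and made by the key whose fingerprints gpg printed, and the installer's SHA-512 must match the entry in the signed list. It assumes the machine-readable format gpg emits with `--status-fd` (GOODSIG/BADSIG/VALIDSIG lines); the status lines and installer bytes below are constructed, not real captures.

```python
import hashlib
import re

# Fingerprints exactly as gpg printed them in the transcript above, spaces removed.
PRIMARY_FPR = "14F26682D0916CDD81E37B6D61B7B526D98F0353"
SIGNING_SUBKEY_FPR = "F2EF4E6E6AE75B95F11F1EB51C69C4E55E9905DB"

def signature_ok(status_lines, pinned=frozenset({PRIMARY_FPR, SIGNING_SUBKEY_FPR})):
    """Judge the output of `gpg --status-fd 1 --verify SHA512SUMS.asc SHA512SUMS`.
    GOODSIG only proves that *some* imported key signed the file; the VALIDSIG
    fingerprint must also equal the pinned key, which is what the 'not certified
    with a trusted signature' warning in the transcript is asking you to check."""
    good = fpr_ok = False
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue                      # human-readable output, not a status line
        if parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False                  # the reporter's outcome: BAD signature
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 3:
            # VALIDSIG <signing fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> [<primary fpr>]
            fpr_ok = bool({parts[2].upper(), parts[-1].upper()} & pinned)
    return good and fpr_ok

def parse_sums(text):
    """Return {relative path: hex digest} from SHA512SUMS (digest, two spaces, path)."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{128})  (.+)$", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def file_ok(data, rel_path, sums):
    """Second step: the installer's own SHA-512 must equal the entry in the signed list."""
    return sums.get(rel_path) == hashlib.sha512(data).hexdigest()

# Constructed inputs (not real gpg output or installer bytes), shaped like the
# transcript above; the GOODSIG/VALIDSIG pair carries the page's fingerprints.
SIG_TAIL = " 2016-04-11 1460411433 0 4 0 1 10 00 "   # date, epoch, exp, ver, res, RSA, SHA512, class
GOOD_STATUS = [
    "[GNUPG:] GOODSIG 1C69C4E55E9905DB Mozilla Software Releases <release@mozilla.com>",
    "[GNUPG:] VALIDSIG " + SIGNING_SUBKEY_FPR + SIG_TAIL + PRIMARY_FPR,
]
BAD_STATUS = ["[GNUPG:] BADSIG 1C69C4E55E9905DB Mozilla Software Releases <release@mozilla.com>"]
FAKE_INSTALLER = b"constructed stand-in for Firefox Setup 45.0.2.exe"
SAMPLE_SUMS = hashlib.sha512(FAKE_INSTALLER).hexdigest() + "  win64/en-US/Firefox Setup 45.0.2.exe\n"
```

A good signature from any other key that happens to be in the keyring is rejected by the fingerprint pin, so importing KEY into a throwaway homedir as rail did is not the only safeguard.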

Comment 2

thanks rail!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME