From dschultheis:

I recently downloaded a file located at the following URL:
https://ftp.mozilla.org/pub/firefox/releases/45.0.2/win64/en-US/Firefox%20Setup%2045.0.2.exe

When using GnuPG v2.1.9 software to verify this file, using the public key provided at https://ftp.mozilla.org/pub/firefox/releases/45.0.2/KEY and the PGP signature at https://ftp.mozilla.org/pub/firefox/releases/45.0.2/SHA512SUMS.asc, I received the following error message from the GPG software:

gpg: Signature made 04/11/16 17:50:33 Eastern Daylight Time using RSA key ID 5E9905DB
gpg: BAD signature from "Mozilla Software Releases <firstname.lastname@example.org>" [unknown]

Is the correct PGP key/detached signature listed on the FTP server, or are these files not the ones intended for verifying file integrity and authentication?

---

kmoir:

I reran the checksums job for 45.0.2 and verified the checksums are both the same on candidates and releases. However, gpg marks the signatures as invalid. I checked 45.0.1 and the same issue is there. I seem to recall a bug around this, let me look.
Summary: 45.0.2 signature invalid when verifying with gpg → 45.0.2/45.01 signature invalid when verifying with gpg
Works fine for me. Here are the steps to reproduce.

$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/win64/en-US/Firefox%20Setup%2045.0.2.exe
$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/SHA512SUMS.asc
$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/SHA512SUMS
$ wget https://ftp.mozilla.org/pub/firefox/releases/45.0.2/KEY

$ sha512sum Firefox\ Setup\ 45.0.2.exe
8dc906bbe5ccca42a255c5426950c686fedfdd07b03e42d29741315edb30af9f536b1ab5dce6ef03e3c2dd5360abc7f28420a7d2b30b89d1ce16f254d67a1f24  Firefox Setup 45.0.2.exe

$ grep 8dc906bbe5ccca42a255c5426950c686fedfdd07b03e42d29741315edb30af9f536b1ab5dce6ef03e3c2dd5360abc7f28420a7d2b30b89d1ce16f254d67a1f24 SHA512SUMS
8dc906bbe5ccca42a255c5426950c686fedfdd07b03e42d29741315edb30af9f536b1ab5dce6ef03e3c2dd5360abc7f28420a7d2b30b89d1ce16f254d67a1f24  win64/en-US/Firefox Setup 45.0.2.exe

# Just to make sure I use a clean profile
$ mkdir gpg-homedir
$ chmod 700 gpg-homedir
$ gpg --homedir gpg-homedir --import KEY
gpg: keyring `gpg-homedir/secring.gpg' created
gpg: keyring `gpg-homedir/pubring.gpg' created
gpg: gpg-homedir/trustdb.gpg: trustdb created
gpg: key D98F0353: public key "Mozilla Software Releases <email@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --homedir gpg-homedir --verify SHA512SUMS.asc
gpg: assuming signed data in `SHA512SUMS'
gpg: Signature made Mon 11 Apr 2016 05:50:33 PM EDT using RSA key ID 5E9905DB
gpg: Good signature from "Mozilla Software Releases <firstname.lastname@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353
     Subkey fingerprint: F2EF 4E6E 6AE7 5B95 F11F 1EB5 1C69 C4E5 5E99 05DB
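The reproduction above has two independent checks: gpg verifies the detached signature over the SHA512SUMS manifest (the "not certified with a trusted signature" warning concerns trust in the key, not whether the signature is valid), and the installer's own SHA-512 digest must then match the manifest entry. The script below is an added example, not code from this bug thread or from Mozilla; it implements the second check for the manifest format shown in the grep output (`<hex digest>  <relative path>`), looks up the downloaded file by its basename because the manifest lists it under the `win64/en-US/` prefix, and rejects a malformed or mismatching entry. The installer bytes and manifests it uses are constructed in the script; the digests are computed from those bytes, not copied from the real release.

```python
"""Verify a downloaded file against a SHA512SUMS manifest (added example)."""
import hashlib
import posixpath


def parse_sha512sums(text):
    """Parse `<hex digest>  <relative path>` lines into {path: digest}.

    Blank lines are skipped. A digest that is not 128 hex characters raises
    ValueError so a truncated or tampered manifest is not silently accepted.
    """
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # coreutils format: digest, two spaces (or " *" for binary mode), path.
        digest, sep, path = line.partition("  ")
        if not sep:
            digest, sep, path = line.partition(" *")
        if not sep:
            raise ValueError(f"line {lineno}: not a sha512sum entry: {line!r}")
        digest = digest.strip().lower()
        if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: malformed SHA-512 digest")
        sums[path] = digest
    return sums


def find_entry(sums, local_name):
    """Return (manifest path, digest) whose basename matches local_name.

    The manifest lists e.g. win64/en-US/Firefox Setup 45.0.2.exe while the
    download sits in the current directory under its basename. Returns None
    if absent; raises ValueError if the basename is ambiguous.
    """
    matches = [(p, d) for p, d in sums.items()
               if posixpath.basename(p) == local_name]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError(f"{local_name!r} matches {len(matches)} entries; "
                         "pass the full relative path instead")
    return matches[0]


def verify_bytes(data, expected_hex):
    """True if sha512(data) equals the expected hex digest."""
    return hashlib.sha512(data).hexdigest() == expected_hex.lower()


def check_download(local_name, data, manifest_text):
    """Parse the manifest, find the entry, compare digests.

    Returns "ok", "mismatch" or "missing".
    """
    sums = parse_sha512sums(manifest_text)
    entry = find_entry(sums, local_name)
    if entry is None:
        return "missing"
    return "ok" if verify_bytes(data, entry[1]) else "mismatch"


# Constructed sample data: fake installer bytes and manifests built from them.
SAMPLE_FILES = {
    "Firefox Setup 45.0.2.exe": b"constructed installer bytes, not a real binary\n",
    "firefox-45.0.2.tar.bz2": b"constructed tarball bytes\n",
}


def _manifest_for(files, tamper=None):
    lines = []
    for name, data in files.items():
        digest = hashlib.sha512(data).hexdigest()
        if name == tamper:
            digest = "0" * 128  # deliberately wrong digest for the mismatch case
        lines.append(f"{digest}  win64/en-US/{name}")
    return "\n".join(lines) + "\n"


GOOD_MANIFEST = _manifest_for(SAMPLE_FILES)
BAD_MANIFEST = _manifest_for(SAMPLE_FILES, tamper="Firefox Setup 45.0.2.exe")


if __name__ == "__main__":
    name = "Firefox Setup 45.0.2.exe"
    print(name, "->", check_download(name, SAMPLE_FILES[name], GOOD_MANIFEST))
    print(name, "(tampered manifest) ->",
          check_download(name, SAMPLE_FILES[name], BAD_MANIFEST))
```

Run it against a real download by reading the installer bytes and the SHA512SUMS text from disk and passing them to `check_download`; do so only after `gpg --verify SHA512SUMS.asc` has reported a good signature, since the manifest is only as trustworthy as the signature over it.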
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME