Where is the new PGP key for nightly 2021-05-26-21-17-56 and later?
Categories: Release Engineering :: General, defect
Tracking: firefox91 fixed
People: Reporter: andersk, Assigned: bhearsum
Attachments: 1 file
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Steps to reproduce:
Nightly 2021-05-26-09-48-46 and earlier were signed with the GPG key available at https://archive.mozilla.org/pub/firefox/releases/89.0b15/KEY, but nightly 2021-05-26-21-17-56 and later are signed with a different key that I can’t find on the website.
Actual results:
$ wget https://archive.mozilla.org/pub/firefox/releases/89.0b15/KEY
$ gpg --import KEY
$ wget https://archive.mozilla.org/pub/firefox/nightly/2021/05/2021-05-26-21-17-56-mozilla-central/firefox-90.0a1.en-US.linux-x86_64.tar.bz2
$ wget https://archive.mozilla.org/pub/firefox/nightly/2021/05/2021-05-26-21-17-56-mozilla-central/firefox-90.0a1.en-US.linux-x86_64.tar.bz2.asc
$ gpg --verify firefox-90.0a1.en-US.linux-x86_64.tar.bz2.asc
gpg: assuming signed data in 'firefox-90.0a1.en-US.linux-x86_64.tar.bz2'
gpg: Signature made Wed 26 May 2021 03:54:11 PM PDT
gpg: using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D
gpg: Can't check signature: No public key
Expected results:
$ wget https://archive.mozilla.org/pub/firefox/nightly/2021/05/2021-05-26-09-48-46-mozilla-central/firefox-90.0a1.en-US.linux-x86_64.tar.bz2
$ wget https://archive.mozilla.org/pub/firefox/nightly/2021/05/2021-05-26-09-48-46-mozilla-central/firefox-90.0a1.en-US.linux-x86_64.tar.bz2.asc
$ gpg --verify firefox-90.0a1.en-US.linux-x86_64.tar.bz2.asc
gpg: assuming signed data in 'firefox-90.0a1.en-US.linux-x86_64.tar.bz2'
gpg: Signature made Wed 26 May 2021 04:19:44 AM PDT
gpg: using RSA key 097B313077AE62A02F84DA4DF1A6668FBB7D572E
gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353
Subkey fingerprint: 097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D 572E
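The verification above trusts whatever key happened to be imported and then checks the signature. A more robust form of the same procedure, added here as an example and not part of the bug report or of Mozilla's release tooling, verifies in a throwaway keyring and accepts the tarball only if the signer hangs off a pinned primary key fingerprint. The primary fingerprint is taken from the Expected results above; the two "using RSA key" lines in the report are signing subkeys, and pinning the primary rather than a subkey survives a subkey rotation. The script name, the argument layout and the download URLs in the usage comment are assumptions (the URLs are the ones quoted in this bug).

```sh
#!/bin/sh
# Added example (not Mozilla's tooling): verify a Firefox nightly tarball against
# its detached .asc signature in a throwaway keyring and accept it only if the
# signing key hangs off a pinned PRIMARY key fingerprint. The script name and the
# URL layout in the usage section are assumptions taken from the bug report.
set -eu

# Primary fingerprint of "Mozilla Software Releases <release@mozilla.com>" as
# printed under "Expected results" in the bug. The "using RSA key" lines in the
# report are signing subkeys; the primary is what should be pinned.
EXPECTED_PRIMARY_FPR="14F26682D0916CDD81E37B6D61B7B526D98F0353"

# verify_pinned KEYFILE SIGFILE DATAFILE EXPECTED_PRIMARY_FPR
# Returns 0 only when SIGFILE is a valid detached signature over DATAFILE made
# by a key whose primary fingerprint equals EXPECTED_PRIMARY_FPR; 1 otherwise
# (bad signature, tampered data, missing or wrong key).
verify_pinned() {
  keyfile=$1 sigfile=$2 datafile=$3 expected=$4
  tmp=$(mktemp -d) || return 1
  chmod 700 "$tmp"
  # A fresh --homedir keeps the check independent of whatever is in the
  # user's keyring and of any trust it has accumulated.
  if ! gpg --homedir "$tmp" --batch --quiet --import "$keyfile" >/dev/null 2>&1; then
    rm -rf "$tmp"; return 1
  fi
  # --status-fd emits machine-readable lines. VALIDSIG appears only for a
  # cryptographically good signature; its last field is the primary key
  # fingerprint even when a subkey made the signature.
  status=$(gpg --homedir "$tmp" --batch --status-fd 1 \
               --verify "$sigfile" "$datafile" 2>/dev/null) || true
  rm -rf "$tmp"
  primary=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $12; exit }')
  [ -n "$primary" ] && [ "$primary" = "$expected" ]
}

# Usage (assumed layout): sh verify-nightly.sh KEY_URL NIGHTLY_DIR_URL TARBALL
#   sh verify-nightly.sh \
#     https://archive.mozilla.org/pub/firefox/candidates/89.0-candidates/build2/KEY \
#     https://archive.mozilla.org/pub/firefox/nightly/2021/05/2021-05-26-21-17-56-mozilla-central \
#     firefox-90.0a1.en-US.linux-x86_64.tar.bz2
if [ "$#" -eq 3 ]; then
  key_url=$1 dir_url=$2 tarball=$3
  wget -q -O KEY "$key_url"
  wget -q "$dir_url/$tarball" "$dir_url/$tarball.asc"
  if verify_pinned KEY "$tarball.asc" "$tarball" "$EXPECTED_PRIMARY_FPR"; then
    echo "OK: $tarball is signed under primary key $EXPECTED_PRIMARY_FPR"
  else
    echo "REJECTED: $tarball (bad signature, or signer is not the pinned key)" >&2
    exit 1
  fi
fi
```

The "Can't check signature: No public key" case from the report shows up as a plain rejection here (no VALIDSIG line is emitted), as does a tampered tarball or a KEY file that carries some other key; the "not certified with a trusted signature" warning disappears because trust is replaced by the explicit fingerprint comparison.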
Comment 1 (Ryan VanderMeulen [:RyanVM]) • 3 years ago
Fallout from a recent key rotation almost certainly.
Comment 2 (Assignee: bhearsum) • 3 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)
> Fallout from a recent key rotation almost certainly.
Definitely. We don't have a place that we publish the pubkey alongside nightly builds, as we do for releases. The new key is available at https://keys.openpgp.org/search?q=14F26682D0916CDD81E37B6D61B7B526D98F0353, and if you'd prefer to get it from a Mozilla hosted place, it can be found at https://archive.mozilla.org/pub/firefox/candidates/89.0-candidates/build2/KEY.
Comment 3 (Reporter: andersk) • 3 years ago
Thanks. Could we get the key uploaded as KEY for nightly builds too, so there isn’t a delay in the future between when the key starts being used for signing and when it can be downloaded from Mozilla? This would be useful for nixpkgs-mozilla (see https://github.com/mozilla/nixpkgs-mozilla/pull/258).
Comment 4 (Assignee: bhearsum) • 3 years ago
(In reply to Anders Kaseorg from comment #3)
> Thanks. Could we get the key uploaded as KEY for nightly builds too, so there isn’t a delay in the future between when the key starts being used for signing and when it can be downloaded from Mozilla? This would be useful for nixpkgs-mozilla (see https://github.com/mozilla/nixpkgs-mozilla/pull/258).
Yeah, we should do that. I'm about to post a patch that should do it.
Comment 5 (Assignee: bhearsum) • 3 years ago
We got multiple instances of confusion because nightly builds were
signed with a new GPG key, but it was not published in an obvious place.
We already publish this alongside every beta and release candidate, as
well as to a GPG keyserver - but if you're just looking at nightly
builds, it's unclear what you should be verifying them with.
Comment 7 (bugherder) • 3 years ago