Closed Bug 1833280 Opened 2 years ago Closed 2 years ago

Firefox public key from keys.openpgp.org different than from openpgp.org

Categories: Release Engineering :: Release Automation, enhancement
Tracking: Not tracked
Status: RESOLVED WORKSFORME
People: Reporter: bendov, Unassigned

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Steps to reproduce:

The public key for Firefox 113.0.1 on keys.openpgp.org is different (unless just replaced) & won't work to verify the downloaded firefox.
Even though CLI $ gpg --verify firefox-113.0.1.tar.bz2.asc firefox-113.0.1.tar.bz2
returns:
"Signature made Thu 11 May 2023 03:55:45 PM CDT"
"using RSA key ADD7079479700DCADFDD5337E36D3B13F3D93274"
"Can't verify signature - no public key."

Gpg can't use the file imported from openpgp.org. It doesn't recognize that it has the correct subkey data. The openpgp.org file (earlier today) has obvious DIFFERENCES in the block, from the files on ftp.mozilla.org or blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases.

When the key is imported from keys.openpgp.org, gpg can't / won't verify the signature on Firefox 113, saying, "no public key."

Actual results:

GPG (CLI in Linux) can't verify any Firefox 113.x.x downloads with public key imported from keys.openpgp.org.

Expected results:

The public key files (for the same key ID) from any source should be identical files & produce the same gpg verification results.

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Gtk
Product: Firefox → Core

Not sure which component that is, but Gtk/Widget surely not.

Component: Widget: Gtk → General
Product: Core → Firefox Build System
Component: General → Release Automation: Signing
Product: Firefox Build System → Release Engineering
Version: Firefox 102 → unspecified

I can't reproduce.

$ gpghome=$(mktemp -d)
$ gpg --homedir $gpghome --keyserver keys.openpgp.org --recv-keys 14F26682D0916CDD81E37B6D61B7B526D98F0353
gpg: keybox '/tmp/tmp.o9OJmpGVyd/pubring.kbx' created
gpg: /tmp/tmp.o9OJmpGVyd/trustdb.gpg: trustdb created
gpg: key 61B7B526D98F0353: public key "Mozilla Software Releases <release@mozilla.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ wget https://archive.mozilla.org/pub/firefox/releases/113.0.1/linux-x86_64/en-US/firefox-113.0.1.tar.bz2
--2023-05-17 15:25:53--  https://archive.mozilla.org/pub/firefox/releases/113.0.1/linux-x86_64/en-US/firefox-113.0.1.tar.bz2
Resolving archive.mozilla.org (archive.mozilla.org)... 2600:1901:0:b9fd::, 34.117.35.28
Connecting to archive.mozilla.org (archive.mozilla.org)|2600:1901:0:b9fd::|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 79793237 (76M) [application/x-tar]
Saving to: ‘firefox-113.0.1.tar.bz2’

firefox-113.0.1.tar.bz2                     100%[========================================================================================>]  76.10M   103MB/s    in 0.7s    

2023-05-17 15:25:54 (103 MB/s) - ‘firefox-113.0.1.tar.bz2’ saved [79793237/79793237]

$ wget https://archive.mozilla.org/pub/firefox/releases/113.0.1/linux-x86_64/en-US/firefox-113.0.1.tar.bz2.asc
--2023-05-17 15:25:55--  https://archive.mozilla.org/pub/firefox/releases/113.0.1/linux-x86_64/en-US/firefox-113.0.1.tar.bz2.asc
Resolving archive.mozilla.org (archive.mozilla.org)... 2600:1901:0:b9fd::, 34.117.35.28
Connecting to archive.mozilla.org (archive.mozilla.org)|2600:1901:0:b9fd::|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [text/plain]
Saving to: ‘firefox-113.0.1.tar.bz2.asc’

firefox-113.0.1.tar.bz2.asc                 100%[========================================================================================>]     833  --.-KB/s    in 0s      

2023-05-17 15:25:55 (10.4 MB/s) - ‘firefox-113.0.1.tar.bz2.asc’ saved [833/833]

$ gpg --homedir $gpghome --verify firefox-113.0.1.tar.bz2.asc 
gpg: assuming signed data in 'firefox-113.0.1.tar.bz2'
gpg: Signature made Thu May 11 22:55:45 2023 CEST
gpg:                using RSA key ADD7079479700DCADFDD5337E36D3B13F3D93274
gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3  7B6D 61B7 B526 D98F 0353
     Subkey fingerprint: ADD7 0794 7970 0DCA DFDD  5337 E36D 3B13 F3D9 3274

How exactly did you import the key?

Flags: needinfo?(bendov)
Severity: -- → N/A
Priority: -- → P3
Priority: P3 → --
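A verification helper in the spirit of the reproduction above, added here and not part of the bug report or of Mozilla's tooling. Key blocks exported by different keyservers can legitimately differ in which certifications and packets they carry, so rather than comparing key files byte for byte it pins the primary-key fingerprint (the one the comment above imported) and checks gpg's machine-readable VALIDSIG line, whose last field is the primary key that owns the signing subkey; the keyserver URL and the hypothetical function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: verify a Firefox tarball in a throwaway keyring and accept the
# signature only if it chains to the pinned primary key. GOODSIG alone is not a
# sufficient check: it fires for any key that happens to be in the keyring.
EXPECTED_PRIMARY_FPR="14F26682D0916CDD81E37B6D61B7B526D98F0353"   # from the comment above
KEYSERVER="hkps://keys.openpgp.org"                                # assumption

# check_validsig EXPECTED_FPR: read `gpg --status-fd 1` lines on stdin and succeed
# only if a VALIDSIG line's final field (the primary key fingerprint) matches.
# Spaces and lower-case hex in EXPECTED_FPR are normalised first.
check_validsig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                primary=${line##* }          # last whitespace-separated field
                [ "$primary" = "$expected" ] && return 0
                ;;
        esac
    done
    return 1                                 # no VALIDSIG from the pinned key
}

# verify_firefox TARBALL ASC: import the pinned key into a temp homedir, verify,
# apply the fingerprint pin, then discard the homedir. Needs network and gpg.
verify_firefox() {
    tarball=$1; sig=$2
    gpghome=$(mktemp -d) || return 1
    if ! gpg --homedir "$gpghome" --batch --keyserver "$KEYSERVER" \
            --recv-keys "$EXPECTED_PRIMARY_FPR" >/dev/null 2>&1; then
        rm -rf "$gpghome"; return 1
    fi
    # Human-readable output goes to stderr (discarded); status lines go to stdout.
    if gpg --homedir "$gpghome" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
            | check_validsig "$EXPECTED_PRIMARY_FPR"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$gpghome"
    return $rc
}

# Usage: ./verify.sh firefox-113.0.1.tar.bz2 firefox-113.0.1.tar.bz2.asc
if [ "$#" -eq 2 ]; then
    verify_firefox "$1" "$2" && echo "OK: signature from pinned Mozilla key"
fi
```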

I can't repro either

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bendov)
Resolution: --- → WORKSFORME
Component: Release Automation: Signing → Release Automation