Updated PGP key does not match KEY file distributed with downloads
Categories: Release Engineering :: General, defect
Tracking: Not tracked
People: Reporter: mtrea, Unassigned
Details
Steps to reproduce:
Compare the key associated with the latest beta release: https://ftp.mozilla.org/pub/firefox/releases/139.0b1/KEY or the one before it (https://ftp.mozilla.org/pub/firefox/releases/138.0b1/KEY) with the key listed in the latest blog post: https://blog.mozilla.org/security/2025/04/01/updated-gpg-key-for-signing-firefox-releases-2/
Actual results:
The keys differ. Note that I'm comparing the contents between "-----BEGIN PGP PUBLIC KEY BLOCK-----" and "-----END PGP PUBLIC KEY BLOCK-----".
Expected results:
The keys should match. For example, the last time I updated the keys in 2023, I compared https://ftp.mozilla.org/pub/firefox/releases/114.0b4/KEY with the key listed in https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/ and found them to be an exact match.
Reporter
Updated•22 days ago
Comment 1•22 days ago
The Bugbug bot thinks this bug should belong to the 'Firefox for Android::General' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Reporter
Updated•22 days ago
Comment 2•21 days ago
The difference is that the blog post excludes a number of now-expired subkeys.
Reporter
Comment 3•21 days ago
Got it, thanks Julien. I suspected this was due to my own misunderstanding, rather than something malicious or a mistake on Mozilla's part, but it's great to get the confirmation.
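The comparison the reporter describes (diffing the text between the BEGIN and END lines) fails whenever one copy of a key carries subkeys the other omits, which is exactly what comment 2 explains. The robust check is to compare the primary-key fingerprint, which does not change when subkeys are added or dropped. The script below is an added example, not part of this bug or of Mozilla's tooling: it dearmors a public key block with the standard library, walks the OpenPGP packets, computes the v4 fingerprint of the primary key and of each subkey, and reports which subkeys appear in only one of the two blocks. The two key blocks it compares are constructed inline with fake RSA moduli (not Mozilla's keys) so the example runs offline; it does not evaluate expiry, since that lives in self-signatures the script skips.

```python
"""Compare two ASCII-armored OpenPGP public key blocks by fingerprint, not by text."""
import base64
import hashlib
import struct

PUBLIC_KEY, PUBLIC_SUBKEY = 6, 14  # OpenPGP packet tags (RFC 4880, section 4.3)


def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor, base64-decode the body and verify the CRC-24 trailer."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----") \
            or not lines[-1].startswith("-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a PGP public key block")
    body = lines[1:-1]
    if "" in body:                       # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    crc_lines = [ln for ln in body if ln.startswith("=")]  # base64 data never starts with '='
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[-1][1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                                   # new format
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format (what GnuPG writes for keys)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || key packet body (RFC 4880, section 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_summary(armored: str) -> dict:
    """Primary-key fingerprint plus the fingerprints of every public subkey."""
    summary = {"primary": None, "subkeys": []}
    for tag, body in packets(dearmor(armored)):
        if tag == PUBLIC_KEY:
            summary["primary"] = v4_fingerprint(body)
        elif tag == PUBLIC_SUBKEY:
            summary["subkeys"].append(v4_fingerprint(body))
    return summary


def compare_keys(a: str, b: str) -> dict:
    sa, sb = key_summary(a), key_summary(b)
    return {
        "same_armor_text": a.strip() == b.strip(),
        "same_primary_fingerprint": sa["primary"] == sb["primary"],
        "subkeys_only_in_first": sorted(set(sa["subkeys"]) - set(sb["subkeys"])),
        "subkeys_only_in_second": sorted(set(sb["subkeys"]) - set(sa["subkeys"])),
    }


# ---- constructed sample data (fake moduli, not real RSA keys, not Mozilla's key) ----
def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _key_body(created: int, modulus: int) -> bytes:
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(65537)


def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # old format, 2-byte length


def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


PRIMARY = _packet(PUBLIC_KEY, _key_body(1_600_000_000, (1 << 1023) + 12345))
SUBKEY_EXPIRED = _packet(PUBLIC_SUBKEY, _key_body(1_500_000_000, (1 << 1023) + 24680))
SUBKEY_CURRENT = _packet(PUBLIC_SUBKEY, _key_body(1_600_000_100, (1 << 1023) + 67890))
KEY_FILE_BLOCK = armor(PRIMARY + SUBKEY_EXPIRED + SUBKEY_CURRENT)  # stand-in for the KEY file
BLOG_POST_BLOCK = armor(PRIMARY + SUBKEY_CURRENT)                  # stand-in for the blog post

if __name__ == "__main__":
    for name, value in compare_keys(KEY_FILE_BLOCK, BLOG_POST_BLOCK).items():
        print(f"{name}: {value}")
```

On a real download, `gpg --show-keys --with-fingerprint KEY` prints the same primary and subkey fingerprints without importing anything; the value to check against the blog post is the primary fingerprint, and a subkey that is present in one copy but not the other is worth a look at its expiry rather than a reason to reject the key.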