User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:184.108.40.206) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Build Identifier:
For the German win32 installer of Firefox 220.127.116.11 (http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/Firefox%20Setup%203.0.19.exe), the release signature in the same directory does not verify, and the MD5 sum a few directories above does not match the actual checksum of the downloaded file. Either the installer is corrupt or the checksums/signatures need to be updated.
Reproducible: Always
Steps to Reproduce:
1. Download installer and signature
2. gpg --verify Firefox\ Setup\ 3.0.19.exe.asc
3.
Actual Results: "invalid signature"
Expected Results: "good signature"
John, cc'ing you since I'm not sure where this bug should be moved to since it is a releng bug.
For reference:
* bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed
* https://wiki.mozilla.org/Releases/Firefox_3.0.19/BuildNotes
(In reply to comment #2)
> For reference:
> * bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed
The ones 3.0.19-real are, actually.
(In reply to comment #3)
> (In reply to comment #2)
> > For reference:
> > * bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed
> >
> The ones 3.0.19-real are, actually.
But I bet we didn't regenerate the *SUMS files afterwards.
The 3.0.19-real releases are signed; however, the signature is two days older (2010-03-29) than the released exe (2010-03-31), not only the German but at least also the English exe. Looks like someone made a last-minute change and forgot to update the signatures.
signatures are updated - http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/
(In reply to comment #5)
> The 3.0.19-real releases are signed, however the signature is two days older
> (2010-03-29) than the released exe (2010-03-31), not only the german but at
> least also the english exe.
> Looks like someone made a last-minute change and forgot to update the
> signatures.
(In reply to comment #6)
> signatures are updated -
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/
Andreas: thanks for catching that and sorry for the mistake. Please reopen this bug if you see any other problems, ok?
(In reply to comment #6)
> signatures are updated -
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/
Just like the first time we had to fix 3.0.19, we cannot replace files pushed to mirrors. Not all mirrors will update. I've found multiple mirrors which still have the old signatures:
http://mozilla.cs.utah.edu/pub/mozilla.org/firefox/releases/3.0.19-real/win32/
http://mirror-fpt-telecom.fpt.net/mozilla/firefox/releases/3.0.19-real/win32/
http://mozilla.patan.com.ar/firefox/releases/3.0.19-real/win32
It's not a lot, but if we want to fix this fully, we need to push to a different directory.
pushed to 3.0.19-real-real, bouncer updated.
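The two symptoms reported in this bug (a checksum file that no longer matches the installer, and a detached signature older than the file it covers) can be checked on a staged release directory before it is pushed to mirrors. The following is an added example, not part of the original thread and not Mozilla's release tooling. It assumes an md5sum-style `MD5SUMS` file, `.asc` signatures next to each file, and file modification time as a stand-in for the signature date; the sample tree is constructed, and the check does not replace `gpg --verify`.

```python
import hashlib
import os
import pathlib
import tempfile

def parse_sums(text):
    """Parse md5sum-style lines '<hex digest>  <path>' (format is an assumption)."""
    entries = {}
    for line in text.splitlines():
        digest, _, path = line.strip().partition(" ")
        if path:
            entries[path.lstrip(" *")] = digest.lower()
    return entries

def audit_release(root, sums_name="MD5SUMS", algo="md5"):
    """Return (path, problem) pairs for files that must not be pushed as-is."""
    expected = parse_sums(pathlib.Path(root, sums_name).read_text(encoding="utf-8"))
    problems = []
    for rel, digest in sorted(expected.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append((rel, "listed but missing"))
            continue
        if hashlib.new(algo, pathlib.Path(path).read_bytes()).hexdigest() != digest:
            problems.append((rel, "checksum mismatch"))
        sig = path + ".asc"
        if not os.path.isfile(sig):
            problems.append((rel, "no detached signature"))
        elif os.path.getmtime(sig) < os.path.getmtime(path):
            # Heuristic only: the file was modified after it was signed.
            problems.append((rel, "signature older than file"))
    return problems

def demo():
    """Constructed tree: en-US is consistent, de was replaced after signing."""
    signed, sums = b"constructed installer bytes", []
    with tempfile.TemporaryDirectory() as root:
        for rel, content, mtime in (("./en-US/setup.exe", signed, 1000),
                                    ("./de/setup.exe", b"rebuilt later", 3000)):
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_bytes(content)
            sig = pathlib.Path(str(path) + ".asc")
            sig.write_bytes(b"placeholder, not a real signature")
            os.utime(path, (mtime, mtime))
            os.utime(sig, (2000, 2000))
            sums.append(hashlib.md5(signed).hexdigest() + "  " + rel)
        pathlib.Path(root, "MD5SUMS").write_text("\n".join(sums) + "\n")
        return audit_release(root)
```

Calling `demo()` reports both problems for the replaced `de` installer and none for `en-US`.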