Closed Bug 557463 Opened 11 years ago Closed 11 years ago

Signature and MD5SUM for German 3.0.0.19 installer do not verify

Categories

(Release Engineering :: General, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aheinlein, Assigned: lsblakk)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Build Identifier: 

For the German win32 installer of Firefox 3.0.0.19 (http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/Firefox%20Setup%203.0.19.exe), the release signature in the same directory does not verify, and the MD5 sum a few directories above does not match the actual checksum of the downloaded file. Either the installer is corrupt or the checksums/signatures need to be updated.

Reproducible: Always

Steps to Reproduce:
1. Download installer and signature
2. gpg --verify Firefox\ Setup\ 3.0.19.exe.asc

Actual Results:
"invalid signature"

Expected Results:
"good signature"

John, cc'ing you since I'm not sure where this bug should be moved to since it is a releng bug.
Component: Installer → Release Engineering
Product: Firefox → mozilla.org
QA Contact: installer → release
Version: unspecified → other

For reference:
* bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed
* https://wiki.mozilla.org/Releases/Firefox_3.0.19/BuildNotes

(In reply to comment #2)
> For reference:
> * bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed

The ones in 3.0.19-real are, actually.

(In reply to comment #3)
> (In reply to comment #2)
> > For reference:
> > * bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed
> 
> The ones in 3.0.19-real are, actually.

But I bet we didn't regenerate the *SUMS files afterwards.

The 3.0.19-real releases are signed; however, the signature is two days older (2010-03-29) than the released exe (2010-03-31), not only the German but at least also the English exe.
Looks like someone made a last-minute change and forgot to update the signatures.

Assignee: nobody → lsblakk

signatures are updated - http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

(In reply to comment #5)
> The 3.0.19-real releases are signed; however, the signature is two days older
> (2010-03-29) than the released exe (2010-03-31), not only the German but at
> least also the English exe.
> Looks like someone made a last-minute change and forgot to update the
> signatures.

(In reply to comment #6)
> signatures are updated -
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/

Andreas: thanks for catching that and sorry for the mistake. Please reopen this bug if you see any other problems, ok?

(In reply to comment #6)
> signatures are updated -
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/

Just like the first time we had to fix 3.0.19, we cannot replace files pushed to mirrors. Not all mirrors will update. I've found multiple mirrors which still have the old signatures:
http://mozilla.cs.utah.edu/pub/mozilla.org/firefox/releases/3.0.19-real/win32/
http://mirror-fpt-telecom.fpt.net/mozilla/firefox/releases/3.0.19-real/win32/
http://mozilla.patan.com.ar/firefox/releases/3.0.19-real/win32

It's not a lot, but if we want to fix this fully, we need to push to a different directory.

pushed to 3.0.19-real-real, bouncer updated.

Product: mozilla.org → Release Engineering
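
The failure in this thread, an installer replaced after its checksum entry and detached signature were generated, can be caught by auditing the release tree before it is pushed to mirrors. The following is an added example, not part of the bug thread or Mozilla's release tooling; the `MD5SUMS` file name, the md5sum line format, the function names `audit_release` and `demo`, and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def audit_release(root, sums_name="MD5SUMS"):
    """Return sorted (relative_path, problem) pairs for a release tree."""
    problems = []
    with open(os.path.join(root, sums_name), encoding="utf-8") as fh:
        for line in fh.read().splitlines():
            if not line.strip():
                continue
            # md5sum line: 32 hex digits, a space, ' ' or '*', then the path
            digest, rel = line[:32].lower(), line[34:]
            rel = rel[2:] if rel.startswith("./") else rel
            path = os.path.join(root, rel)
            if not os.path.isfile(path):
                problems.append((rel, "listed but missing"))
                continue
            with open(path, "rb") as artifact:
                if hashlib.md5(artifact.read()).hexdigest() != digest:
                    problems.append((rel, "checksum mismatch"))
    # Heuristic only: an .asc older than its file predates the file's last
    # change; `gpg --verify` stays the authoritative signature check.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            target = os.path.join(dirpath, name)
            sig = target + ".asc"
            if os.path.isfile(sig) and os.path.getmtime(sig) < os.path.getmtime(target):
                problems.append((os.path.relpath(target, root), "signature older than file"))
    return sorted(problems)

def demo():
    """Constructed tree: installer replaced after it was summed and signed."""
    with tempfile.TemporaryDirectory() as root:
        rel = "win32/de/Firefox Setup 3.0.19.exe"
        exe = Path(root, rel)
        sig = Path(str(exe) + ".asc")
        exe.parent.mkdir(parents=True)
        exe.write_bytes(b"constructed first build")
        Path(root, "MD5SUMS").write_text(hashlib.md5(exe.read_bytes()).hexdigest() + f"  ./{rel}\n")
        sig.write_text("constructed placeholder, not a real signature\n")
        os.utime(sig, (1269820800, 1269820800))  # 2010-03-29 UTC
        exe.write_bytes(b"constructed rebuilt installer")
        os.utime(exe, (1269993600, 1269993600))  # 2010-03-31 UTC
        return audit_release(root)

if __name__ == "__main__":
    print(demo())
```

An empty result means every listed checksum matches and no signature file is older than the file it covers; running `gpg --verify` on each `.asc` is still required to confirm the signatures themselves.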