Signature and MD5SUM for German 3.0.0.19 installer do not verify

RESOLVED FIXED

Status

Release Engineering
General
8 years ago
4 years ago

People

(Reporter: Andreas Heinlein, Assigned: lsblakk)


(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Build Identifier: 

For the German win32 installer of Firefox 3.0.0.19 (http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/Firefox%20Setup%203.0.19.exe), the release signature in the same directory does not verify, and the MD5 sum a few directories above does not match the actual checksum of the downloaded file. Either the installer is corrupt or the checksums/signatures need to be updated.

Reproducible: Always

Steps to Reproduce:
1. Download installer and signature
2. gpg --verify Firefox\ Setup\ 3.0.19.exe.asc
3. 
Actual Results:  
"invalid signature"

Expected Results:  
"good signature"

Comment 1

John, cc'ing you since I'm not sure where this bug should be moved to since it is a releng bug.
Component: Installer → Release Engineering
Product: Firefox → mozilla.org
QA Contact: installer → release
Version: unspecified → other

Comment 2

8 years ago
For reference:
* bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed
* https://wiki.mozilla.org/Releases/Firefox_3.0.19/BuildNotes

Comment 3

(In reply to comment #2)
> For reference:
> * bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed

The ones 3.0.19-real are, actually.

Comment 4

(In reply to comment #3)
> (In reply to comment #2)
> > For reference:
> > * bug 556222 - Firefox 3.0.19 Windows installers are not digitally-signed
> 
> The ones 3.0.19-real are, actually.

But I bet we didn't regenerate the *SUMS files afterwards.
(Reporter)

Comment 5

8 years ago
The 3.0.19-real releases are signed, however the signature is two days older (2010-03-29) than the released exe (2010-03-31), not only the German but at least also the English exe.
Looks like someone made a last-minute change and forgot to update the signatures.
(Assignee)

Updated

8 years ago
Assignee: nobody → lsblakk
(Assignee)

Comment 6

8 years ago
signatures are updated - http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Comment 7

(In reply to comment #5)
> The 3.0.19-real releases are signed, however the signature is two days older
> (2010-03-29) than the released exe (2010-03-31), not only the german but at
> least also the english exe.
> Looks like someone made a last-minute change and forgot to update the
> signatures.

(In reply to comment #6)
> signatures are updated -
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/

Andreas: thanks for catching that and sorry for the mistake. Please reopen this bug if you see any other problems, ok?

Comment 8

(In reply to comment #6)
> signatures are updated -
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.0.19-real/win32/de/

Just like the first time we had to fix 3.0.19, we cannot replace files pushed to mirrors. Not all mirrors will update. I've found multiple mirrors which still have the old signatures:
http://mozilla.cs.utah.edu/pub/mozilla.org/firefox/releases/3.0.19-real/win32/
http://mirror-fpt-telecom.fpt.net/mozilla/firefox/releases/3.0.19-real/win32/
http://mozilla.patan.com.ar/firefox/releases/3.0.19-real/win32

It's not a lot, but if we want to fix this fully, we need to push to a different directory.
(Assignee)

Comment 9

8 years ago
pushed to 3.0.19-real-real, bouncer updated.
Product: mozilla.org → Release Engineering
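
An added example, not part of the bug thread or of Mozilla's release tooling: a release-tree audit that catches both failures reported here, a checksum-list entry that no longer matches its file and a detached signature older than the file it covers. The `MD5SUMS` file name and line layout, the directory tree and all file contents are constructed assumptions; the timestamp comparison is only a heuristic, and `gpg --verify` remains the authoritative signature check.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit_release(root, sums_name="MD5SUMS"):
    """Return sorted (problem, relative_path) findings for a release tree."""
    root, findings = Path(root), []
    for line in (root / sums_name).read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)   # assumed layout: "<md5>  <path>"
        rel = rel.lstrip("*")               # md5sum marks binary mode with '*'
        if not (root / rel).is_file():
            findings.append(("missing", rel))
        elif md5_of(root / rel) != digest.lower():
            findings.append(("checksum-mismatch", rel))
    # Heuristic: a detached signature older than its file was made over earlier bytes.
    for sig in root.rglob("*.asc"):
        signed = sig.with_suffix("")
        if signed.is_file() and sig.stat().st_mtime < signed.stat().st_mtime:
            findings.append(("stale-signature", signed.relative_to(root).as_posix()))
    return sorted(findings)

def build_sample(root):
    """Constructed tree: the de installer is replaced after sums and signatures exist."""
    root, day, sums = Path(root), 86400, []
    for lang in ("de", "en-US"):
        exe = root / "win32" / lang / "Firefox Setup 3.0.19.exe"
        exe.parent.mkdir(parents=True)
        exe.write_bytes(b"constructed installer bytes " + lang.encode())
        sums.append(f"{md5_of(exe)}  win32/{lang}/{exe.name}")
        sig = exe.with_name(exe.name + ".asc")
        sig.write_text("constructed placeholder, not a real signature\n")
        os.utime(sig, (10 * day, 10 * day))
        os.utime(exe, (10 * day, 10 * day))
    (root / "MD5SUMS").write_text("\n".join(sums) + "\n")
    rebuilt = root / "win32" / "de" / "Firefox Setup 3.0.19.exe"
    rebuilt.write_bytes(b"constructed installer bytes, replaced later")
    os.utime(rebuilt, (12 * day, 12 * day))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for problem, path in audit_release(build_sample(Path(tmp) / "release")):
            print(problem, path)
```

Run against each mirror's copy of a release directory, the same audit shows which mirrors still serve files that disagree with the checksum list or carry signatures predating the installer.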