Closed Bug 684434 Opened 13 years ago Closed 13 years ago

Some GPG detached signatures (asc) missing for Firefox 6.0.1, 7.0b3, & 6.0.2 build2

Categories

(Release Engineering :: General, defect, P2)

x86
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nanotube, Assigned: nthomas)

References

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603

Steps to reproduce:

Tried to verify the integrity and authenticity of firefox 6.0.1 release tarball.


Actual results:

Releases prior to 6.0.1 came with a detached gpg signature file, so that the tarball could be verified for integrity and authenticity. (example: http://releases.mozilla.org/pub/mozilla.org/firefox/releases/6.0/linux-i686/en-US/ and note the .asc file). 6.0.1 however has no .asc file for it (examine the content of http://releases.mozilla.org/pub/mozilla.org/firefox/releases/6.0/linux-i686/en-US/ ). it is not even included in the upper-level SHA1SUMS file.

So, I failed to find a method to verify the integrity or authenticity of the release archive.


Expected results:

I should have found the .asc file as usual, right next to the .bz2, and been able to verify the signature. 

Please push out the signatures for the released files asap!
I tried asking about this on irc.mozilla.org/#firefox IRC, but was directed to file a report on bugzilla. Hope this is an appropriate section to file this in.
Moving to installer as it's the closest component I could think of
Component: General → Installer
QA Contact: general → installer
Component: Installer → Release Engineering
Product: Firefox → mozilla.org
QA Contact: installer → release
Version: 6 Branch → other
Confirmed on the master copy of the 6.0.1 files. We have asc files on the win32 installers and the two SUMS files, but not for Mac or either Linux. 

RelEng, I bet this is a result of the signing issues, where signed-build1/ was moved away and we forgot to rsync linux + mac over from unsigned-build1/ (the last line of the download target at http://hg.mozilla.org/build/tools/file/tip/release/signing/Makefile#l180)

Fx 3.6.21 and 3.6.22 build2 are OK, but 6.0.2 build2 has the same problem.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Missing methods to verify release integrity and authenticity → Some GPG detached signatures (asc) missing for Firefox 6.0.1 & 6.0.2 build2
Summary: Some GPG detached signatures (asc) missing for Firefox 6.0.1 & 6.0.2 build2 → Some GPG detached signatures (asc) missing for Firefox 6.0.1, 7.0b3, & 6.0.2 build2
I think I've fixed 6.0.2 build 2.
Looks good to me. I'll get the other two releases tomorrow, if no-one beats me to it.
Assignee: nobody → nrthomas
Priority: -- → P3
6.0.1 has been fixed and pushed to the mirrors.
Priority: P3 → P2
7.0b3 has been fixed, even though we didn't actually release that.

Bug 634270 tracks the underlying issue.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Problem reappears in 7.0.1.
(This probably isn't too surprising as according to Comment 9 the underlying problem isn't solved yet. I thought, it might make some sense to report nevertheless. Hope, this was all right.)
(In reply to Peter Mattern from comment #10)
> Problem reappears in 7.0.1.
> (This probably isn't too surprising as according to Comment 9 the underlying
> problem isn't solved yet. I thought, it might make some sense to report
> nevertheless. Hope, this was all right.)

Fixing up 7.0.1 is tracked in https://bugzilla.mozilla.org/show_bug.cgi?id=690730
Product: mozilla.org → Release Engineering
You need to log in before you can comment on or make changes to this bug.