Closed Bug 774199 Opened 10 years ago Closed 10 years ago

Bad gpg signatures on partial mar files

Categories

(Release Engineering :: General, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: nthomas, Assigned: nthomas)

Details

(Whiteboard: [signatures])

Attachments

(2 files)

eg:
nthomas@upload1:/pub/mozilla.org/firefox/candidates/14.0.1-candidates/build1/update/win32/en-US$ for f in *asc; do echo $f; gpg --verify $f; echo; done
firefox-13.0.1-14.0.1.partial.mar.asc
gpg: Signature made Mon 16 Jul 2012 12:07:05 AM PDT using DSA key ID C52175E2
gpg: BAD signature from "Mozilla Software Releases <releases@mozilla.org>"

firefox-13.0.2-14.0.1.partial.mar.asc
gpg: Signature made Fri 13 Jul 2012 05:23:31 PM PDT using DSA key ID C52175E2
gpg: BAD signature from "Mozilla Software Releases <releases@mozilla.org>"

firefox-14.0.1.complete.mar.asc
gpg: Signature made Fri 13 Jul 2012 05:20:59 PM PDT using DSA key ID C52175E2
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D03 193D 6BDC 541B D796  C4E4 7F4D 6645 1EBC AB3A
     Subkey fingerprint: 247C A658 AA95 F617 1EB0  F13E A7D7 5CC7 C521 75E2

The 1st partial listed was manually generated, the 2nd was generated by a build slave.
This is also true for 11.0/12.0/13.0. Strange that it affects completes and not partials.
Oops, I meant that it's strange that this affects partials and not completes.
Assignee: nobody → nrthomas
Whiteboard: [signatures]
Attached patch en-US fixSplinter Review
Attachment #647367 - Flags: review?(rail)
Attached patch locales fixSplinter Review
Attachment #647368 - Flags: review?(rail)
Attachment #647367 - Flags: review?(rail) → review+
Attachment #647368 - Flags: review?(rail) → review+
Will verify in releases starting in the next day or so, but since this matches what we do for completes lets call it FIXED.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
en-US:

$ wget -q ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/15.0b3-candidates/build1/update/linux-i686/en-US/firefox-15.0b2-15.0b3.partial.mar ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/15.0b3-candidates/build1/update/linux-i686/en-US/firefox-15.0b2-15.0b3.partial.mar.asc

$ gpg --verify firefox-15.0b2-15.0b3.partial.mar.asc 
gpg: Signature made Tue 31 Jul 2012 07:15:12 PM EDT using DSA key ID C52175E2
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D03 193D 6BDC 541B D796  C4E4 7F4D 6645 1EBC AB3A
     Subkey fingerprint: 247C A658 AA95 F617 1EB0  F13E A7D7 5CC7 C521 75E2

localized:

$ wget -q ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/15.0b3-candidates/build1/update/linux-i686/fr/firefox-15.0b2-15.0b3.partial.mar.asc ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/15.0b3-candidates/build1/update/linux-i686/fr/firefox-15.0b2-15.0b3.partial.mar    

$ gpg --verify firefox-15.0b2-15.0b3.partial.mar.asc
gpg: Signature made Tue 31 Jul 2012 07:20:59 PM EDT using DSA key ID C52175E2
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D03 193D 6BDC 541B D796  C4E4 7F4D 6645 1EBC AB3A
     Subkey fingerprint: 247C A658 AA95 F617 1EB0  F13E A7D7 5CC7 C521 75E2

The warning can be ignored since I haven't set a trust level for the key.
Status: RESOLVED → VERIFIED
Woot!
This made it into production yesterday afternoon.
Product: mozilla.org → Release Engineering
Component: General Automation → General
You need to log in before you can comment on or make changes to this bug.