Die Funktionalität dieser Website ist durch Wartungsarbeiten eingeschränkt, die Ihr Erlebnis verbessern sollen. Wenn ein Artikel Ihr Problem nicht löst und Sie eine Frage stellen möchten, können Sie unsere Gemeinschaft über @FirefoxSupport auf Twitter, /r/firefox oder Reddit fragen.

Hilfe durchsuchen

Vorsicht vor Support-Betrug: Wir fordern Sie niemals auf, eine Telefonnummer anzurufen, eine SMS an eine Telefonnummer zu senden oder persönliche Daten preiszugeben. Bitte melden Sie verdächtige Aktivitäten über die Funktion „Missbrauch melden“.

Weitere Informationen

are thunderbird partial.mar.asc files available

  • 6 Antworten
  • 1 hat dieses Problem
  • 1 Aufruf
  • Letzte Antwort von JoeB

more options

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux.

But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg.

Mozilla's signing key is already on my keyring and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux. But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg. Mozilla's signing key is <b>already on my keyring</b> and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

Geändert am von JoeB

Alle Antworten (6)

more options

You should ask your question here; https://support.mozilla.org/en-US/products/thunderbird

more options
more options

Thanks, for moving this to the right section. Cor-el, what am I looking at in your link? There isn't any thunderbird-52.3.0.partial.mar.asc at your link. The (public) KEY file isn't the same as a signature (.asc) file.

Does Mozilla not sign Tb partial or full versions anymore? (they used to provide .asc files). They even provide signature (.asc) files for Fx nightlies.

Why would they bother to sign Firefox & not Thunderbird?

more options

Should I file a bug on bugzilla, to possibly get an answer? Seems no one (yet) on Mozilla.org or Mozillazine knows why the .asc signature files were eliminated for Tb, but not for Fx.

I hope people aren't using this unsecured server to D/L - AND - not verify the files authenticity w/ gpg / pgp: http://download-origin.cdn.mozilla.net/pub/thunderbird/nightly/2017/09/2017-09-09-03-02-06-comm-central/.

more options
more options

Thanks cor-el. No one can be "advanced" on all topics. Checksums are only useful for verifying there were no data errors in downloading a file. Checksums are not useful to verify that the file you downloaded is the same one that the developer made.

IOW, Checksums don't show (at all ) that the server wasn't hacked & a modified file replaced the original one. Which happens, even to large developers. More than people think.

I'm looking for digital signature *.asc files for Tb, the same as are available for Firefox. Even Fx nightlies.

Using GPG or PGP, the signature files are used to verify the file you got is from the developer & not tampered with by anyone else. They usually have the same name as the data file, with .asc or .sig added suffix.