bad PGP/GPG signatures for all Win32 Mozilla firefox partial.mar files
I checked the .asc signature for the Mozilla 12.0 update firefox-11.0-12.0.partial.mar and came up with:
Signature made Fri, Apr 20, 2012 21:24:01 EDT using DSA key ID C52175E2 BAD signature from "Mozilla Software Releases <releases@mozilla.org>"
The MD5, SHA1 and SHA512 checksums come back OK.
Wót Carolina Calling
Wšykne wótegrona (5)
Hello carolinacalling,
I'm sorry to hear that you are experiencing some issues with the Mozilla Firefox installation and would like to apologize for the long wait time. It seems like you are trying to download Firefox from an unofficial website (Cygwin). The signature problem doesn't seem to be some big trouble, but I would rather download the web browser from the official download page to ensure stability and security of your web activities.
If you have any more inquiries regarding this matter, please feel free to write them in a reply below.
Thank you for your valuable time and your great patience and all your interest in Mozilla Firefox. Surf safe and have a great day!
An interesting interpretation of the facts...
Cygwin, an OpenSource project of Red Hat Inc., (available at http://cygwin.com) is:
• a collection of tools which provide a Linux look and feel environment for Windows. • a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality.
Now, using these tools, specifically the rsync tool (which uses the rsync TCP/IP protocol), I downloaded the update MAR file from the OFFICIAL site using the Rsync address:
rsync://releases-rsync.mozilla.org::mozilla-releases/firefox/releases/12.0/update/win32/en-US/firefox*.mar*
(This is equivalent to: http://releases.mozilla.org/pub/mozilla.org/firefox/releases/12.0/update/win32/en-US/)
This retrieved:
firefox-11.0-12.0.partial.mar
firefox-11.0-12.0.partial.mar.asc
firefox-12.0.complete.mar
firefox-12.0.complete.mar.asc
The .asc extension is short for ASCII (alternatively, this could be, by convention, .sig,) and contains the digital signature generated using the "Mozilla Software Releases" PGP'/GPG key, DSA key ID C52175E2. PGP/GPG are authentication tools that use the RSA encryption algorithm to generate digital signatures that guarantee the veracity of a file or message. The signature for firefox-11.0-12.0.partial.mar does NOT verify. The output of GPG is:
+ gpg --verify firefox-11.0-12.0.partial.mar.asc firefox-11.0-12.0.partial.mar
...
gpg: Signature made Fri, Apr 20, 2012 21:24:01 EDT using DSA key ID C52175E2
gpg: BAD signature from "Mozilla Software Releases "
Official MD5, SHA1 and SHA512 checksums are also available for this file and its signature. They DO verify properly. For example:
+ md5sum -c .md5sum (.md5sum is extracted from MD5SUMS)
...
update/win32/en-US/firefox-12.0.complete.mar: OK
update/win32/en-US/firefox-12.0.complete.mar.asc: OK
update/win32/en-US/firefox-11.0-12.0.partial.mar: OK
update/win32/en-US/firefox-11.0-12.0.partial.mar.asc: OK
Would someone, please, check why a bad PGP/GPG signature for this file is being distributed? All the Mozilla12.0 partial.mar signatures I've checked (en-{GB,US,ZA}, zh-{CN,TW}) are bad.
To continue this little saga, the latest Firefox, 13.0, continues to have the same problem with the partial.mar files. (BTW, Thunderbird has this problem, too!) I.E, the file firefox-12.0-13.0.partial.mar.asc has a bad signature in all the cases I checked (en-{GB,US,ZA},zh-{CN,TW},ru,fr). Again, all the checksums verify.
Can someone on the release team (logistics?), please, please, please, generate correct PGP/GPG signatures for the partial.mar files (in Firefox and Thunderbird).
Wót Carolina Calling
Yet again, for Firefox 13.0.1, the partial mar files do not verify against the asc files. This is true for all the cases I checked (en-{GB,US,ZA},zh-{CN,TW},ru,fr,hu). The only Thunderbird 13.0.1 partial mar file I checked (en-US) also failed. As before, the MD5, SHA1 and SHA512 checksums of the incorrect asc files verify.
I find it odd that having these asc files verifying isn't a release criteria....
Wót Carolina Calling
Did the MD5 values check out? Could you display what MD5 values you received from the site?