Firefox 115.0.x fails a checksum test when extracting.
As many users do, I download the full FireFox package directly from the Mozilla FTP server and extract the contents of the EXE for checking and direct copying into a custom configured target directory. I do this for a number of reasons which will not be detailed here.
The the setup files for the latest version of the ESR release are failing the checksum test during extraction. This is not isolated to this version as the 114.x.x and 113.x.x version files also seem to be effected by this problem.
Checksum failures directly indicate that the files extracted can not be trusted.
@FireFox Dev team, Please investigate this issue and resolve as soon as possible.
Thank You!
An gyara
All Replies (12)
On Windows you can get a special version with a Unique Download Identifier (__MOZCUSTOM__).
cor-el said
On Windows you can get a special version with a Unique Download Identifier (__MOZCUSTOM__).
That's interesting, but doesn't seem related to this problem.
The files from https://archive.mozilla.org/pub/firefox/releases/115.0.3esr/win64/ should not have the mentioned above thing you may get (for Windows) if you downloaded from say https://www.mozilla.org/firefox/enterprise/
lexluthermiester said
I download the full FireFox package directly from the Mozilla FTP server
There is no FTP server as Mozilla disabled the ftp:// protocol on servers back on Aug 5th, 2015. If you mean the http://ftp.mozilla.org then that is not FTP as FTP used to be ftp://ftp.mozilla.org
James said
There is no FTP server as Mozilla disabled the ftp:// protocol on servers back on Aug 5th, 2015. If you mean the http://ftp.mozilla.org then that is not FTP as FTP used to be ftp://ftp.mozilla.org
The following is the only place I download FireFox from; https://ftp.mozilla.org/pub/firefox/releases/
James said
The files from https://archive.mozilla.org/pub/firefox/releases/115.0.3esr/win64/ should not have the mentioned above thing you may get (for Windows) if you downloaded from say https://www.mozilla.org/firefox/enterprise/
As mentioned above, the archive site is not used and will not be used for certain reasons. Additionally, I use the 32bit and 64bit versions of FireFox side-by-side for reasons I'm not going to detail here. Both setup files for each version are exhibiting the same checksum error problem as are all of the setup files for 115.0.2, 115.0.1 and 115.0.0. It is possible that the checksum failure is taking place on version 116.x.xb versions, however I never touch the beta builds.
For reference, the latest Thunderbird builds do not exhibit the checksum failure. https://ftp.mozilla.org/pub/thunderbird/releases/
This problem seems limited to the recent builds of FireFox.
An gyara
James said
It is the reason though.
I have doubts of this. The reason is, earlier versions of FireFox do not exhibit the checksum failure. For example; https://ftp.mozilla.org/pub/firefox/releases/102.13.0esr/ None of these EXE's fail the checksum test.
The problem is not the download method, it is a change made to the files themselves when compiled, one that is disrupting the checksum calculations.
An gyara
Not sure why you are avoiding the archive.mozilla.org when I have never seen anything of concern about it over the years here and at mozillaZine forums. Mozilla prefers people link to say archive.mozilla.org or https://download-installer.cdn.mozilla.net/pub/firefox/releases/ to reduce the load on the (not ftp) https://ftp.mozilla.org
Keep in mind that there is Fx 115.0.2 for Release and Fx 115.0.2 for ESR for example so they will each have their own checksum. Right now there is actually a 115.0.3 ESR but not for Release channel currently as it is still at 115.0.2
As said if the (full offline) Firefox setup .exe from Mozilla.org website has the Unique Download Identifier then that can explain the different checksums.
If you download from a mozilla org page you may get the small online stub installer and not the full offline setup as you can get from www.mozilla.org/firefox/all/ . This of course is not a issue for macOS or Linux users.
James said
Keep in mind that there is Fx 115.0.2 for Release and Fx 115.0.2 for ESR for example so they will each have their own checksum. Right now there is actually a 115.0.3 ESR but not for Release channel currently as it is still at 115.0.2
https://ftp.mozilla.org/pub/firefox/releases/115.0.3esr/
James said
As said if the (full offline) Firefox setup .exe from Mozilla.org website has the Unique Download Identifier then that can explain the different checksums.
If that was the problem, then all EXE files for all versions of the FireFox download section would be affected. This has been tested to show not being the the case. Only the most recent versions are affected, from 112.x.x forward.
cor-el said
See also:
That might be part of the problem, seems plausible. Only the Dev team would know for sure. They really need to be the ones looking into this, specifically the persons responsible for compiling the setup package.
More than a decade ago, this same problem was happening. It took some time but the Dev team figured it out, updated all the setup files and the problem was solved. I suspect that it might be a similar problem.
Update on the situation, the newest release of the ESR 102.14.0, both 32 and 64 bit, pass the check-sum test when extracted.
The newest 115.1.0 ESR does not.
See screenshot. So this problem continues. It affecting the 115.x.xESR package, but not the older 102.x.xESR package.
@Devs, This seems less like a compiler problem and more like a payload problem. Please resolve this issue soon.
An gyara
Update, version 115.3.1esr, both 32bit and 64bit are still failing checksum testing. This continues to be true regardless of the location the files are downloaded from. As before, the 102.X.X ESR version do not fail checksum tests.
@Mozilla Devs, This needs to be resolved as moving forward to the 115 ESR versions is important for users and a failing checksum is a deal breaker.
An gyara