Checksum for Firefox ESR 78.6.1 - Software Supply Chain Security
With concerns about supply chain security, I would like the ability to ensure that the file download matches a recognized checksum.
Downloading from: https://www.mozilla.org/en-US/firefox/78.6.1/releasenotes/ yields checksum SHA256 55249C4861FE521CB32D72785481A146B64812AF2ECE7341FAAA5C79ABC0F395
This does not match any of the checksums available at: https://archive.mozilla.org/pub/firefox/releases/78.6.1esr/
Best practice would be to publish the official checksum along with the release notes.
Is there another way to close the loop on this?
Edeziri
All Replies (4)
I have given up expecting an answer to this question.
I have asked a similar question: https://support.mozilla.org/en-US/questions/1327013
There are no checksums for the small installer, only for the full installer.
Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from internet ? Did you compare the file size (51 MB) ?
cor-el said
There are no checksums for the small installer, only for the full installer. Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from internet ? Did you compare the file size (51 MB) ?
Yes.
I note downloading the latest from your link https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/ yields SHA256 of: CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E which matches the record https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS
However downloading from the main website https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr yields SHA256 of: 09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D
File size is different 53,121 KB vs 53,121 KB respectively. I would be more comfortable if the CDN version matched the main webpage version, or at least an explanation for it.
@cor-el Yes, the issue could be characterized as why don't the SHA256 match between the main website and the CDN version.
Downloads of win64/en-US/Firefox Setup 78.8.0esr.exe from each location: https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/ https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr
SHA256 of each respectively are: CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E 09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D
File size of each respectively are: 53,121 KB 53,121 KB
Whilst the CDN matches the SHA on record @ https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS I'd prefer it it matched the download from the main site.