Verifying Firefox Download Integrity

  • 7 replies
  • 0 have this problem
  • 1 view
  • Last reply by 38345718546


https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/

The new GPG subkey’s fingerprint is ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274, and it expires 2025-05-04.

But when I import this key (certificate) with gpg4win, it shows me this fingerprint: 14F26682D0916CDD81E37B6D61B7B526D98F0353, which is the same one listed here: https://ftp.mozilla.org/pub/firefox/releases/114.0.1/KEY

Both keys have the same fingerprint when I import them from either of the above websites. Why does the key from the first link not match what the website says?

When I use the sha512.asc to verify the integrity of the downloaded Firefox installer, which I got here:

https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
https://ftp.mozilla.org/pub/firefox/releases/114.0.1/SHA512SUMS.asc

then the result is invalid. See attachment below.

Attached screenshots

All replies (7)


How do I verify the integrity of Firefox?! This must be a joke or something. I tried all three options now, downloaded Firefox plus the public key plus the sha512sum.asc, and none of those options can be verified.

Typical for Mozilla, isn't it.


No reply? So it's totally normal for Mozilla to host browsers without providing the ability to verify the integrity. Great.


Can't get any better from here


Note that in some cases you may get a Firefox installer with an extra __MOZCUSTOM__ section that thus has a different SHA256 sum and breaks the checksum test.

See also attribution:


See also attribution and distributionId:

Modified by cor-el


I've read through all the links you sent. From my understanding, the MOZCUSTOM section should only apply to Firefox ESR versions, unless this has changed now.

I can only repeat myself now: when downloading the public Firefox signing key from https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/ and importing it via GPG4Win, the key fingerprint is as follows: 14F26682D0916CDD81E37B6D61B7B526D98F0353. This key fingerprint DOES NOT match the one shared on the above link from Mozilla, which is: 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274. Simple, straightforward question: WHY is that? Why would Mozilla host a site dedicated to one purpose, to provide a signing key and its according fingerprint, when the fingerprint does not even match? I can't think of many reasons other than:

  • Mozilla just doesn't give a sh!t.
  • Something has been compromised.
  • Mozilla is trying to provide a false sense of security by providing a signing key, but those who take the effort to match the key's fingerprint will face the reality that the fingerprint doesn't match.

It cannot be asking too much for average users such as myself to be able to verify the integrity of our downloaded Firefox installers, yes or no?

I AM NOT here to have a debate that goes on and on and nothing comes out of it. I want to know right now what is going on and how I can finally verify the integrity of my downloaded Firefox installer.


I still don't have an answer to the question I originally asked: WHY does Mozilla show a fingerprint for their public key on their website that DOES NOT match the downloaded key's fingerprint, what the fk? No explanation whatsoever, this is crap, hope you are okay with me sharing this to a broad audience on YouTube. Such ignorance and stupidity from Mozilla must be exposed.
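
Added example, not part of any post in this thread and not Mozilla's code: the blog sentence quoted in the first post describes ADD7 0794 ... 3274 as a subkey fingerprint, while a key manager's certificate view normally shows the fingerprint of the primary key, so the Python below parses a GnuPG colon-format listing and reports which role a given fingerprint has. The sample listing is constructed and assumes both fingerprints belong to one certificate; only the two fingerprints and the 2025-05-04 expiry come from the thread, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format of
#   gpg --list-keys --with-colons --with-subkey-fingerprint
# Only the two fingerprints and the 2025-05-04 expiry come from the thread;
# creation times and capability letters are placeholders.
SAMPLE_LISTING = """\
pub:-:4096:1:61B7B526D98F0353:1400000000:::-:::scESC:
fpr:::::::::14F26682D0916CDD81E37B6D61B7B526D98F0353:
sub:-:4096:1:E36D3B13F3D93274:1680000000:1746316800:::::s:
fpr:::::::::ADD7079479700DCADFDD5337E36D3B13F3D93274:
"""

def normalize(fingerprint):
    """Drop spaces so 'ADD7 0794 ...' and 'ADD70794...' compare equal."""
    return re.sub(r"\s+", "", fingerprint).upper()

def parse_listing(listing):
    """Yield one dict per key; each subkey records its primary's fingerprint."""
    primary, pending = None, None
    for line in listing.splitlines():
        f = line.split(":") + [""] * 12          # pad short records
        if f[0] in ("pub", "sub"):
            pending = {"role": "primary" if f[0] == "pub" else "subkey",
                       "expires": f[6], "caps": f[11]}
        elif f[0] == "fpr" and pending is not None:
            pending["fpr"] = f[9]                # field 10 holds the fingerprint
            if pending["role"] == "primary":
                primary = f[9]
            pending["primary"] = primary
            yield pending
            pending = None

def classify(listing, fingerprint):
    """Return the matching key record, or None if the fingerprint is absent."""
    want = normalize(fingerprint)
    return next((k for k in parse_listing(listing) if k["fpr"] == want), None)

def expiry_date(record):
    """Expiry as YYYY-MM-DD (UTC), or None when the key does not expire."""
    raw = record["expires"]
    if not raw.isdigit():
        return None
    return datetime.fromtimestamp(int(raw), tz=timezone.utc).date().isoformat()

if __name__ == "__main__":
    for shown in ("ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274",
                  "14F26682D0916CDD81E37B6D61B7B526D98F0353"):
        rec = classify(SAMPLE_LISTING, shown)
        print(shown, "->", rec["role"], "of", rec["primary"], expiry_date(rec))
```

To check a real keyring, pass the output of the `gpg` command named in the comment to `classify` in place of `SAMPLE_LISTING`.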