We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Avatar for Username

Поиск в Поддержке

Избегайте мошенников, выдающих себя за службу поддержки. Мы никогда не попросим вас позвонить, отправить текстовое сообщение или поделиться личной информацией. Сообщайте о подозрительной активности, используя функцию «Пожаловаться».

Подробнее

Эта тема была архивирована. Если вам нужна помощь, задайте новый вопрос.

New PGP keyy?

  • 2 ответа
  • 1 имеет эту проблему
  • 13 просмотров
  • Последний ответ от rjmx

rjmx
rjmx
more options

I have an automated process to download new Mozilla releases: It downloads them, downloads the SHA file, checks the SHA file's PGP signature, then checks the file's SHA hash.

Today, while downloading Firefox 89.0, It bombed out, telling me that the signing key is "4360FE2109C49763186F8E21EBE41E90F6F12F6D", and that I don't have that public key.

No problem, I thought. Mozilla's probably just got a new signing key. I'll just grab a copy from the keyservers.

But I can't. It doesn't appear on any of the three keyservers I tried (MIT, PGP Global Directory, or key-server.io). Have I missed something? If it's only available on the Mozilla website, that doesn't sound very safe. PGP public keys are supposed to be, well, publicly available.

So where's the key?

I have an automated process to download new Mozilla releases: It downloads them, downloads the SHA file, checks the SHA file's PGP signature, then checks the file's SHA hash. Today, while downloading Firefox 89.0, It bombed out, telling me that the signing key is "4360FE2109C49763186F8E21EBE41E90F6F12F6D", and that I don't have that public key. No problem, I thought. Mozilla's probably just got a new signing key. I'll just grab a copy from the keyservers. But I can't. It doesn't appear on any of the three keyservers I tried (MIT, PGP Global Directory, or key-server.io). Have I missed something? If it's only available on the Mozilla website, that doesn't sound very safe. PGP public keys are supposed to be, well, publicly available. So where's the key?

Все ответы (2)

TyDraniu
TyDraniu
  • Top 10 Contributor
more options

See https://blog.mozilla.org/security/2021/06/02/updating-gpg-key-for-signing-firefox-releases/

PS. TL;DR

Изменено TyDraniu

rjmx
rjmx Задавший вопрос
more options

Ah. I see. Thanks.

So that temporarily solves the problem.

However, publishing it only on the mozilla website is not safe. An attacker could mirror the entire Mozilla website, then add their own malicious code to, say, Firefox, and sign it with another key, even putting that key in the KEY file. They could could redirect people to their website, say with a DNS hack, and we'd be none the wiser.

Why is it so difficult to upload the updated key to public keyservers?