搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

are thunderbird partial.mar.asc files available

  • 6 回覆
  • 1 有這個問題
  • 1 次檢視
  • 最近回覆由 JoeB

more options

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux.

But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg.

Mozilla's signing key is already on my keyring and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux. But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg. Mozilla's signing key is <b>already on my keyring</b> and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

由 JoeB 於 修改

所有回覆 (6)

more options

You should ask your question here; https://support.mozilla.org/en-US/products/thunderbird

more options
more options

Thanks, for moving this to the right section. Cor-el, what am I looking at in your link? There isn't any thunderbird-52.3.0.partial.mar.asc at your link. The (public) KEY file isn't the same as a signature (.asc) file.

Does Mozilla not sign Tb partial or full versions anymore? (they used to provide .asc files). They even provide signature (.asc) files for Fx nightlies.

Why would they bother to sign Firefox & not Thunderbird?

more options

Should I file a bug on bugzilla, to possibly get an answer? Seems no one (yet) on Mozilla.org or Mozillazine knows why the .asc signature files were eliminated for Tb, but not for Fx.

I hope people aren't using this unsecured server to D/L - AND - not verify the files authenticity w/ gpg / pgp: http://download-origin.cdn.mozilla.net/pub/thunderbird/nightly/2017/09/2017-09-09-03-02-06-comm-central/.

more options
more options

Thanks cor-el. No one can be "advanced" on all topics. Checksums are only useful for verifying there were no data errors in downloading a file. Checksums are not useful to verify that the file you downloaded is the same one that the developer made.

IOW, Checksums don't show (at all ) that the server wasn't hacked & a modified file replaced the original one. Which happens, even to large developers. More than people think.

I'm looking for digital signature *.asc files for Tb, the same as are available for Firefox. Even Fx nightlies.

Using GPG or PGP, the signature files are used to verify the file you got is from the developer & not tampered with by anyone else. They usually have the same name as the data file, with .asc or .sig added suffix.