are thunderbird partial.mar.asc files available
Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux.
But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg.
Mozilla's signing key is already on my keyring and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar
Modified by JoeB
All Replies (6)
You should ask your question here; https://support.mozilla.org/en-US/products/thunderbird
Thanks, for moving this to the right section. Cor-el, what am I looking at in your link? There isn't any thunderbird-52.3.0.partial.mar.asc at your link. The (public) KEY file isn't the same as a signature (.asc) file.
Does Mozilla not sign Tb partial or full versions anymore? (they used to provide .asc files). They even provide signature (.asc) files for Fx nightlies.
Why would they bother to sign Firefox & not Thunderbird?
Should I file a bug on bugzilla, to possibly get an answer? Seems no one (yet) on Mozilla.org or Mozillazine knows why the .asc signature files were eliminated for Tb, but not for Fx.
I hope people aren't using this unsecured server to D/L - AND - not verify the files authenticity w/ gpg / pgp: http://download-origin.cdn.mozilla.net/pub/thunderbird/nightly/2017/09/2017-09-09-03-02-06-comm-central/.
There are checksum files available.
Use the HTTPS protocol. There are checksum files available here as well.
Why not use this link?
Thanks cor-el. No one can be "advanced" on all topics. Checksums are only useful for verifying there were no data errors in downloading a file. Checksums are not useful to verify that the file you downloaded is the same one that the developer made.
IOW, Checksums don't show (at all ) that the server wasn't hacked & a modified file replaced the original one. Which happens, even to large developers. More than people think.
I'm looking for digital signature *.asc files for Tb, the same as are available for Firefox. Even Fx nightlies.
Using GPG or PGP, the signature files are used to verify the file you got is from the developer & not tampered with by anyone else. They usually have the same name as the data file, with .asc or .sig added suffix.