Checksum for Firefox ESR 78.6.1 - Software Supply Chain Security

  • 4 replies
  • 1 has this problem
  • 2 views
  • Last reply by linden1


With concerns about supply chain security, I would like the ability to ensure that the file download matches a recognized checksum.

Downloading from: https://www.mozilla.org/en-US/firefox/78.6.1/releasenotes/ yields checksum SHA256 55249C4861FE521CB32D72785481A146B64812AF2ECE7341FAAA5C79ABC0F395

This does not match any of the checksums available at: https://archive.mozilla.org/pub/firefox/releases/78.6.1esr/

Best practice would be to publish the official checksum along with the release notes.

Is there another way to close the loop on this?


Modified by linden1

All Replies (4)


I have given up expecting an answer to this question.

I have asked a similar question: https://support.mozilla.org/en-US/questions/1327013


There are no checksums for the small installer, only for the full installer.

Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from the internet? Did you compare the file size (51 MB)?


cor-el said

There are no checksums for the small installer, only for the full installer. Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from the internet? Did you compare the file size (51 MB)?

Yes.

I note downloading the latest from your link https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/ yields SHA256 of: CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E which matches the record https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS

However downloading from the main website https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr yields SHA256 of: 09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D

File size is different 53,121 KB vs 53,121 KB respectively. I would be more comfortable if the CDN version matched the main webpage version, or at least an explanation for it.


@cor-el Yes, the issue could be characterized as why don't the SHA256 match between the main website and the CDN version.

Downloads of win64/en-US/Firefox Setup 78.8.0esr.exe from each location:
https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/
https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr

SHA256 of each respectively are:
CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E
09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D

File size of each respectively are:
53,121 KB
53,121 KB

Whilst the CDN matches the SHA on record @ https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS I'd prefer it if it matched the download from the main site.
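
The comparison discussed in this thread, as an added example that is not part of the original posts and is not Mozilla's tooling: it parses a SHA256SUMS-style manifest, hashes a local file, and reports whether the file matches its expected entry, matches a different listed entry, or is not listed at all. The manifest contents, file bytes and the `mac/...` path are constructed for the demo; only the entry name `win64/en-US/Firefox Setup 78.8.0esr.exe` comes from the thread.

```python
import hashlib
import os
import tempfile

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {path: lowercase hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)   # paths may contain spaces
        if len(parts) == 2 and len(parts[0]) == 64:
            # A leading '*' marks binary mode in sha256sum output; drop it.
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large installer is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_download(path, manifest_text, entry):
    """Compare a local file with the manifest entry it is supposed to be."""
    entries = parse_sha256sums(manifest_text)
    actual = sha256_file(path)
    if entries.get(entry) == actual:
        return "match"
    # Same bytes as a different listed file (wrong platform, locale or build)?
    for other, digest in entries.items():
        if digest == actual:
            return "listed-as:" + other
    return "unlisted"   # e.g. a stub installer, or a file built separately

def demo():
    """Constructed data only: three fake downloads and a manifest listing two."""
    entry = "win64/en-US/Firefox Setup 78.8.0esr.exe"   # entry name from the thread
    blobs = {"full": b"constructed full installer",
             "mac": b"constructed other-platform build",
             "stub": b"constructed stub installer"}
    # Upper-case hex on the first line exercises case normalisation.
    manifest = (hashlib.sha256(blobs["full"]).hexdigest().upper() + "  " + entry + "\n"
                + hashlib.sha256(blobs["mac"]).hexdigest() + " *mac/en-US/Firefox.dmg\n")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in blobs.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = check_download(path, manifest, entry)
    return results
```

An "unlisted" result says only that the bytes differ from every file in that manifest; it does not say why, so the manifest and the download should be fetched from sources you trust independently of each other.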