Checksum for Firefox ESR 78.6.1 - Software Supply Chain Security

  • 4 replies
  • 1 has this problem
  • 4 views
  • Last reply by linden1

With concerns about supply chain security, I would like the ability to ensure that the file download matches a recognized checksum.

Downloading from: https://www.mozilla.org/en-US/firefox/78.6.1/releasenotes/ yields checksum SHA256 55249C4861FE521CB32D72785481A146B64812AF2ECE7341FAAA5C79ABC0F395

This does not match any of the checksums available at: https://archive.mozilla.org/pub/firefox/releases/78.6.1esr/

Best practice would be to publish the official checksum along with the release notes.

Is there another way to close the loop on this?

Modified by linden1

All Replies (4)

I have given up expecting an answer to this question.

I have asked a similar question: https://support.mozilla.org/en-US/questions/1327013

There are no checksums for the small installer, only for the full installer.

Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from the internet? Did you compare the file size (51 MB)?

cor-el said

There are no checksums for the small installer, only for the full installer. Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from the internet? Did you compare the file size (51 MB)?

Yes.

I note downloading the latest from your link https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/ yields SHA256 of: CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E which matches the record https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS

However downloading from the main website https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr yields SHA256 of: 09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D

File size is different 53,121 KB vs 53,121 KB respectively. I would be more comfortable if the CDN version matched the main webpage version, or at least an explanation for it.

@cor-el Yes, the issue could be characterized as why don't the SHA256 match between the main website and the CDN version.

Downloads of win64/en-US/Firefox Setup 78.8.0esr.exe from each location:

  • https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/
  • https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr

SHA256 of each respectively are:

  • CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E
  • 09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D

File size of each respectively are:

  • 53,121 KB
  • 53,121 KB

Whilst the CDN matches the SHA on record @ https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS I'd prefer it if it matched the download from the main site.
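
The check this thread is about, hashing a downloaded installer and looking it up in the release's SHA256SUMS file, written out as an added example (not from any poster or from Mozilla). It assumes the manifest uses the sha256sum layout of hex digest, whitespace, relative path; the function names, file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def parse_sums(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <relative path>'."""
    entries = {}
    for line in text.splitlines():
        digest, _, path = line.strip().partition(" ")
        path = path.lstrip(" *")  # '*' is sha256sum's binary-mode marker
        if len(digest) == 64 and path:
            entries[path] = digest.lower()  # tools differ in hex case
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a large installer is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(file_path, manifest_text, key):
    """Return 'match', 'mismatch', 'other-entry' or 'unlisted' for one download."""
    entries = parse_sums(manifest_text)
    digest = sha256_file(file_path)
    if key not in entries:
        return "unlisted"
    if digest == entries[key]:
        return "match"
    # The bytes are a published build, just not the one named by `key`.
    return "other-entry" if digest in entries.values() else "mismatch"

def demo():
    """Constructed data: three stand-in 'installers' and a manifest for two."""
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (os.path.join(d, n) for n in ("a.exe", "b.exe", "c.exe"))
        for p, data in ((a, b"build-A"), (b, b"build-B"), (c, b"repacked")):
            with open(p, "wb") as f:
                f.write(data)
        manifest = (f"{sha256_file(a).upper()}  win64/en-US/setup.exe\n"
                    f"{sha256_file(b)}  win32/en-US/setup.exe\n")
        key = "win64/en-US/setup.exe"
        return [verify(a, manifest, key), verify(b, manifest, key),
                verify(c, manifest, key), verify(a, manifest, "nope.exe")]

if __name__ == "__main__":
    print(demo())
```

A "mismatch" result means the bytes are not listed anywhere in the manifest, which is the situation described for the main-site download; "other-entry" means the file is a published build filed under a different path.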