Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

are thunderbird partial.mar.asc files available

  • 6 replies
  • 1 has this problem
  • 1 view
  • Last reply by JoeB

more options

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux.

But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg.

Mozilla's signing key is already on my keyring and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

Why aren't there (or are there) .asc signature files available for thunderbird partial updates, like for Firefox? Here, https://ftp.mozilla.org/pub/firefox/releases/53.0/update/linux-x86_64/en-US/ there are firefox-52.0.2-53.0.partial.mar AND firefox-52.0.2-53.0.partial.mar.asc files, to verify integrity of downloads using gpg in Linux. But no such .asc files for Thunderbird partial.mar updates, though some really old posts (Tb 1.x or 3.x) indicated there (may) used to be. There are KEY files (all caps) with the Thunderbird files, but I've not found anything on using them with gpg. Mozilla's signing key is <b>already on my keyring</b> and verifying Fx downloads is easy. I believe that signing key also covers Tbird, but the way I learned it, you need a ".asc" or ".sig" file to use with gpg. Such as: ~/$ gpg --verify firefox-52.0.2-53.0.partial.mar.asc firefox-52.0.2-53.0.partial.mar

Modified by JoeB

All Replies (6)

more options

You should ask your question here; https://support.mozilla.org/en-US/products/thunderbird

more options
more options

Thanks, for moving this to the right section. Cor-el, what am I looking at in your link? There isn't any thunderbird-52.3.0.partial.mar.asc at your link. The (public) KEY file isn't the same as a signature (.asc) file.

Does Mozilla not sign Tb partial or full versions anymore? (they used to provide .asc files). They even provide signature (.asc) files for Fx nightlies.

Why would they bother to sign Firefox & not Thunderbird?

more options

Should I file a bug on bugzilla, to possibly get an answer? Seems no one (yet) on Mozilla.org or Mozillazine knows why the .asc signature files were eliminated for Tb, but not for Fx.

I hope people aren't using this unsecured server to D/L - AND - not verify the files authenticity w/ gpg / pgp: http://download-origin.cdn.mozilla.net/pub/thunderbird/nightly/2017/09/2017-09-09-03-02-06-comm-central/.

more options
more options

Thanks cor-el. No one can be "advanced" on all topics. Checksums are only useful for verifying there were no data errors in downloading a file. Checksums are not useful to verify that the file you downloaded is the same one that the developer made.

IOW, Checksums don't show (at all ) that the server wasn't hacked & a modified file replaced the original one. Which happens, even to large developers. More than people think.

I'm looking for digital signature *.asc files for Tb, the same as are available for Firefox. Even Fx nightlies.

Using GPG or PGP, the signature files are used to verify the file you got is from the developer & not tampered with by anyone else. They usually have the same name as the data file, with .asc or .sig added suffix.