Checksum for Firefox ESR 78.6.1 - Software Supply Chain Security

  • 4 replies
  • 1 has this problem
  • 2 views
  • Last reply by linden1

With concerns about supply chain security, I would like the ability to ensure that the file download matches a recognized checksum.

Downloading from: https://www.mozilla.org/en-US/firefox/78.6.1/releasenotes/ yields checksum SHA256 55249C4861FE521CB32D72785481A146B64812AF2ECE7341FAAA5C79ABC0F395

This does not match any of the checksums available at: https://archive.mozilla.org/pub/firefox/releases/78.6.1esr/

Best practice would be to publish the official checksum along with the release notes.

Is there another way to close the loop on this?

Modified by linden1

All Replies (4)

I have given up expecting an answer to this question.

I have asked a similar question: https://support.mozilla.org/en-US/questions/1327013

There are no checksums for the small installer, only for the full installer.

Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from the internet? Did you compare the file size (51 MB)?

cor-el said

There are no checksums for the small installer, only for the full installer. Are you sure you got the full Firefox installer and not the small stub installer that downloads additional files from the internet? Did you compare the file size (51 MB)?

Yes.

I note downloading the latest from your link https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/ yields SHA256 of: CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E which matches the record https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS

However downloading from the main website https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr yields SHA256 of: 09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D

File size is different 53,121 KB vs 53,121 KB respectively. I would be more comfortable if the CDN version matched the main webpage version, or at least an explanation for it.

@cor-el Yes, the issue could be characterized as why don't the SHA256 match between the main website and the CDN version.

Downloads of win64/en-US/Firefox Setup 78.8.0esr.exe from each location:
https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/win64/en-US/
https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr

SHA256 of each respectively are:
CF9E4278D38DC7665C4877DEDCD5EB869206619A8F7EEBE7DECE0A3EB490790E
09103F716E60E98D9F444E0E93E37048D0BA1FC80B68EDA85A038CE65F2C348D

File size of each respectively are:
53,121 KB
53,121 KB

Whilst the CDN matches the SHA on record @ https://download-installer.cdn.mozilla.net/pub/firefox/releases/78.8.0esr/SHA256SUMS I'd prefer it if it matched the download from the main site.
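
Added example (not part of the thread and not Mozilla's code): one way to do the comparison discussed above, hashing a downloaded file and checking it against a sha256sum-style list such as the SHA256SUMS file linked in the replies, including a reverse lookup of which listed path, if any, a digest belongs to. The line format (`<digest>  <relative path>`), the function names, and the sample bytes and file name are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a ~50 MB installer is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text):
    """Parse '<64 hex chars>  <relative path>' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)  # the path itself may contain spaces
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX:
            continue  # skip blank lines and anything that is not a checksum entry
        entries[parts[1].lstrip("*")] = parts[0].lower()  # '*' marks binary mode
    return entries


def matching_entries(digest_hex, entries):
    """Every listed path whose digest equals digest_hex (case-insensitive)."""
    wanted = digest_hex.strip().lower()
    return sorted(name for name, d in entries.items() if d == wanted)


def verify(path, sums_text, expected_name):
    """Return (ok, actual_digest, paths_in_the_list_with_that_digest)."""
    entries = parse_sums(sums_text)
    actual = sha256_file(path)
    return entries.get(expected_name) == actual, actual, matching_entries(actual, entries)


if __name__ == "__main__":
    data = b"constructed installer bytes"  # constructed stand-in for a download
    name = "win64/en-US/Example Setup 1.0.exe"  # hypothetical list entry
    # Upper-case digest, as many Windows tools print it; parse_sums normalises it.
    sums = hashlib.sha256(data).hexdigest().upper() + "  " + name + "\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    print(verify(tmp.name, sums, name))
    os.unlink(tmp.name)
```

An empty third element in the result means the file's digest appears nowhere in the list, which is the situation described in the original question.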