
are there checksums available ?

Open ilia-shipitsin opened this issue 2 years ago • 21 comments

hello,

In the GitHub runner images team we are looking into improving the supply chain. Are there checksums available (or something else maybe)?

cheers

ilia-shipitsin avatar Oct 13 '23 12:10 ilia-shipitsin

We have those only for the Linux platforms at the moment. For MacOS and Windows the builds are signed and as such we didn't see a need. I assume you need them for all platforms? Which kind of checksum is preferred?

whimboo avatar Oct 16 '23 09:10 whimboo

yep, we are looking for checksum validation on linux binaries

ilia-shipitsin avatar Oct 19 '23 15:10 ilia-shipitsin

as for checksum algo, our security engineers approved SHA256 or SHA512

ilia-shipitsin avatar Oct 19 '23 15:10 ilia-shipitsin

If you are looking for Linux only then the PGP signatures that we ship beside the binaries aren't enough or you cannot use due to restrictions?

whimboo avatar Oct 24 '23 07:10 whimboo

We missed the PGP signatures. Can you help with the URL?

We download geckodriver from GitHub releases.

ilia-shipitsin avatar Oct 24 '23 11:10 ilia-shipitsin

Please check the assets for each release like: https://github.com/mozilla/geckodriver/releases/tag/v0.33.0. There you will find files with the .asc extension: geckodriver-v0.33.0-linux32.tar.gz.asc.

If that is all what you need and it works feel free to close the issue. Thanks!

whimboo avatar Oct 24 '23 12:10 whimboo

Thanks, give me a couple of days.

ilia-shipitsin avatar Oct 24 '23 13:10 ilia-shipitsin

> Please check the assets for each release like: https://github.com/mozilla/geckodriver/releases/tag/v0.33.0. There you will find files with the .asc extension: geckodriver-v0.33.0-linux32.tar.gz.asc.
>
> If that is all what you need and it works feel free to close the issue. Thanks!

@whimboo If I understand correctly, it is a file signature (I am a little bit confused, because it usually has a .sig extension). Anyway, it's an acceptable checksum alternative. Can you please help with receiving the "public PGP signature"? Do you have some guideline or documentation for it? Thank you

sergei-pyshnoi avatar Oct 24 '23 15:10 sergei-pyshnoi

> Please check the assets for each release like: https://github.com/mozilla/geckodriver/releases/tag/v0.33.0. There you will find files with the .asc extension: geckodriver-v0.33.0-linux32.tar.gz.asc. If that is all what you need and it works feel free to close the issue. Thanks!

> @whimboo If I understand correctly, it is a file signature (I am a little bit confused, because it usually has a .sig extension). Anyway, it's an acceptable checksum alternative. Can you please help with receiving the "public PGP signature"? Do you have some guideline or documentation for it? Thank you

We basically just use what our CI system generates. And so far this exact question didn't come up yet.

@bhearsum could you give some insights in how to get the public GPG key that is used to generate the signature files (.asc) so that the downloaded geckodriver binary can be verified? Thanks!

whimboo avatar Oct 24 '23 18:10 whimboo

It looks like those are signed with the same key as Firefox, which can be found in dirs like https://archive.mozilla.org/pub/firefox/releases/118.0/KEY or at https://keys.openpgp.org/search?q=release%40mozilla.com.

bhearsum avatar Oct 24 '23 18:10 bhearsum

> It looks like those are signed with the same key as Firefox, which can be found in dirs like https://archive.mozilla.org/pub/firefox/releases/118.0/KEY or at https://keys.openpgp.org/search?q=release%40mozilla.com.

I tried to validate with the provided public keys, but received an error that the key is expired.

```
gpg: Signature made Mon Apr  3 00:01:05 2023 CEST
gpg:                using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D
gpg: Good signature from "Mozilla Software Releases <release@mozilla.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3  7B6D 61B7 B526 D98F 0353
     Subkey fingerprint: 4360 FE21 09C4 9763 186F  8E21 EBE4 1E90 F6F1 2F6D
```

sergei-pyshnoi avatar Oct 25 '23 13:10 sergei-pyshnoi

Yeah. Those packages were built and signed about a month before that GPG key expired - so as far as I know that's expected.

The next version that is built and published will be signed with a newer key (also available in the KEY file).

bhearsum avatar Oct 25 '23 13:10 bhearsum

Thanks for explanation!

sergei-pyshnoi avatar Oct 25 '23 13:10 sergei-pyshnoi

Hm, that opens the question whether we really should use the PGP key for the signature file or just create our own checksum file based e.g. on SHA512. This would not cause issues like the above when users try to download a recent or older geckodriver release.

@jgraham what do you think?

whimboo avatar Oct 27 '23 07:10 whimboo

They provide quite different properties, right?

The PGP signature should allow you to validate that the binary you have is identical to one that was signed by Mozilla.

A checksum only really allows validating that you didn't get a corrupted download (because if you trust that what you download from the release page is real/correct then you can just directly check against that to ensure you have the correct binary; if you don't trust that you also can't trust the checksum, so it doesn't add any additional value).

It looks like the keys are typically valid for two years. I think the only reason this affects geckodriver more than Firefox is that we have a more irregular release schedule. But maybe we can figure out a way to re-sign the current version with the new key if the key used at the time of initial release expires?

jgraham avatar Oct 27 '23 09:10 jgraham

@bhearsum is re-signing possible? I assume we would have to check-out the revision of mozilla-central that we originally used for the release, but it's not clear if the new PGP key will be used by the signing tasks.

whimboo avatar Nov 08 '23 09:11 whimboo

> @bhearsum is re-signing possible? I assume we would have to check-out the revision of mozilla-central that we originally used for the release, but it's not clear if the new PGP key will be used by the signing tasks.

New signing tasks would get new signatures with the recent keys, yes.

bhearsum avatar Nov 13 '23 14:11 bhearsum

> It looks like those are signed with the same key as Firefox

Wouldn't it be useful to explicitly add this to the README?

> can be found in dirs like https://archive.mozilla.org/pub/firefox/releases/118.0/KEY or at https://keys.openpgp.org/search?q=release%40mozilla.com.

Since keys change, for convenience it would be nice to add the Firefox key straight to each release, or at least link to them on the Mozilla website. Nobody would have to do additional web searches or dig through GitHub issues to find this.

toolonely avatar Dec 19 '23 08:12 toolonely

So the KEY files seem to have been updated back to the 114.0 release:

https://archive.mozilla.org/pub/firefox/releases/114.0/KEY
https://archive.mozilla.org/pub/firefox/releases/113.0/KEY

But with regard to referencing the up-to-date key, we probably want to add a link to the PGP key at keys.openpgp.org instead.

Not sure if we should re-build geckodriver releases and modify the binaries at a later time. It would be better to just get a new release of geckodriver out as built with the new key.

@bhearsum what do you think?

whimboo avatar Feb 01 '24 09:02 whimboo

Does anyone have a link to example code demonstrating how to fetch the tarball and verify its signature from a Dockerfile?

basil avatar Jul 29 '24 21:07 basil

Here you go:

```dockerfile
# Install only what is needed to fetch and verify the release.
RUN DEBIAN_FRONTEND=noninteractive apt update \
  && apt install -y --no-install-recommends \
      wget \
      gnupg \
      ca-certificates \
      xz-utils \
  && apt clean \
  && rm -rf /var/lib/apt/lists/*

ARG VERSION_GECKODRIVER="0.31.0"
ARG BINARY="https://github.com/mozilla/geckodriver/releases/download/v${VERSION_GECKODRIVER}/geckodriver-v${VERSION_GECKODRIVER}-linux64.tar.gz"
ARG SIGNATURE="${BINARY}.asc"
# Primary fingerprint of the Mozilla Software Releases key (pinned, not just a short key ID).
ARG FINGERPRINT="14F26682D0916CDD81E37B6D61B7B526D98F0353"

WORKDIR /app
# Fetch the pinned key, download tarball and detached signature, then require a
# VALIDSIG status line whose last field (the primary-key fingerprint) matches the pin.
RUN gpg --keyserver hkps://keys.openpgp.org --recv-keys ${FINGERPRINT} \
  && wget --show-progress --progress=bar:force:noscroll ${SIGNATURE} ${BINARY} \
  && gpg --status-fd 1 --verify ${SIGNATURE##*/} ${BINARY##*/} 2>/dev/null \
       | grep -q "^\[GNUPG:\] VALIDSIG.*${FINGERPRINT}\$" || exit 1 \
  && tar -xzvf ${BINARY##*/} \
  && rm ${BINARY##*/} ${SIGNATURE##*/}
```

jamesfpb avatar Aug 13 '24 05:08 jamesfpb
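As an added example (not code from the thread or from the geckodriver project), this POSIX sh check complements the Dockerfile's grep on VALIDSIG and the expired-key exchange above: it pins the primary fingerprint and distinguishes a key that expired after signing (tolerated, as the maintainers explain) from a signature made with an already-expired key (rejected). The status lines it is run against are constructed to resemble gpg's `--status-fd` output, not captured from a real verification.

```shell
# Pinned primary fingerprint of the Mozilla Software Releases key (quoted in the thread).
PINNED_FPR="14F26682D0916CDD81E37B6D61B7B526D98F0353"

# Usage: gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | check_gpg_status "$PINNED_FPR"
# Returns 0 only if a VALIDSIG line carries the pinned primary fingerprint as its
# last field and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG/NO_PUBKEY line appeared.
# KEYEXPIRED alone is tolerated: gpg emits it next to GOODSIG when the key expired
# after the signature was made (the "Good signature ... This key has expired!"
# case in the thread). EXPKEYSIG, a key already expired at signing time, is rejected.
check_gpg_status() {
    pinned="$1"; ok=0; bad=0
    set -f   # no globbing while splitting status lines into fields
    while IFS= read -r line; do
        set -- $line
        [ "$1" = "[GNUPG:]" ] || continue
        case "$2" in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) bad=1 ;;
            VALIDSIG) for w in $line; do last="$w"; done   # last field = primary fpr
                      [ "$last" = "$pinned" ] && ok=1 ;;
        esac
    done
    set +f
    [ "$ok" = 1 ] && [ "$bad" = 0 ]
}

# Constructed status lines (SIG_ID and timestamps are made up) for the thread's
# case: signature made before the key expired, so GOODSIG + KEYEXPIRED + VALIDSIG.
status_good_but_key_expired() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1685000000
[GNUPG:] SIG_ID constructedSigId 2023-04-02 1680472865
[GNUPG:] GOODSIG EBE41E90F6F12F6D Mozilla Software Releases <release@mozilla.com>
[GNUPG:] VALIDSIG 4360FE2109C49763186F8E21EBE41E90F6F12F6D 2023-04-02 1680472865 0 4 0 1 10 00 14F26682D0916CDD81E37B6D61B7B526D98F0353
EOF
}

# Constructed: a good signature, but from an unrelated key (fingerprints made up).
status_valid_other_key() { cat <<'EOF'
[GNUPG:] GOODSIG 0000000000000001 Somebody Else <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2023-04-02 1680472865 0 4 0 1 10 00 0000000000000000000000000000000000000002
EOF
}

# Constructed: the key was already expired when the signature was made.
status_expired_at_signing() { cat <<'EOF'
[GNUPG:] EXPKEYSIG EBE41E90F6F12F6D Mozilla Software Releases <release@mozilla.com>
EOF
}
```

Pinning the primary fingerprint in the last VALIDSIG field matters because the first field is the signing subkey, which rotates independently of the primary key.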