Mozilla now signs Firefox downloads


A little bird recently told me some good news -- Mozilla Firefox is now digitally signed by "Mozilla Foundation." This means that Windows customers who want to download the self-installing executable with Internet Explorer can do so and be sure that what they downloaded was indeed Firefox and not some corrupt (or tampered with) download:

[Image: the signed-download dialog]

The cert was apparently issued just a couple of days after someone blogged about this issue... but maybe that's just a coincidence ;-)

  • First reaction: Oh (expletive deleted). Moz is using Authenticode too.

    On further study: So they forked out the cash to Verisign for a signing key pair. Issued on Christmas Eve 2004. They didn't bother reading about timestamping, either. If anyone in the Mozilla camp happens to read this, it's pretty easy to timestamp using either signcode.exe (old, going away soon) or signtool.exe (newer, gonna be here for a while). Currently Verisign offers a free timestamping service. Here's the URL to pass to one of these signing tools: http://timestamp.verisign.com/scripts/timstamp.dll

    Only the big self-extracting .exe is signed. This should make their "switch" user experience better: when users download the .exe, they won't get the nasty warning about unsigned content anymore.
    The files inside aren't Authenticode signed. We can assume they're good when they're extracted, but determining whether or not your Firefox install has been tampered with after the fact still means manually checking the file hashes vs. the known-good ones.

    I think this means that Mozilla devs are using tools from Microsoft now. ;-)
  • Also, so that nobody thinks I was trying to criticize Mozilla, Firefox, FOSS, or whatever: that wasn't my intention. I wasn't trying to troll. Because I work on code signing I was interested to see what was signed (using the stuff I work on) and how.
    Additionally, I should point out that IMO Windows does a really bad job of letting the average user know which files they can trust, which ones they can't, and why. I'm not trying to throw stones at anyone from my own glass house.
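As an added example (not code from the original post or from any commenter), here is the defender-side version of the two checks the comment above describes: verifying the Authenticode signature and timestamp on the self-extracting .exe with Get-AuthenticodeSignature, and comparing the unsigned extracted files against a known-good hash list. The installer path, install directory and the hash manifest are placeholders; the expected signer name and the timestamp URL are the ones quoted on this page.

```powershell
# Added example, not part of the original post: verify a downloaded Firefox
# installer's Authenticode signature and timestamp, then check the extracted
# (unsigned) files against known-good hashes. Paths and hashes are placeholders.
#
# For reference, the signing-side command the commenter is describing is
# (run by the publisher, not the user):
#   signtool sign /f <cert.pfx> /p <pfx-password> /t http://timestamp.verisign.com/scripts/timstamp.dll <file.exe>
# and a command-line verification of the result is:
#   signtool verify /pa /v <file.exe>

param(
    [string]$Installer  = 'C:\Downloads\FirefoxSetup.exe',     # placeholder path
    [string]$InstallDir = 'C:\Program Files\Mozilla Firefox'   # placeholder path
)

# 1. Authenticode check on the self-extracting .exe.
$sig = Get-AuthenticodeSignature -FilePath $Installer

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}

# The post says the signer is "Mozilla Foundation"; a valid signature from
# some other publisher is not good enough.
if ($sig.SignerCertificate.Subject -notmatch 'Mozilla Foundation') {
    Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
    exit 1
}

# 2. Timestamp check. Without a countersignature from a timestamp authority,
# the signature stops validating once the signing certificate expires.
if ($null -eq $sig.TimeStamperCertificate) {
    Write-Warning 'Signature is not timestamped; it will not survive certificate expiry.'
} else {
    Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
}

# 3. The files inside the archive carry no Authenticode signature, so an
# after-the-fact tamper check means comparing hashes to a known-good list.
# These SHA-256 values are constructed placeholders, not real Firefox hashes;
# a real list would come from the vendor's published manifest.
$knownGood = @{
    'firefox.exe' = '<sha256-from-vendor-manifest>'
    'xul.dll'     = '<sha256-from-vendor-manifest>'
}

$problems = @()
foreach ($name in $knownGood.Keys) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path $path)) {
        $problems += "$name (missing)"
        continue
    }
    # Get-FileHash returns upper-case hex, so normalise the expected value too.
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $knownGood[$name].ToUpperInvariant()) {
        $problems += "$name (hash mismatch)"
    }
}

if ($problems.Count -gt 0) {
    Write-Warning "Tampered, missing or unexpected files: $($problems -join ', ')"
    exit 1
}
Write-Host 'Installer signature valid and installed files match the known-good hashes.'
```

Get-FileHash needs PowerShell 4.0 or later; on older systems the hash step would have to be done with a separate tool. The signature check covers only the installer, exactly as the comment says: once the files are extracted, nothing but the hash comparison tells you whether they were changed afterwards.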
  • Great work, Mr. Detective! The issue has been known since 2004! In December 2004 someone from blogs.msdn was saying that he can't trust FF because it's not signed. Others reported it long before that too.
    BTW: This page has a broken layout (comment writing block). How many days will it take you to correct this issue? And will it be a coincidence, since I told you about it?
  • Yet another reason to use it? :) *duck*
  • Maybe you should have another blog targeting Opera next time?
  • Hmmm, godaddy.com offer free certificates to open source projects.

    https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp

    Also
    http://weblogs.mozillazine.org/gerv/archives/007798.html
    is an interesting idea about simplifying some signed download processes. Once again Mozilla innovates with browser UI ideas!
  • hey, constructive criticism always helps. Enough blog posts like yours and Firefox will be even better than it is.
  • hmm, seeing so many "bashing posts" about Firefox, and IE still doesn't even get better. I guess IE developers like to criticize a lot; wonder when they're going to fully support CSS and web standards.
  • If you can't beat it, join it. ;)
  • i beat my meat :/
  • Hey Pete! check out iris' artwork from 98! cool eh? Hi Iris!
    http://www.duke.edu/web/museo/spring98/iris.html
  • Why aren't you posting anything any more?
  • Honestly dude, you are one of the most idiotic people I know. You obviously don't know S*** about computers, and you only argued the bad points of Firefox. If you went to argue the bad points of IE, well, let's just say I don't think anybody would have enough time to read the article... I also see they paid you to do this. S***, if somebody paid me I could argue the bad points of anything!