
Mozilla now signs Firefox downloads

A little bird recently told me some good news -- Mozilla Firefox is now digitally signed by "Mozilla Foundation." This means that Windows customers who want to download the self-installing executable with Internet Explorer can do so and be sure that what they downloaded was indeed Firefox and not some corrupt (or tampered with) download:

[Image: signed download]

The cert was apparently issued just a couple of days after someone blogged about this issue... but maybe that's just a coincidence ;-)

Published Saturday, March 26, 2005 9:52 PM by ptorr

Comments

# re: Mozilla now signs Firefox downloads

First reaction: Oh (expletive deleted). Moz is using Authenticode too.

On further study: So they forked out the cash to Verisign for a signing key pair. Issued on Christmas Eve 2004. They didn't bother reading about timestamping, either. If anyone in the Mozilla camp happens to read this, it's pretty easy to timestamp using either signcode.exe (old, going away soon) or signtool.exe (newer, gonna be here for a while). Currently Verisign offers a free timestamping service. Here's the URL to pass to one of these signing tools: http://timestamp.verisign.com/scripts/timstamp.dll

Only the big self-extracting .exe is signed. This should make their "switch" user experience better: when users download the .exe, they won't get the nasty warning about unsigned content anymore.
The files inside aren't Authenticode signed. We can assume they're good when they're extracted, but to determine whether or not your Firefox install has been tampered with after the fact still means manually checking the file hashes vs the known-good ones.

I think this means that Mozilla devs are using tools from Microsoft now. ;-)
Saturday, March 26, 2005 8:07 PM by Drew
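
Added example, not part of the original post or its comments: a byte-level triage of a PE file that reports whether an Authenticode signature blob is attached and whether it carries a timestamp countersignature, the two properties the comment above discusses. It is a presence heuristic only and does not validate the signature or its chain; the function names and the constructed, header-only sample image are assumptions made for this illustration.

```python
import struct

# DER-encoded OIDs that mark a timestamp countersignature in the PKCS#7 blob.
OID_PKCS9_COUNTERSIGN = bytes.fromhex("06092a864886f70d010906")    # 1.2.840.113549.1.9.6
OID_RFC3161_COUNTERSIGN = bytes.fromhex("060a2b060104018237030301")  # 1.3.6.1.4.1.311.3.3.1
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def authenticode_status(pe: bytes) -> str:
    """Classify as 'not-pe', 'unsigned', 'signed-no-timestamp' or 'signed-timestamped'.
    Presence check only: the signature itself is NOT cryptographically verified."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    try:
        (magic,) = struct.unpack_from("<H", pe, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]        # data directories: PE32 / PE32+
        (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
        if count <= 4:
            return "unsigned"
        # Directory 4 is the certificate table; its "address" is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    except (struct.error, KeyError):
        return "not-pe"
    if offset == 0 or size < 8 or offset + size > len(pe):
        return "unsigned"
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not 8 <= length <= size:
        return "unsigned"
    blob = pe[offset + 8:offset + length]
    if OID_PKCS9_COUNTERSIGN in blob or OID_RFC3161_COUNTERSIGN in blob:
        return "signed-timestamped"
    return "signed-no-timestamp"

def sample_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed, header-only PE32 image for the demo; not a real installer."""
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    image += b"PE\0\0" + b"\0" * 20 + opt
    if cert_blob:
        struct.pack_into("<II", image, 0x40 + 24 + 96 + 4 * 8, len(image), 8 + len(cert_blob))
        image += struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 2) + cert_blob
    return bytes(image)
```

Running `authenticode_status` over each file in an extracted install directory shows which binaries carry no signature at all and therefore still need the hash comparison against known-good values.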

# re: Mozilla now signs Firefox downloads

Also, so that nobody thinks I was trying to criticize Mozilla, Firefox, FOSS, or whatever: that wasn't my intention. I wasn't trying to troll. Because I work on code signing I was interested to see what was signed (using the stuff I work on) and how.
Additionally, I should point out that IMO Windows does a really bad job of letting the average user know which files they can trust, which ones they can't, and why. I'm not trying to throw stones at anyone from my own glass house.
Saturday, March 26, 2005 8:07 PM by Drew

# re: Mozilla now signs Firefox downloads

Great work, Mr. Detective! The issue was known since 2004! In December 2004 someone from blogs.msdn was telling that he can't trust FF, because it's not signed. Others reported it long before that too.
BTW: This page has broken layout (comment writing block). How many days will it take you to correct this issue? And will it be coincidence, as I told you about it?
Sunday, March 27, 2005 11:01 AM by random stumbler

# re: Mozilla now signs Firefox downloads

Yet another reason to use it? :) *duck*
Sunday, March 27, 2005 3:42 PM by -

# re: Mozilla now signs Firefox downloads

Maybe you should have another blog targeting Opera next time?
Sunday, March 27, 2005 11:13 PM by Junfeng Zhang

# re: Mozilla now signs Firefox downloads

Hmmm, godaddy.com offers free certificates to open source projects.

https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp

Also
http://weblogs.mozillazine.org/gerv/archives/007798.html
is an interesting idea about simplifying some signed download processes. Once again Mozilla innovates with browser UI ideas!
Monday, March 28, 2005 4:59 PM by Ching

# re: Mozilla now signs Firefox downloads

Hey, constructive criticism always helps. Enough blog posts like yours and Firefox will be even better than it is.
Tuesday, March 29, 2005 1:06 PM by Frank

# re: Mozilla now signs Firefox downloads

Hmm, seeing so many "bashing posts" about Firefox, and IE still doesn't even get better, I guess IE developers like to criticize a lot. Wonder when they are going to fully support CSS and web standards.
Monday, April 04, 2005 11:15 AM by whatever

# re: Mozilla now signs Firefox downloads

If you can't beat it, join it. ;)
Thursday, April 07, 2005 11:48 PM by Don Wilson

# re: Mozilla now signs Firefox downloads

i beat my meat :/
Saturday, April 09, 2005 9:32 PM by Nickoladze

# re: Mozilla now signs Firefox downloads

Hey Pete! check out iris' artwork from 98! cool eh? Hi Iris!
http://www.duke.edu/web/museo/spring98/iris.html
Thursday, April 21, 2005 5:54 PM by MichaelT

# re: Mozilla now signs Firefox downloads

Why aren't you posting anything any more?
Wednesday, May 25, 2005 2:09 PM by Anonymous

# re: Mozilla now signs Firefox downloads

Honestly dude, you are one of the most idiotic people I know. You obviously don't know S*** about computers, and you only argued the bad points of Firefox. If you went to argue the bad points of IE, well, let's just say I don't think anybody would have enough time to read the article... I also see they paid you to do this. S***, if somebody paid me I could argue the bad points of anything!
Tuesday, July 12, 2005 5:57 PM by Brian