by sbi 4698 days ago
I see that Mozilla is now signing hashes of Firefox downloads with a 4096-bit RSA key. But the key used to sign firefox-23.0.tar.bz2 (id 0x057CC3EB15A0A4BC) is only self-signed and was created three weeks ago. It's not on pgp.mit.edu. Is there any actual way to "validate the authenticity of these keys in an out-of-band manner" as the KEYS file recommends?

The primary key is 2B90 598A 745E 992F 315E 22C5 8AB1 3296 3A06 537A, not 5445 390E F5D0 C2EC FB8A 6201 057C C3EB 15A0 A4BC.

If you search for the primary, it's there (at least it's on pgp.mit.edu as far as I can see). It's the primary that you need to trust for the trust to work.

For FF 23:

    gpg --verify SHA1SUMS.asc
    gpg: Signature made Tue 30 Jul 2013 09:32:39 PM PDT using RSA key ID 15A0A4BC
    gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 2B90 598A 745E 992F 315E 22C5 8AB1 3296 3A06 537A
         Subkey fingerprint: 5445 390E F5D0 C2EC FB8A 6201 057C C3EB 15A0 A4BC

    gpg --sign-key 0x8AB132963A06537A

    gpg --verify SHA1SUMS.asc
    gpg: Signature made Tue 30 Jul 2013 09:32:39 PM PDT using RSA key ID 15A0A4BC
    gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"

It is however, indeed, only self-signed right now as far as I can see.
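The comment above makes the key point for anyone scripting release verification: "Good signature" only says the signature is valid for some key in your keyring, and the key ID gpg prints (15A0A4BC) is the signing subkey, not the primary key whose fingerprint you actually need to have verified out of band. Instead of relying on `--sign-key` to silence the warning, tooling can pin the primary fingerprint and fail closed when it does not match. The following is an added example, not code from any poster in this thread or from Mozilla; it assumes `gpg` on PATH with the release key imported, and the status lines it ships with are constructed (only the fingerprints and key ID are taken from the thread). The parser uses gpg's documented `--status-fd` output, where the `VALIDSIG` line carries the signing key's fingerprint and, as its last field, the primary key's fingerprint.

```python
"""Pinned-fingerprint check on top of gpg --verify (added example)."""
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

# Fingerprint of the *primary* key quoted in the thread. In real tooling this
# value comes from an out-of-band check (a fingerprint confirmed over a second
# channel), never from the key server you just fetched the key from.
PINNED_PRIMARY_FPR = "2B90 598A 745E 992F 315E 22C5 8AB1 3296 3A06 537A"


def normalize_fpr(fpr: str) -> str:
    """Strip the display spacing gpg uses and upper-case the hex digits."""
    return "".join(fpr.split()).upper()


@dataclass
class VerifyResult:
    good_signature: bool            # GOODSIG seen and no BADSIG/ERRSIG/expired/revoked
    signing_key_fpr: Optional[str]  # fingerprint of the (sub)key that made the signature
    primary_key_fpr: Optional[str]  # fingerprint of the primary key it belongs to
    pinned_match: bool              # good signature AND primary fingerprint equals the pin


def parse_status(status_output: str, pinned_primary_fpr: str) -> VerifyResult:
    """Evaluate gpg --status-fd lines against a pinned primary fingerprint.

    GOODSIG alone means "valid for some key in the keyring". VALIDSIG has the
    signing key's fingerprint in field 2 and the primary key's fingerprint as
    its last (12th) field; the latter is what must match the pin.
    """
    good = False
    signing = None
    primary = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            good = False
        elif tag == "VALIDSIG":
            signing = fields[2].upper()
            # Fields: fpr date timestamp expire version reserved pkalgo hashalgo
            # sigclass [primary-fpr]; fall back to the signing key if absent.
            primary = fields[11].upper() if len(fields) >= 12 else signing
    pinned = normalize_fpr(pinned_primary_fpr)
    return VerifyResult(good, signing, primary, good and primary == pinned)


def verify_file(sig_path: str, pinned_primary_fpr: str = PINNED_PRIMARY_FPR) -> VerifyResult:
    """Run gpg on a clearsigned file (e.g. SHA1SUMS.asc) and apply the pin.

    --status-fd 1 sends the machine-readable lines to stdout; the human-readable
    text stays on stderr, so the parser never sees it.
    """
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path],
        capture_output=True, text=True, check=False,
    )
    return parse_status(proc.stdout, pinned_primary_fpr)


# Constructed status lines resembling `gpg --verify SHA1SUMS.asc` for the
# release discussed above (timestamp and signature class are made up).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 057CC3EB15A0A4BC Mozilla Software Releases <releases@mozilla.org>
[GNUPG:] VALIDSIG 5445390EF5D0C2ECFB8A6201057CC3EB15A0A4BC 2013-07-31 1375245159 0 4 0 1 2 01 2B90598A745E992F315E22C58AB132963A06537A
[GNUPG:] TRUST_UNDEFINED
"""

# Constructed: cryptographically good, but from a key whose primary fingerprint
# (placeholder digits) is not the pinned one. gpg would still say "Good signature".
SAMPLE_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2013-07-31 1375245159 0 4 0 1 2 01 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED
"""

# Constructed: a modified checksum file, so gpg reports BADSIG.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 057CC3EB15A0A4BC Mozilla Software Releases <releases@mozilla.org>
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("wrong key", SAMPLE_WRONG_KEY), ("bad", SAMPLE_BAD)):
        print(name, parse_status(sample, PINNED_PRIMARY_FPR))
```

Only `pinned_match` should gate an install step; `good_signature` on its own is exactly the "Good signature ... WARNING: This key is not certified" state the thread shows. Whether you additionally `--sign-key` or `--lsign-key` the primary is a matter of keyring hygiene; the pin is what ties the check to the out-of-band verification the KEYS file asks for.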

Thanks; I had searched on pgp.mit.edu for the primary key but forgot to add the hex prefix 0x.

Curiously, the 1024-bit DSA key used for some previous releases (0x7f4d66451ebcab3a) has been signed by "Someone at Mozilla Should Sign the Release Key (so users can verify the key's owner!) <anonymous@lulz.example.com>".