Hacker News new | ask | show | jobs
by bigbango 4240 days ago
For those who like me are wary of running unverified binaries:

- checksums: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/late...

- signatures: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/late...

- signing key: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/lat...

edit: reformatting

2nd edit: added https
1 comments
skrebbel 4240 days ago
You're wary of running unverified binaries but you're OK when they're verified by a checksum downloaded over unencrypted HTTP?
link
bigbango 4240 days ago
Thanks, I was so focused on finding the files that I forgot.
link
MichaelGG 4239 days ago
The criticism is the same: You're worried about running binaries from a particular source, but will accept the signatures from the same source?
link
bigbango 4239 days ago
Yes, when I don't have any out of band method for obtaining the key.

Also, the sources aren't the same, the binary is downloaded from a mirror / CDN while the links I posted are from the main FTP server.

edit: grammar corrections

link