Firefox

18929 readers

60 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago

MODERATORS

[email protected]

packages.mozilla.org: repo-signing-key.gpg (lemm.ee)

submitted 2 weeks ago by [email protected] to c/[email protected]

2 comments fedilink hide all child comments

Hi there,

I wanted to migrate from the default Ubuntu Firefox snap installation to a deb-package-based one using the instructions on the official help site.

I do not just import keys without examining them first, so I had a look at the key from packages.mozilla.org:

pub  rsa2048/C0BA5CE6DC6315A3
     created: 2021-05-04  expires: never       usage: SC  
     trust: unknown       validity: unknown
 [ unknown] (1). Artifact Registry Repository Signer <[email protected]>

Now, what I don't understand is the identity containing a reference to Google instead Mozilla: "Artifact Registry Repository Signer [email protected]"

Could somebody help me understand that?

Thanks a lot in advance!

top 2 comments

sorted by: hot top controversial new old

[–] [email protected] 4 points 2 weeks ago (1 children)

Good question.

I see that the file served from https://packages.mozilla.org/apt/repo-signing-key.gpg is the same as the file at https://packages.cloud.google.com/apt/doc/apt-key.gpg

Apparently Mozilla outsources the operation of the Firefox APT repo to the Google Cloud "Artifact Registry" service 😦

[–] [email protected] 3 points 2 weeks ago

Well, perfect: I'm a Firefox user because I trust Google so much... 😉 ☹️