Firefox

18664 readers

29 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago

MODERATORS

k_o_t@lemmy.ml

packages.mozilla.org: repo-signing-key.gpg (lemm.ee)

submitted 1 day ago by Raginald_Savidge@lemm.ee to c/firefox@lemmy.ml

2 comments fedilink hide all child comments

Hi there,

I wanted to migrate from the default Ubuntu Firefox snap installation to a deb-package-based one using the instructions on the official help site.

I do not just import keys without examining them first, so I had a look at the key from packages.mozilla.org:

pub  rsa2048/C0BA5CE6DC6315A3
     created: 2021-05-04  expires: never       usage: SC  
     trust: unknown       validity: unknown
 [ unknown] (1). Artifact Registry Repository Signer <artifact-registry-repository-signer@google.com>

Now, what I don't understand is the identity containing a reference to Google instead Mozilla: "Artifact Registry Repository Signer artifact-registry-repository-signer@google.com"

Could somebody help me understand that?

Thanks a lot in advance!

top 2 comments

sorted by: hot top controversial new old

[–] cypherpunks@lemmy.ml 4 points 1 day ago (1 children)

Good question.

I see that the file served from https://packages.mozilla.org/apt/repo-signing-key.gpg is the same as the file at https://packages.cloud.google.com/apt/doc/apt-key.gpg

Apparently Mozilla outsources the operation of the Firefox APT repo to the Google Cloud "Artifact Registry" service 😦

[–] Raginald_Savidge@lemm.ee 3 points 1 day ago

Well, perfect: I'm a Firefox user because I trust Google so much... 😉 ☹️