After downloading an installation package from the thunderbird.net website or directly from the software archive, you may verify that the download has completed correctly, and optionally that it is an authentic package from Mozilla.
For each release there is a root folder containing one subdirectory per operating system; each of those holds the installation package files. In the root folder of a specific release, you can find a text file named SHA256SUMS.
To perform the verification, you need to do the following steps:
- Choose your installation package, based on your operating system and your language, and download it.
- Use a tool to calculate the SHA256 hashsum (which is a kind of checksum) for the file you have downloaded, and keep it on your screen for comparison.
- Go back to your browser, and view the file SHA256SUMS for the release you have downloaded.
- Find the line that contains the language and name of the file that you have downloaded. In the same line, the expected hashsum for the file is shown. Ensure this hashsum matches the output you got from the tool used to calculate the SHA256 hashsum.
If you are viewing the file SHA256SUMS using a recent version of Firefox, and you are viewing the file on the https://archive.mozilla.org site, and the hashsums match, chances are very high that your download is correct and authentic.
If you would like to also check that you are viewing the correct SHA256SUMS file, for example, because you have downloaded these files from a mirror, you may check that the file carries the digital signature of the Mozilla Software Release team.
Download both files, SHA256SUMS and SHA256SUMS.asc.
To check the signature, you may use the GnuPG software, and in addition, you must obtain Mozilla's most recent and official public key that is used for signing this file.
The GnuPG software is usually already included on Linux distributions. For other operating systems, you should be able to find HOWTO documents that explain how to install and use GPG4WIN for Windows or GPGTools for macOS.
Use GnuPG or similar software to import Mozilla's public key, which is usually announced on Mozilla's security blog. At the time of writing this document, the most recent version can be found here: https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/
Now tell GnuPG to check the signature in the SHA256SUMS.asc file against the data in the SHA256SUMS file with the following command:
```
$ gpg --verify SHA256SUMS.asc
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Di 26 Sep 2023 20:49:02 CEST
gpg:                using RSA key ADD7079479700DCADFDD5337E36D3B13F3D93274
gpg: Good signature from "Mozilla Software Releases <firstname.lastname@example.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353
     Subkey fingerprint: ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274
```
In the above example, there are 8 lines of output (not counting the command itself).
Lines 7 and 8 tell you which key was used to create the digital signature. You may compare the fingerprint(s) shown on those lines with the fingerprint shown on the Mozilla security blog post. If they match, you have successfully verified the SHA256SUMS file.
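The whole procedure above can be scripted so that the fingerprint comparison is not done by eye. The script below is an added example, not a Mozilla tool; it assumes SHA256SUMS uses the standard `<hex hash>  <path relative to the release root>` line format, that SHA256SUMS.asc sits next to SHA256SUMS, and that the expected fingerprint is passed in after you have read it from the blog post.

```sh
#!/bin/sh
# Added example, not a Mozilla tool. Assumes SHA256SUMS uses the standard
# "<hex hash>  <path relative to the release root>" line format and that
# SHA256SUMS.asc sits next to SHA256SUMS.

# Hex SHA256 of a file; falls back to shasum on systems without sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Compare the locally computed hash with the entry listed for the package.
# Returns 0 on match, 1 on mismatch, 2 if the package is not listed at all.
verify_sha256() {
    sums="$1"; listed="$2"; local_file="$3"
    expected=$(awk -v f="$listed" '$2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$local_file")" = "$expected" ]
}

# Read gpg --status-fd output on stdin and succeed only if a VALIDSIG line
# ends with the expected primary-key fingerprint (40 hex digits, no spaces).
# Checking the primary fingerprint keeps working when the signing subkey is
# rotated, as in the output above where a subkey made the signature.
fingerprint_matches() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(fpr) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Whole procedure: the signature must verify under the expected key before
# the SHA256SUMS content is trusted; only then is the package hash checked.
# Returns 3 when the signature check fails, otherwise as verify_sha256.
verify_release_file() {
    sums="$1"; listed="$2"; local_file="$3"; expected_fpr="$4"
    gpg --batch --status-fd 1 --verify "$sums.asc" "$sums" 2>/dev/null \
        | fingerprint_matches "$expected_fpr" || return 3
    verify_sha256 "$sums" "$listed" "$local_file"
}

# Usage (package path and VERSION are placeholders; the fingerprint is the
# primary key from the gpg output above, to be confirmed against the blog):
# verify_release_file SHA256SUMS linux-x86_64/en-US/thunderbird-VERSION.tar.bz2 \
#     thunderbird-VERSION.tar.bz2 14F26682D0916CDD81E37B6D61B7B526D98F0353
```

The status line format is parsed rather than the human-readable output because the latter is localised (note the German day name in the example above) and may change between GnuPG versions.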