Verifying Mozilla FTP Firefox releases

Recently started my privacy journey and I've been going over the guide. I was a little concerned about the whole “Firefox unique download token” thing, so I downloaded the exe file from the FTP link in the guide. My question is: what is the correct way to verify the exe download is safe? I tested the SHA256 and it came out correct, but I'm having a hard time understanding how to verify with the key in the folder. When using Kleopatra I keep getting a “failed to find encrypted or signed data” error.

Did you download SHA256SUMS and SHA256SUMS.asc and you’re trying to verify the SHA256SUMS file in Kleopatra?

Yes, I downloaded both. I was able to verify that the SHA256SUMS match for the executable. But maybe I was confused, because is that all the verification I had to do? In the folder for the version I wanted to download I saw a key, which I added to Kleopatra, which is the Mozilla signing key, so I thought there was another step involved.

You use the key and the SHA256SUMS.asc file to verify that the SHA256SUMS file is legitimate, and then you use the SHA-256 hash contained within that file to verify that the installer is legitimate.

2 Likes
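The two-step check described in the reply above, written out as an added example (not part of the original thread, and not Mozilla's own tooling). It assumes `gpg` is on the PATH with the signing key already imported, and that you supply the key fingerprint from a source you trust; the function names are hypothetical.

```python
import hashlib
import hmac
import subprocess
import sys

def validsig_matches(status_output, expected_fpr):
    """True if gpg's status output has a VALIDSIG line for expected_fpr."""
    want = expected_fpr.replace(" ", "").upper()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # parts[2] is the signing (sub)key, the last field the primary key.
            return want in (parts[2].upper(), parts[-1].upper())
    return False

def signature_ok(sums_path, sig_path, expected_fpr):
    """Step 1: verify the detached signature SHA256SUMS.asc over SHA256SUMS."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    # gpg exits non-zero on a bad signature or a missing public key.
    return proc.returncode == 0 and validsig_matches(proc.stdout, expected_fpr)

def expected_hash(sums_text, entry):
    """Find entry in sha256sum-style text: '<hex>  <name>' or '<hex> *<name>'."""
    for line in sums_text.splitlines():
        digest, _, rest = line.partition(" ")
        if rest[:1] in (" ", "*") and rest[1:] == entry:
            return digest.lower()
    return None

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def installer_ok(installer_path, sums_path, entry):
    """Step 2: compare the installer's hash with the signed list's entry."""
    with open(sums_path, encoding="utf-8") as f:
        want = expected_hash(f.read(), entry)
    return want is not None and hmac.compare_digest(want, file_sha256(installer_path))

if __name__ == "__main__":
    # Arguments (all supplied by you): installer path, its name as listed in
    # SHA256SUMS, and the signing key fingerprint you trust.
    installer, entry, fpr = sys.argv[1:4]
    ok = (signature_ok("SHA256SUMS", "SHA256SUMS.asc", fpr)
          and installer_ok(installer, "SHA256SUMS", entry))
    print("verified" if ok else "VERIFICATION FAILED")
    sys.exit(0 if ok else 1)
```

Run it from the folder holding SHA256SUMS and SHA256SUMS.asc; the installer only counts as verified when both steps pass, since a matching hash from an unsigned list proves nothing about where the list came from.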