
Encourage users to only download from official sources, and optionally verify downloads #490

Open
kaie opened this issue Sep 27, 2023 · 4 comments

Comments

@kaie
Contributor

kaie commented Sep 27, 2023

Somewhere in the download section, it would be good to explain to users how they can verify their downloads, in a discoverable way.

We should discuss what we should explain, which verification strategies we want to explain.

The intention is:

(1) create some general awareness that verifying downloads is a good idea
(the fact that such a verification offering can be found on the download page could be seen as a way to make users aware, and allow them to learn more, if they want to)

(2) Allow users a simple verification that could be done without downloading additional software. For example, if users find the SHA256 checksum on the download page, there could be some quick information on how to use tools already available on the OS to verify (e.g. sha256sum on Linux and MacOS, and on Windows something like certutil -hashfile SHA256)

(3) Potentially have a link that explains the more advanced checking. Which is, use GnuPG, and offer a link to the signature file.
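The checks sketched in (2) and (3) above, written out as an added shell example (not code from this issue or from thunderbird.net); the sample file and its expected digest are constructed, and the signature step assumes the signing key has already been imported:

```shell
#!/bin/sh
# Added example (not from the issue or thunderbird.net): verify a downloaded
# file against the SHA256 checksum published beside it, using only tools that
# ship with the OS (sha256sum on Linux, shasum on macOS), and optionally a
# detached GnuPG signature. File paths and the expected hash are assumptions.

# Print the SHA256 hex digest of $1 using whichever tool the OS provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA256 tool found" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest matches (case-insensitive), 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches published SHA256"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_gpg FILE SIGFILE
# Checks a detached signature; the signer's public key must already be in the keyring.
verify_gpg() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$2" "$1"
}

# Constructed demonstration: a stand-in "download" whose SHA256 is known.
demo() {
    tmp=$(mktemp) || return 2
    printf 'hello\n' > "$tmp"   # SHA256("hello\n") = 5891b5b5...be03
    verify_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

A mismatch exits non-zero and prints both digests, so the script can gate an installer in a download pipeline as well as be run by hand.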

@kaie
Contributor Author

kaie commented Sep 27, 2023

cc @Sancus @hellsworth @KillYourFM

@rtanglao

  • Do we need a SUMO KB article?

@kaie
Contributor Author

kaie commented Sep 27, 2023

SUMO could be the place where the detailed explanations live.

==Download page==

  • here is your download: link
  • You may verify the correctness of your download using SHA256 hashsum ABCDEF000111... (dynamically embedded) or using a GnuPG signature (dynamically set the correct link).
  • Here are the instructions for verifying a download: link to SUMO
  • remember to obtain Thunderbird only from official locations, such as this thunderbird.net website or using a download mechanism that's integrated into your operating system.

@MelissaAutumn
Member

Some thoughts:

I don't believe we have a sha256 hash (or any hash) in product details which is a pre-req if we want it to appear on the site. https://github.com/mozilla-releng/product-details/tree/production

I could definitely see this being useful though. Some examples of how other sites handle this:

Ubuntu provides a pop-over card that displays instructions to verify the download:
(screenshot: a thank-you page with a pop-over card displaying how to verify your Ubuntu Server ISO)

openSUSE uses a dropdown with a link to the sha256 signature:
(screenshot: a download button with a small arrow to the right, displaying a list which reads: metalink, pick mirror, and checksum)

KDE Neon just has a link below the download button for the pgp signature:
(screenshot: below a download button appear the words "PGP signature for verification")
