Hi there,
I wanted to migrate from the default Ubuntu Firefox snap installation to a deb-package-based one using the instructions on the official help site.
I do not just import keys without examining them first, so I had a look at the key from packages.mozilla.org:
pub rsa2048/C0BA5CE6DC6315A3
created: 2021-05-04 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Artifact Registry Repository Signer <artifact-registry-repository-signer@google.com>
Now, what I don’t understand is the identity containing a reference to Google instead Mozilla: “Artifact Registry Repository Signer [email protected]”
Could somebody help me understand that?
Thanks a lot in advance!
Good question.
I see that the file served from https://packages.mozilla.org/apt/repo-signing-key.gpg is the same as the file at https://packages.cloud.google.com/apt/doc/apt-key.gpg
Apparently Mozilla outsources the operation of the Firefox APT repo to the Google Cloud “Artifact Registry” service 😦
Well, perfect: I’m a Firefox user because I trust Google so much… 😉 ☹️