Last active
May 16, 2023 19:23
-
-
Save thomsh/8e2ee63bc38b5608082201ac10b2d34c to your computer and use it in GitHub Desktop.
Install latest stable binary version of firefox for desktop linux distro (tested Debian 11, proably Ubuntu too)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Purpose: Download and install latest stable firefox for any Linux distribution | |
| # gpg --receive-keys 0x4360FE2109C49763186F8E21EBE41E90F6F12F6D | |
| # Update 2021-06-03: key change, new key is signed with old 0x14F26682D0916CDD81E37B6D61B7B526D98F0353 | |
| # https://blog.mozilla.org/security/2021/06/02/updating-gpg-key-for-signing-firefox-releases/ | |
| # GPG SETTINGS | |
| RELEASE_KEY_FINGERPRINT="0xADD7079479700DCADFDD5337E36D3B13F3D93274" | |
| MOZILLA_KEY_SERVER="gpg.mozilla.org" | |
| GNUPGHOME="/var/cache/gnupg_download_firefox_release" | |
| MOZILLA_KEY_URL="https://archive.mozilla.org/pub/firefox/releases/114.0b4/KEY" | |
| # FIREFOX VERSION SELECTION | |
| MOZILLA_LATEST_URL="https://product-details.mozilla.org/1.0/firefox_versions.json" | |
| FIREFOX_TARGET_BRANCH="LATEST_FIREFOX_VERSION" | |
| # INSTALL SETTINGS | |
| MOZILLA_BASE_URL_DOWNLOAD="https://ftp.mozilla.org/pub/firefox/releases" | |
| DL_PATH="/var/cache/download_firefox_release" | |
| INSTALL_PATH="/opt/firefox_release" | |
| DL_USER="nobody" | |
| if [ "$(id -u)" -ne 0 ];then | |
| echo "This script need root privileges" | |
| exit 1 | |
| fi | |
| for TOOL in gpg sudo jq curl wget | |
| do | |
| if [ ! -x "$(command -v "${TOOL}")" ];then | |
| echo "Command ${TOOL} not found, please install it or add it in your PATH" | |
| exit 1 | |
| fi | |
| done | |
| set -euxo pipefail | |
| # clean config vars | |
| INSTALL_PATH="${INSTALL_PATH%/}" | |
| DL_PATH="${DL_PATH%/}" | |
| GNUPGHOME="${GNUPGHOME%/}" | |
| # Setup DL dir | |
| mkdir -p "${DL_PATH}" | |
| chmod 1777 "${DL_PATH}" | |
| cd "${DL_PATH}" | |
| # Setup a GNU PGP home to validate signature from Mozilla | |
| mkdir -p "${GNUPGHOME}" | |
| chmod 700 "${GNUPGHOME}" | |
| function get_key_via_file { | |
| # DL the key file, import it in a TMP keyring and then export key right | |
| # key based on the fingerprint so in the final keyring we will have a valid KEY | |
| cd "${DL_PATH}" | |
| sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_KEY_URL}" -O "MOZ_KEY.asc" | |
| sudo -u "${DL_USER}" -- mkdir -p "${DL_PATH%/}/tmpgpghome" | |
| sudo -u "${DL_USER}" -- gpg --homedir "${DL_PATH%/}/tmpgpghome" \ | |
| --no-default-keyring --keyring tmpkeyring \ | |
| --import MOZ_KEY.asc | |
| sudo -u "${DL_USER}" -- gpg --homedir "${DL_PATH%/}/tmpgpghome" \ | |
| --no-default-keyring --keyring tmpkeyring \ | |
| --armor --export --output "${DL_PATH%/}/VALID_MOZ_KEY.asc" "${RELEASE_KEY_FINGERPRINT}" | |
| # Import the trusted key in our keyring | |
| gpg --homedir "${GNUPGHOME}" --import "${DL_PATH%/}/VALID_MOZ_KEY.asc" | |
| } | |
| if ! gpg --homedir "${GNUPGHOME}" --with-fingerprint -k "${RELEASE_KEY_FINGERPRINT}";then | |
| get_key_via_file || gpg --homedir "${GNUPGHOME}" \ | |
| --keyserver "${MOZILLA_KEY_SERVER}" --receive-keys "${RELEASE_KEY_FINGERPRINT}" | |
| # display downloaded key | |
| gpg --homedir "${GNUPGHOME}" --with-fingerprint -k "${RELEASE_KEY_FINGERPRINT}" | |
| fi | |
| # fetch latest version available on Moz' api | |
| VERSION=$(sudo -u "${DL_USER}" -- curl --fail -s "${MOZILLA_LATEST_URL}" \ | |
| |sudo -u "${DL_USER}" -- jq ".${FIREFOX_TARGET_BRANCH}" -r\ | |
| |head -n 1) | |
| if ! echo "${VERSION}" |grep -P '^[0-9A-Za-z.]{3,16}$' > /dev/null;then | |
| echo "Invalid version returned by Mozilla API : [${VERSION}]" | |
| exit 1 | |
| fi | |
| if grep "${VERSION}" "${DL_PATH}/installed_version" ;then | |
| set +x | |
| echo "" | |
| echo "Firefox version ${VERSION} already installed" | |
| echo "purge ${DL_PATH}/installed_version for reinstall" | |
| exit 0 | |
| fi | |
| FFARCHIVE="firefox-${VERSION}.tar.bz2" | |
| FFARCHIVE_STATUS=0 | |
| function verify_ffarchive() { | |
| if [ -f "${FFARCHIVE}" ];then | |
| CHECKSUM=$(sha512sum "${FFARCHIVE}"|awk '{print $1}') | |
| if grep "${CHECKSUM}" "SHA512SUMS" >/dev/null ;then | |
| FFARCHIVE_STATUS=1 | |
| fi | |
| fi | |
| } | |
| FFARCHIVE_STATUS=0 | |
| verify_ffarchive | |
| if [ ${FFARCHIVE_STATUS} -ne 1 ];then | |
| sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_BASE_URL_DOWNLOAD}/${VERSION}/SHA512SUMS" -O "SHA512SUMS" | |
| sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_BASE_URL_DOWNLOAD}/${VERSION}/SHA512SUMS.asc" -O "SHA512SUMS.asc" | |
| gpg --homedir "${GNUPGHOME}" --verify SHA512SUMS.asc SHA512SUMS | |
| sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_BASE_URL_DOWNLOAD}/${VERSION}/linux-x86_64/en-US/${FFARCHIVE}" -O "${FFARCHIVE}" | |
| fi | |
| FFARCHIVE_STATUS=0 | |
| verify_ffarchive | |
| if [ ${FFARCHIVE_STATUS} -ne 1 ];then | |
| echo "Invalid checksum / archive : ${CHECKSUM}" | |
| rm -f -- "${FFARCHIVE}*" | |
| exit 1 | |
| fi | |
| mkdir -p "${INSTALL_PATH}" | |
| rm -rf -- "${INSTALL_PATH:?}/*" ||true | |
| tar -C "${INSTALL_PATH}/" -jxvf "${FFARCHIVE}" | |
| # remove internal extension (untrusted) | |
| find "${INSTALL_PATH}/firefox/browser/features/" -type f -iname '*.xpi' -print -delete | |
| echo "${VERSION}" > "${DL_PATH}/installed_version" | |
| # clean cache, keep the last for fast re-install | |
| ls -t -- firefox-*.tar.bz2* |awk 'NR > 1'|while read -r ar ; do rm -f -- "${ar}";done; | |
| # Install shortcurt / .desktop entries | |
| # The profile manger desktop entry | |
| cat > /usr/share/applications/firefox-release-profile-manager.desktop <<EOF | |
| [Desktop Entry] | |
| Name=FF-Release-ProfileManager | |
| Comment=Latest stable Firefox start ProfileManager | |
| GenericName=Web Browser | |
| X-GNOME-FullName=FF-Release-ProfileManager | |
| Exec=${INSTALL_PATH}/firefox/firefox --ProfileManager --no-remote | |
| Terminal=false | |
| X-MultipleArgs=false | |
| Type=Application | |
| Icon=${INSTALL_PATH}/firefox/browser/chrome/icons/default/default128.png | |
| Categories=Network;WebBrowser; | |
| MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https; | |
| StartupWMClass=Firefox | |
| StartupNotify=true | |
| EOF | |
| # The default profile desktop entry | |
| cat > /usr/share/applications/firefox-release-default.desktop <<EOF | |
| [Desktop Entry] | |
| Name=FF-Release-Default | |
| Comment=Latest stable Firefox start current profile | |
| GenericName=Web Browser | |
| X-GNOME-FullName=FF-Release-Default | |
| Exec=${INSTALL_PATH}/firefox/firefox --no-remote | |
| Terminal=false | |
| X-MultipleArgs=false | |
| Type=Application | |
| Icon=${INSTALL_PATH}/firefox/browser/chrome/icons/default/default128.png | |
| Categories=Network;WebBrowser; | |
| MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https; | |
| StartupWMClass=Firefox | |
| StartupNotify=true | |
| EOF | |
| set +x | |
| echo "Firefox ${VERSION} sucessfully installed in ${INSTALL_PATH}" | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Updated Moz's GPG key
https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/