Install the latest Firefox securely in Debian
Update: There’s an official APT repository
Since Debian does not provide an easy way to install the latest version of Firefox, I’ve written a script to install the latest official binary from Mozilla.
To make the process as secure as possible, the relevant binary is downloaded and its checksum is verified against the published checksum by Mozilla. The digital signature of the checksum file is also verified using Mozilla’s GPG key.
#!/usr/bin/env bash
trap exit INT
if [[ -n $(pgrep firefox) ]]; then
echo 'error: Firefox is running'
exit 1
fi
target_version=$(
wget -qS --spider https://www.mozilla.org/en-US/firefox/notes/ 2>&1 | \
grep -i location: | \
cut -d / -f 4
)
if [[ -z "$target_version" ]]; then
echo 'error: Failed to parse latest Firefox release version'
exit 2
fi
mozilla_key=BBBEBDBB24C6F355
platform=linux-x86_64locale=en-USbase_name=firefox-$target_version.tar.bz2
file_name=$platform/$locale/$base_name
base_url=https://releases.mozilla.org/pub/firefox/releases/$target_version
tmp_dir=/tmp/firefox-update-$target_version
rm -rf $tmp_dir
mkdir $tmp_dir
pushd $tmp_dir
wget $base_url/SHA512SUMS $base_url/SHA512SUMS.asc
gpg --recv-keys $mozilla_key && gpg --verify SHA512SUMS.asc SHA512SUMS
if [[ $? -ne 0 ]]; then
echo 'error: Failed to verify signature for SHA512SUMS'
exit 3
fi
wget $base_url/$file_name
expected_sum=$(grep $file_name SHA512SUMS | cut -d ' ' -f 1 | sed "s/^b'\|'$//g")
echo "$expected_sum $base_name" | sha512sum -c -
if [[ $? -ne 0 ]]; then
echo "error: Invalid checksum for $base_name"
exit 4
fi
sudo rm -rf /opt/firefox
pushd /optsudo tar -xvjf $tmp_dir/$base_name
popd
popd
rm -rf $tmp_dirThings to note:
- Platform is
x86_64(configurable) - Locale is
en-US(configurable) - Installation path is
/opt/firefox/