Angelos Orfanakos

Install the latest Firefox securely in Debian

Since Debian does not provide an easy way to install the latest version of Firefox, I’ve written a script to install the latest official binary from Mozilla.

To make the process as secure as possible, the relevant binary is downloaded and its checksum is verified against the published checksum by Mozilla. The digital signature of the checksum file is also verified using Mozilla’s GPG key.

Some things to note:

  • Installation path is /opt/firefox/
  • Platform is x86_64 (configurable)
  • Locale is en-US (configurable)

Download the script:

#!/usr/bin/env bash
# Author: Angelos Orfanakos <https://agorf.gr>
# Released into the public domain.
trap exit INT
if [[ -n $(pgrep firefox) ]]; then
echo 'error: Firefox is running'
exit 1
fi
# Install Go if missing (dependency of pup)
command -v go >/dev/null 2>&1 || sudo apt-get -y install golang
# Install pup if missing
command -v pup >/dev/null 2>&1 || go get github.com/ericchiang/pup
target_version=$(wget -qO - https://www.mozilla.org/en-US/firefox/notes/ | \
pup '.c-release-version text{}')
if [[ -z "$target_version" ]]; then
echo 'error: Failed to parse latest Firefox release version'
exit 2
fi
mozilla_key=BBBEBDBB24C6F355
platform=linux-x86_64
locale=en-US
base_name=firefox-$target_version.tar.bz2
file_name=$platform/$locale/$base_name
base_url=https://releases.mozilla.org/pub/firefox/releases/$target_version
tmp_dir=/tmp/firefox-update-$target_version
rm -rf $tmp_dir
mkdir $tmp_dir
pushd $tmp_dir
wget $base_url/SHA512SUMS $base_url/SHA512SUMS.asc
gpg --recv-keys $mozilla_key && gpg --verify SHA512SUMS.asc SHA512SUMS
if [[ $? -ne 0 ]]; then
echo 'error: Failed to verify signature for SHA512SUMS'
exit 3
fi
wget $base_url/$file_name
expected_sum=$(grep $file_name SHA512SUMS | cut -d ' ' -f 1)
echo "$expected_sum $base_name" | sha512sum -c -
if [[ $? -ne 0 ]]; then
echo "error: Invalid checksum for $base_name"
exit 4
fi
sudo rm -rf /opt/firefox
pushd /opt
sudo tar -xvjf $tmp_dir/$base_name
popd
popd
rm -rf $tmp_dir
view raw update-firefox.sh hosted with ❤ by GitHub