@thomsh
Last active March 5, 2025 08:41
Install the latest stable binary version of Firefox on a desktop Linux distro (tested on Debian 11, probably works on Ubuntu too)
#!/usr/bin/env bash
#
# Download, verify and install the latest stable Firefox release tarball
# on a Linux desktop. The script runs as root; network fetches are handed
# to the unprivileged DL_USER account through sudo.
#
# Key notes carried over from earlier revisions of this script:
#   gpg --receive-keys 0x4360FE2109C49763186F8E21EBE41E90F6F12F6D
#   Update 2021-06-03: key change, new key is signed with old
#   0x14F26682D0916CDD81E37B6D61B7B526D98F0353
#   https://blog.mozilla.org/security/2021/06/02/updating-gpg-key-for-signing-firefox-releases/
# NOTE(review): the fingerprint pinned below differs from both values in
# the notes above; confirm it against Mozilla's current key announcement
# before relying on it.

# --- GPG settings -----------------------------------------------------
# Fingerprint used to select the release key; this is the trust anchor
# for every signature check in the script.
RELEASE_KEY_FINGERPRINT='0xADD7079479700DCADFDD5337E36D3B13F3D93274'
# Key server used as a fallback when the HTTPS key download fails.
MOZILLA_KEY_SERVER='gpg.mozilla.org'
# Dedicated keyring directory, always passed to gpg through --homedir.
GNUPGHOME='/var/cache/gnupg_download_firefox_release'
# KEY file published in one specific release directory.
MOZILLA_KEY_URL='https://archive.mozilla.org/pub/firefox/releases/114.0b4/KEY'

# --- Firefox version selection ----------------------------------------
# JSON document listing current versions, and the field read from it.
MOZILLA_LATEST_URL='https://product-details.mozilla.org/1.0/firefox_versions.json'
FIREFOX_TARGET_BRANCH='LATEST_FIREFOX_VERSION'

# --- Install settings -------------------------------------------------
MOZILLA_BASE_URL_DOWNLOAD='https://ftp.mozilla.org/pub/firefox/releases'
# Staging directory for downloads and the installed_version marker.
DL_PATH='/var/cache/download_firefox_release'
# Directory the tarball is unpacked into.
INSTALL_PATH='/opt/firefox_release'
# Unprivileged account that performs the network fetches.
DL_USER='nobody'
# The steps below write under /var/cache, the install directory and
# /usr/share/applications, so refuse to continue unless running as uid 0.
[[ "$(id -u)" -eq 0 ]] || {
  echo "This script need root privileges"
  exit 1
}
# Stop early when one of the listed commands does not resolve to an
# executable on PATH.
# NOTE(review): sha512sum, awk, tar and grep are used further down but are
# not part of this list.
for TOOL in gpg sudo jq curl wget; do
  [[ -x "$(command -v "${TOOL}")" ]] && continue
  echo "Command ${TOOL} not found, please install it or add it in your PATH"
  exit 1
done
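# Strict mode: stop on command failure, unset variables and failed
# pipeline stages; -x traces every command as it runs.
set -euxo pipefail

# Normalise the configured paths by dropping one trailing slash.
INSTALL_PATH="${INSTALL_PATH%/}"
DL_PATH="${DL_PATH%/}"
GNUPGHOME="${GNUPGHOME%/}"

# Staging directory for downloads. DL_USER has to write here because every
# fetch runs as that account, but nobody else should: root later reads the
# installed_version marker, the checksum list and the archive from this
# directory. A world-writable mode (1777) would let any local account plant
# those files ahead of a run, so the directory is handed to DL_USER and
# closed to everyone else.
# NOTE(review): files left in an existing directory by earlier runs keep
# their owners; if DL_USER is an account shared with other services, a
# dedicated download account narrows this further.
mkdir -p "${DL_PATH}"
chown "${DL_USER}" "${DL_PATH}"
chmod 0755 "${DL_PATH}"
cd "${DL_PATH}"

# Root-only GnuPG home holding the keyring used to validate Mozilla's
# signatures.
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"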
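#######################################
# Fetch Mozilla's KEY file over HTTPS and import the pinned release key.
#
# The KEY file is downloaded and parsed as DL_USER in a throw-away keyring;
# only the key selected by RELEASE_KEY_FINGERPRINT is exported from it, and
# root imports that export into the keyring under GNUPGHOME.
#
# The caller invokes this function on the left side of `||`, where
# `set -e` has no effect inside the function body. Every step therefore
# checks its own status, so a failed download or export can no longer be
# followed by root importing whatever file happens to be in place.
#
# Globals:   DL_PATH, DL_USER, MOZILLA_KEY_URL, RELEASE_KEY_FINGERPRINT,
#            GNUPGHOME (all read)
# Arguments: none
# Returns:   0 when the key was imported, non-zero on any failed step
#######################################
get_key_via_file() {
  local tmp_home="${DL_PATH%/}/tmpgpghome"
  local raw_key="MOZ_KEY.asc"
  local pinned_key="${DL_PATH%/}/VALID_MOZ_KEY.asc"

  cd "${DL_PATH}" || return 1

  # Drop leftovers from earlier runs: gpg does not silently overwrite an
  # existing --output file, and a stale export must never be imported.
  rm -f -- "${raw_key}" "${pinned_key}" || return 1

  sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_KEY_URL}" -O "${raw_key}" \
    || return 1
  sudo -u "${DL_USER}" -- mkdir -p "${tmp_home}" || return 1
  sudo -u "${DL_USER}" -- gpg --homedir "${tmp_home}" \
    --no-default-keyring --keyring tmpkeyring \
    --import "${raw_key}" || return 1
  sudo -u "${DL_USER}" -- gpg --homedir "${tmp_home}" \
    --no-default-keyring --keyring tmpkeyring \
    --armor --export --output "${pinned_key}" "${RELEASE_KEY_FINGERPRINT}" \
    || return 1

  # An export that produced nothing means the fingerprint was not in the
  # KEY file; report failure so the caller can use its fallback.
  [ -s "${pinned_key}" ] || return 1

  # Import the exported key into the root-owned keyring.
  # NOTE(review): this file is written by DL_USER and read by root, so the
  # content root imports is only as trustworthy as write access to DL_PATH.
  gpg --homedir "${GNUPGHOME}" --import "${pinned_key}"
}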
# Fetch the release key only when the root keyring does not already list
# it: HTTPS download first, key server as fallback.
if ! gpg --homedir "${GNUPGHOME}" --with-fingerprint -k "${RELEASE_KEY_FINGERPRINT}"; then
  if ! get_key_via_file; then
    gpg --homedir "${GNUPGHOME}" \
      --keyserver "${MOZILLA_KEY_SERVER}" --receive-keys "${RELEASE_KEY_FINGERPRINT}"
  fi
  # Show the key that was obtained; under `set -e` the script stops here
  # when the pinned fingerprint is still absent from the keyring.
  gpg --homedir "${GNUPGHOME}" --with-fingerprint -k "${RELEASE_KEY_FINGERPRINT}"
fi
# Read the target version from Mozilla's product-details JSON. Both the
# fetch and the JSON parsing run as DL_USER, so root never parses the
# network response itself.
VERSION="$(
  sudo -u "${DL_USER}" -- curl --fail -s "${MOZILLA_LATEST_URL}" \
    | sudo -u "${DL_USER}" -- jq -r ".${FIREFOX_TARGET_BRANCH}" \
    | head -n 1
)"

# The value is later placed in URLs and file names, so accept only 3 to 16
# characters drawn from letters, digits and dots.
if ! grep -qP '^[0-9A-Za-z.]{3,16}$' <<<"${VERSION}"; then
  echo "Invalid version returned by Mozilla API : [${VERSION}]"
  exit 1
fi
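# Nothing to do when the marker file already records exactly this version.
# The comparison is a literal whole-line match (-x -F): a plain grep would
# treat the dots in VERSION as wildcards and accept a substring, so one
# version could be mistaken for another and an update skipped. A missing
# marker (first run) simply means "not installed".
if [ -f "${DL_PATH}/installed_version" ] \
  && grep -qxF -- "${VERSION}" "${DL_PATH}/installed_version"; then
  set +x
  echo ""
  echo "Firefox version ${VERSION} already installed"
  echo "purge ${DL_PATH}/installed_version for reinstall"
  exit 0
fi

# Archive name for the selected version, and the flag verify_ffarchive
# sets to 1 once the archive has been validated.
FFARCHIVE="firefox-${VERSION}.tar.xz"
FFARCHIVE_STATUS=0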
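#######################################
# Validate the archive in the current directory against Mozilla's signed
# checksum list.
#
# FFARCHIVE_STATUS is set to 1 only when all of the following hold:
#   - the archive, SHA512SUMS and SHA512SUMS.asc are all present;
#   - the signature on SHA512SUMS verifies against the keyring in
#     GNUPGHOME, so a checksum list left over in the download directory is
#     never trusted on its own;
#   - the archive's SHA-512 is listed for exactly the path this script
#     downloads (linux-x86_64/en-US/<archive>). Matching the digest
#     anywhere in the list would also accept a different signed file saved
#     under the archive's name.
# In every other case the flag is left untouched and the function still
# returns 0, so `set -e` in the caller is not triggered.
#
# Globals:   FFARCHIVE, GNUPGHOME (read); CHECKSUM, FFARCHIVE_STATUS
#            (written)
# Arguments: none
# Returns:   0 always
#######################################
verify_ffarchive() {
  local sums_file="SHA512SUMS"
  local sig_file="SHA512SUMS.asc"
  local entry_path="linux-x86_64/en-US/${FFARCHIVE}"

  # Keep CHECKSUM defined for the caller's error message under `set -u`.
  CHECKSUM=""

  if [ ! -f "${FFARCHIVE}" ] || [ ! -f "${sums_file}" ] || [ ! -f "${sig_file}" ]; then
    return 0
  fi

  # The checksum list is only meaningful when its signature is good.
  if ! gpg --homedir "${GNUPGHOME}" --verify "${sig_file}" "${sums_file}"; then
    return 0
  fi

  CHECKSUM=$(sha512sum "${FFARCHIVE}" | awk '{print $1}')

  # Accept only a line whose digest AND path both match; a leading '*'
  # (binary-mode marker of sha512sum) is ignored on the path field.
  if awk -v sum="${CHECKSUM}" -v path="${entry_path}" '
      { name = $2; sub(/^\*/, "", name) }
      $1 == sum && name == path { found = 1 }
      END { exit !found }
    ' "${sums_file}"; then
    FFARCHIVE_STATUS=1
  fi
}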
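# Re-use a cached archive only when the cached checksum list still carries
# a valid signature. Without this gate, a checksum list and archive that
# were merely left in the download directory would be accepted without any
# signature check.
FFARCHIVE_STATUS=0
if [ -f "SHA512SUMS" ] && [ -f "SHA512SUMS.asc" ] \
  && gpg --homedir "${GNUPGHOME}" --verify SHA512SUMS.asc SHA512SUMS; then
  verify_ffarchive
fi

if [ "${FFARCHIVE_STATUS}" -ne 1 ]; then
  # Fetch the checksum list and its detached signature as DL_USER, check
  # the signature as root (a bad signature stops the script under set -e),
  # and only then download the archive itself.
  sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_BASE_URL_DOWNLOAD}/${VERSION}/SHA512SUMS" -O "SHA512SUMS"
  sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_BASE_URL_DOWNLOAD}/${VERSION}/SHA512SUMS.asc" -O "SHA512SUMS.asc"
  gpg --homedir "${GNUPGHOME}" --verify SHA512SUMS.asc SHA512SUMS
  sudo -u "${DL_USER}" -- wget --no-hsts "${MOZILLA_BASE_URL_DOWNLOAD}/${VERSION}/linux-x86_64/en-US/${FFARCHIVE}" -O "${FFARCHIVE}"
fi

# Final check of whatever archive is now on disk.
FFARCHIVE_STATUS=0
verify_ffarchive
if [ "${FFARCHIVE_STATUS}" -ne 1 ]; then
  # CHECKSUM may be unset when no archive was found; avoid a set -u abort
  # before the cleanup below.
  echo "Invalid checksum / archive : ${CHECKSUM:-}"
  # The glob has to sit outside the quotes; quoted, it is taken literally
  # and the rejected archive would stay in the cache.
  rm -f -- "${FFARCHIVE}"*
  exit 1
fi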
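mkdir -p "${INSTALL_PATH}"
# Clear the previous install. The glob sits outside the quotes so it
# expands; quoted, it is a literal name and files from the old version
# would survive next to the new ones. ${INSTALL_PATH:?} aborts on an empty
# value instead of expanding to "/*".
rm -rf -- "${INSTALL_PATH:?}"/* || true
# --no-same-owner: when tar runs as root it otherwise restores the owner
# ids recorded inside the archive; installed files should belong to root.
# NOTE(review): the archive is verified in DL_PATH and then read again
# here, so the check only holds while nothing else can write to that
# directory in between.
tar --no-same-owner -C "${INSTALL_PATH}/" -xvf "${FFARCHIVE}"
# remove internal extension (untrusted)
#DISABLED#find "${INSTALL_PATH}/firefox/browser/features/" -type f -iname '*.xpi' -print -delete
echo "${VERSION}" > "${DL_PATH}/installed_version"
# Clean the cache but keep the archive just installed for a fast
# re-install. Archives are now .tar.xz; older runs left .tar.bz2 files.
# Globbing in a loop (rather than `ls | ...`) also avoids aborting under
# `set -eo pipefail` when a pattern matches nothing, which previously
# stopped the script before the desktop entries were written.
for ar in firefox-*.tar.xz* firefox-*.tar.bz2*; do
  if [ -e "${ar}" ] && [ "${ar}" != "${FFARCHIVE}" ]; then
    rm -f -- "${ar}"
  fi
done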
#######################################
# Write one .desktop launcher for the installed Firefox.
# Globals:   INSTALL_PATH (read)
# Arguments: $1 - destination .desktop file
#            $2 - entry name (used for Name and X-GNOME-FullName)
#            $3 - comment text
#            $4 - command-line flags appended to the firefox binary
# Outputs:   overwrites the destination file
#######################################
write_desktop_entry() {
  local entry_file=$1
  local entry_name=$2
  local entry_comment=$3
  local exec_flags=$4

  cat > "${entry_file}" <<EOF
[Desktop Entry]
Name=${entry_name}
Comment=${entry_comment}
GenericName=Web Browser
X-GNOME-FullName=${entry_name}
Exec=${INSTALL_PATH}/firefox/firefox ${exec_flags}
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=${INSTALL_PATH}/firefox/browser/chrome/icons/default/default128.png
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https;
StartupWMClass=Firefox
StartupNotify=true
EOF
}

# Launcher that opens the profile manager.
write_desktop_entry \
  /usr/share/applications/firefox-release-profile-manager.desktop \
  "FF-Release-ProfileManager" \
  "Latest stable Firefox start ProfileManager" \
  "--ProfileManager --no-remote"

# Launcher that starts the current (default) profile.
write_desktop_entry \
  /usr/share/applications/firefox-release-default.desktop \
  "FF-Release-Default" \
  "Latest stable Firefox start current profile" \
  "--no-remote"

# Stop tracing before the final status line, then report success.
set +x
printf '%s\n' "Firefox ${VERSION} sucessfully installed in ${INSTALL_PATH}"
exit 0

thomsh commented Jun 2, 2021

Updated to support new key + DL via HTTPS as gpg.mozilla.org seems down

pub   rsa4096/0x61B7B526D98F0353 2015-07-17 [SC]
      14F26682D0916CDD81E37B6D61B7B526D98F0353
uid                   [ unknown] Mozilla Software Releases <release@mozilla.com>
sub   rsa4096/0xEBE41E90F6F12F6D 2021-05-17 [S] [expires: 2023-05-17]


thomsh commented May 16, 2023


thomsh commented Feb 7, 2025

Updated to use XZ compression
