Verify signature of firefox source tarball

squalus requested to merge squalus0/librewolf-linux:check-signature into master

Add a signature verification step after the Firefox source download step. I grabbed the key from the Mozilla releases site and committed it to a file in the repository.

I'm not sure if the gpg/gpgv tools are available in the GitLab CI environment. If not, we will have to add them in the first script.

Source of the key file: https://ftp.mozilla.org/pub/firefox/releases/95.0.2/KEY

https://blog.mozilla.org/security/2021/06/02/updating-gpg-key-for-signing-firefox-releases/
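
One way to write a verification step like the one described above, as an added example (not the code from this merge request): it checks a detached signature against a key file pinned in the repository and fails closed when inputs or the gpg/gpgv tools are missing. The function name and the three path arguments are hypothetical.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature with a repository-pinned key.
# verify_source_tarball and its arguments are illustrative names, not the project's.
verify_source_tarball() {
    key_file=$1   # ASCII-armored public key committed to the repository
    tarball=$2    # downloaded source archive
    sig_file=$3   # detached signature downloaded alongside the archive

    # Fail closed: a missing or empty input is an error, never a skipped check.
    for f in "$key_file" "$tarball" "$sig_file"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # The CI image may not ship these tools; stop the build if it does not.
    for tool in gpg gpgv; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "$tool not installed" >&2; return 3; }
    done

    workdir=$(mktemp -d) || return 4
    # gpgv reads a binary keyring, so dearmor the pinned key into a throwaway
    # file. Only this key can then validate the archive, regardless of what
    # is in the CI user's default keyring.
    if ! gpg --homedir "$workdir" --dearmor \
            < "$key_file" > "$workdir/pinned.gpg"; then
        rm -rf "$workdir"
        return 5
    fi

    # gpgv exits non-zero on a bad signature or a signature by any other key.
    gpgv --keyring "$workdir/pinned.gpg" "$sig_file" "$tarball"
    verify_rc=$?
    rm -rf "$workdir"
    return "$verify_rc"
}
```

Calling the function immediately after the download step, and aborting the build on any non-zero return, keeps an unverified archive from reaching the later build stages.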
