Verify signature of Firefox source tarball
Add a signature verification step after the Firefox source download step. I grabbed the key from the Mozilla releases site and committed it to a file in the repository.
I'm not sure if the gpg/gpgv tools are available in the GitLab CI environment. If not, we will have to add them in the first script.
Source of the key file: https://ftp.mozilla.org/pub/firefox/releases/95.0.2/KEY
https://blog.mozilla.org/security/2021/06/02/updating-gpg-key-for-signing-firefox-releases/
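
One way to write the verification step described above, as an added example that is not the merge request's own script: it checks a detached signature against only the key file committed to the repository, and fails cleanly when gpg/gpgv are absent from the CI image. The function name `verify_detached`, the file names in the usage line, and the use of a detached signature file are assumptions.

```shell
#!/bin/sh
# Added example, not the project's CI script. verify_detached and the file
# names in the usage line are hypothetical; a detached signature is assumed.

# verify_detached KEYFILE SIGFILE DATAFILE
# Returns 0 only if SIGFILE is a valid signature over DATAFILE made by a key
# contained in KEYFILE (the key file committed to the repository).
verify_detached() {
    vd_key=$1 vd_sig=$2 vd_data=$3
    for vd_f in "$vd_key" "$vd_sig" "$vd_data"; do
        [ -s "$vd_f" ] || { echo "missing or empty: $vd_f" >&2; return 2; }
    done
    if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgv >/dev/null 2>&1; then
        echo "gpg/gpgv not installed in this environment" >&2
        return 3
    fi

    # Throwaway home directory: the runner's own keyring must not influence
    # the result, only the pinned key file may.
    vd_home=$(mktemp -d) || return 2
    vd_rc=0
    gpg --homedir "$vd_home" --batch --quiet --no-default-keyring \
        --keyring "$vd_home/pinned.kbx" --import "$vd_key" 2>/dev/null || vd_rc=2

    # gpgv checks against exactly the given keyring and exits non-zero on a
    # bad signature, a signature from an unknown key, or a modified file.
    if [ "$vd_rc" -eq 0 ]; then
        gpgv --homedir "$vd_home" --keyring "$vd_home/pinned.kbx" \
            "$vd_sig" "$vd_data" || vd_rc=1
    fi
    rm -rf "$vd_home"
    return "$vd_rc"
}

# Usage in a CI step (hypothetical file names):
#   verify_detached KEY source.tar.xz.asc source.tar.xz || exit 1
```

Return code 3 separates "tools missing from the image" from "signature rejected", so the CI log shows which of the two needs fixing.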