pkgs/tools/security/tor/update.nix at 23.05-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / pkgs / tools / security / tor / update.nix
at 23.05-pre 72 lines 1.6 kB view raw
 1{ lib
 2, writeScript
 3, common-updater-scripts
 4, bash
 5, coreutils
 6, curl
 7, gnugrep
 8, gnupg
 9, gnused
10, nix
11}:
12
13with lib;
14
15let
16  downloadPageUrl = "https://dist.torproject.org";
17
18  # See https://support.torproject.org/little-t-tor/#fetching-the-tor-developers-key
19  signingKeys = [
20    "514102454D0A87DB0767A1EBBE6A0531C18A9179" # Alexander Færøy
21    "B74417EDDF22AC9F9E90F49142E86A2A11F48D36" # David Goulet
22    "2133BC600AB133E1D826D173FE43009C4607B1FB" # Nick Mathewson
23  ];
24in
25
26writeScript "update-tor" ''
27#! ${bash}/bin/bash
28
29set -eu -o pipefail
30
31export PATH=${makeBinPath [
32  common-updater-scripts
33  coreutils
34  curl
35  gnugrep
36  gnupg
37  gnused
38  nix
39]}
40
41srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
42  | grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
43  | sort -Vu \
44  | tail -n1)
45srcFile=$srcBase
46srcUrl=${downloadPageUrl}/$srcBase
47
48srcName=''${srcBase/.tar.gz/}
49srcVers=(''${srcName//-/ })
50version=''${srcVers[1]}
51
52checksumUrl=$srcUrl.sha256sum
53checksumFile=''${checksumUrl##*/}
54
55sigUrl=$checksumUrl.asc
56sigFile=''${sigUrl##*/}
57
58# upstream does not support byte ranges ...
59[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
60[[ -e "$checksumFile" ]] || curl -L -o "$checksumFile" -- "$checksumUrl"
61[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
62
63export GNUPGHOME=$PWD/gnupg
64mkdir -m 700 -p "$GNUPGHOME"
65
66gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
67gpg --batch --verify "$sigFile" "$checksumFile"
68
69sha256sum -c "$checksumFile"
70
71update-source-version tor "$version" "$(cut -d ' ' "$checksumFile")"
72''