tor.updateScript: update verification/signing keys

Upstream no longer signs the tarball directly; instead they sign the
sha256sum file[1]. Also, the signing keys have changed, and the
latest release is signed with a key we didn't have before.

[1]: https://gitlab.torproject.org/tpo/web/support/-/commit/dd17604bb3dffa77d6aacdcae52c0c38fee2ea27

+12 -11
+12 -11
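--- a/pkgs/tools/security/tor/update.nix
+++ b/pkgs/tools/security/tor/update.nix
@@ -15,14 +15,11 @@
 let
 downloadPageUrl = "https://dist.torproject.org";
 
-# See https://www.torproject.org/docs/signing-keys.html
+# See https://support.torproject.org/little-t-tor/#fetching-the-tor-developers-key
 signingKeys = [
-# Roger Dingledine
-"B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
-"F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
-# Nick Mathewson
-"2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
-"B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+"514102454D0A87DB0767A1EBBE6A0531C18A9179" # Alexander Færøy
+"B74417EDDF22AC9F9E90F49142E86A2A11F48D36" # David Goulet
+"2133BC600AB133E1D826D173FE43009C4607B1FB" # Nick Mathewson
 ];
 in
 
@@ -52,20 +49,24 @@
 srcVers=(''${srcName//-/ })
 version=''${srcVers[1]}
 
-sigUrl=$srcUrl.asc
+checksumUrl=$srcUrl.sha256sum
+checksumFile=''${checksumUrl##*/}
+
+sigUrl=$checksumUrl.asc
 sigFile=''${sigUrl##*/}
 
 # upstream does not support byte ranges ...
 [[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
+[[ -e "$checksumFile" ]] || curl -L -o "$checksumFile" -- "$checksumUrl"
 [[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
 
 export GNUPGHOME=$PWD/gnupg
 mkdir -m 700 -p "$GNUPGHOME"
 
 gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
-gpg --batch --verify "$sigFile" "$srcFile"
+gpg --batch --verify "$sigFile" "$checksumFile"
 
-sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
+sha256sum -c "$checksumFile"
 
-update-source-version tor "$version" "$sha256"
+update-source-version tor "$version" "$(cut -d ' ' "$checksumFile")"
 ''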
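Review bot: The last added line runs `cut -d ' ' "$checksumFile"` with no field list, which cut rejects, so the substitution expands to an empty string and `update-source-version` is handed no hash; it should read `cut -d ' ' -f 1 "$checksumFile"`. A failing command substitution inside an argument does not abort the script even under errexit, and the shell string starts above this hunk, so whether errexit is set at all is not visible here. Separately, `sha256sum -c "$checksumFile"` checks whichever file names the signed list contains, so nothing ties the verified digest to `$srcFile`; comparing the name field with `$srcFile` (or hashing `$srcFile` and comparing it with the signed digest) before use would bind the two. Finally, `gpg --batch --verify` accepts a signature from any key present in `$GNUPGHOME`, and `mkdir -m 700 -p` reuses an existing `$PWD/gnupg`, so keys imported by earlier runs, including the ones removed from `signingKeys` here, may still be accepted; starting from an empty keyring, or checking the signer fingerprint against `signingKeys`, would make the list authoritative.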