diff options
| author | Alyssa Ross <hi@alyssa.is> | 2022-03-07 13:51:26 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2022-03-07 13:51:26 +0000 |
| commit | 9307a4d3287b79bde380f6313a1b876bf35ef286 (patch) | |
| tree | 4bb3231becdd23c08e94a599d3fec355e4cc3f82 /pkgs/tools/security/tor | |
| parent | 03523688024b4a794c558a5f1237689471e52ad7 (diff) | |
| download | nixpkgs-9307a4d3287b79bde380f6313a1b876bf35ef286.tar nixpkgs-9307a4d3287b79bde380f6313a1b876bf35ef286.tar.gz nixpkgs-9307a4d3287b79bde380f6313a1b876bf35ef286.tar.bz2 nixpkgs-9307a4d3287b79bde380f6313a1b876bf35ef286.tar.lz nixpkgs-9307a4d3287b79bde380f6313a1b876bf35ef286.tar.xz nixpkgs-9307a4d3287b79bde380f6313a1b876bf35ef286.tar.zst nixpkgs-9307a4d3287b79bde380f6313a1b876bf35ef286.zip | |
tor.updateScript: update verification/signing keys
Upstream no longers signs the tarball directly; instead they sign the sha256sum file[1]. Also, the signing keys have changed, and the latest release is signed with a key we didn't have before. [1]: https://gitlab.torproject.org/tpo/web/support/-/commit/dd17604bb3dffa77d6aacdcae52c0c38fee2ea27
Diffstat (limited to 'pkgs/tools/security/tor')
| -rw-r--r-- | pkgs/tools/security/tor/update.nix | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/pkgs/tools/security/tor/update.nix b/pkgs/tools/security/tor/update.nix index c944883d417..50353ce32a6 100644 --- a/pkgs/tools/security/tor/update.nix +++ b/pkgs/tools/security/tor/update.nix @@ -15,14 +15,11 @@ with lib; let downloadPageUrl = "https://dist.torproject.org"; - # See https://www.torproject.org/docs/signing-keys.html + # See https://support.torproject.org/little-t-tor/#fetching-the-tor-developers-key signingKeys = [ - # Roger Dingledine - "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5" - "F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451" - # Nick Mathewson - "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB" - "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5" + "514102454D0A87DB0767A1EBBE6A0531C18A9179" # Alexander Færøy + "B74417EDDF22AC9F9E90F49142E86A2A11F48D36" # David Goulet + "2133BC600AB133E1D826D173FE43009C4607B1FB" # Nick Mathewson ]; in @@ -52,20 +49,24 @@ srcName=''${srcBase/.tar.gz/} srcVers=(''${srcName//-/ }) version=''${srcVers[1]} -sigUrl=$srcUrl.asc +checksumUrl=$srcUrl.sha256sum +checksumFile=''${checksumUrl##*/} + +sigUrl=$checksumUrl.asc sigFile=''${sigUrl##*/} # upstream does not support byte ranges ... [[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl" +[[ -e "$checksumFile" ]] || curl -L -o "$checksumFile" -- "$checksumUrl" [[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl" export GNUPGHOME=$PWD/gnupg mkdir -m 700 -p "$GNUPGHOME" gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)} -gpg --batch --verify "$sigFile" "$srcFile" +gpg --batch --verify "$sigFile" "$checksumFile" -sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile") +sha256sum -c "$checksumFile" -update-source-version tor "$version" "$sha256" +update-source-version tor "$version" "$(cut -d ' ' "$checksumFile")" '' |