Merge master into staging-next

4 files changed, 20 insertions, 19 deletions

diff --git a/pkgs/tools/security/cdk-go/default.nix b/pkgs/tools/security/cdk-go/default.nix
index 14f7e05140e..317f6092718 100644
--- a/pkgs/tools/security/cdk-go/default.nix
+++ b/pkgs/tools/security/cdk-go/default.nix
@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "cdk-go";
-  version = "1.0.4";
+  version = "1.0.5";
 
   src = fetchFromGitHub {
     owner = "cdk-team";
     repo = "CDK";
     rev = "v${version}";
-    sha256 = "1zz9jaz5nlvs52nqlaisivrnz7lz8g48qii0n2s1783a5jpkk9ml";
+    sha256 = "sha256-Ngv+/b9D27ERwjNIC3s3ZBPkV10G+tT8QW8YMOgb8aA=";
   };
 
-  vendorSha256 = "0sn709mbhfymwwfdqc5xpdz2lgimqx3xycfmq24vbfmlh8wqcs7l";
+  vendorSha256 = "sha256-9Q7f3keMUEI2cWal2dvp4b8kvTZVM1Cf4iTvH9yCyX0=";
 
   # At least one test is outdated
   doCheck = false;
diff --git a/pkgs/tools/security/tor/default.nix b/pkgs/tools/security/tor/default.nix
index 76bfee42196..571b4e7f4da 100644
--- a/pkgs/tools/security/tor/default.nix
+++ b/pkgs/tools/security/tor/default.nix
@@ -30,11 +30,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "tor";
-  version = "0.4.6.9";
+  version = "0.4.6.10";
 
   src = fetchurl {
     url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
-    sha256 = "1ad99k4wysxrnlaprv7brxr2nc0h5zdnrh0rma10pqlck2037sf7";
+    sha256 = "lMzWDgTlWPM75zAyvITqJBZg+S9Yz7iHib2miTc54xw=";
   };
 
   outputs = [ "out" "geoip" ];
diff --git a/pkgs/tools/security/tor/update.nix b/pkgs/tools/security/tor/update.nix
index c944883d417..50353ce32a6 100644
--- a/pkgs/tools/security/tor/update.nix
+++ b/pkgs/tools/security/tor/update.nix
@@ -15,14 +15,11 @@ with lib;
 let
   downloadPageUrl = "https://dist.torproject.org";
 
-  # See https://www.torproject.org/docs/signing-keys.html
+  # See https://support.torproject.org/little-t-tor/#fetching-the-tor-developers-key
   signingKeys = [
-    # Roger Dingledine
-    "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
-    "F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
-    # Nick Mathewson
-    "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
-    "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+    "514102454D0A87DB0767A1EBBE6A0531C18A9179" # Alexander Færøy
+    "B74417EDDF22AC9F9E90F49142E86A2A11F48D36" # David Goulet
+    "2133BC600AB133E1D826D173FE43009C4607B1FB" # Nick Mathewson
   ];
 in
 
@@ -52,20 +49,24 @@ srcName=''${srcBase/.tar.gz/}
 srcVers=(''${srcName//-/ })
 version=''${srcVers[1]}
 
-sigUrl=$srcUrl.asc
+checksumUrl=$srcUrl.sha256sum
+checksumFile=''${checksumUrl##*/}
+
+sigUrl=$checksumUrl.asc
 sigFile=''${sigUrl##*/}
 
 # upstream does not support byte ranges ...
 [[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
+[[ -e "$checksumFile" ]] || curl -L -o "$checksumFile" -- "$checksumUrl"
 [[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
 
 export GNUPGHOME=$PWD/gnupg
 mkdir -m 700 -p "$GNUPGHOME"
 
 gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
-gpg --batch --verify "$sigFile" "$srcFile"
+gpg --batch --verify "$sigFile" "$checksumFile"
 
-sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
+sha256sum -c "$checksumFile"
 
-update-source-version tor "$version" "$sha256"
+update-source-version tor "$version" "$(cut -d ' ' "$checksumFile")"
 ''
diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix
index 6f1de7b45a9..458e2a53389 100644
--- a/pkgs/tools/security/vault/default.nix
+++ b/pkgs/tools/security/vault/default.nix
@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "vault";
-  version = "1.9.3";
+  version = "1.9.4";
 
   src = fetchFromGitHub {
     owner = "hashicorp";
     repo = "vault";
     rev = "v${version}";
-    sha256 = "sha256-2pysQsJynuedqX9Yi4BjTnWuJZ5XTq11UEgkSh7eZyw=";
+    sha256 = "sha256-zqtRM2p+RrLrXzDCMtHJZNx/dKWyFqM+3V5eICwWvWs=";
   };
 
-  vendorSha256 = "sha256-LNN0u48B6xGjrUasxGF+4sw1HxiR22hj8H2/mSyh1SI=";
+  vendorSha256 = "sha256-EiQ6XmGrw1O2Zd8TM7HSr3sQUd1naQYKbYLKB/vWdXU=";
 
   subPackages = [ "." ];