author | Joachim Fasting <joachifm@fastmail.fm> | 2018-03-04 23:11:09 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2018-03-04 23:47:01 +0100 |
commit | 9c0e9f6a3055c0b6f84e006858b82cf69c4de4ab (patch) | |
tree | 704bab5f28dcc01015749bf912fae33ebab4dd99 /pkgs/tools | |
parent | afe11c592970efd82fd739f62f0079c3df7173f9 (diff) | |
tor: initial updateScript
Tested briefly, seems to work okay. The gpg stuff could be better, however.
Diffstat (limited to 'pkgs/tools')
-rw-r--r-- | pkgs/tools/security/tor/default.nix | 28 | ||||
-rw-r--r-- | pkgs/tools/security/tor/update.nix | 72 |
2 files changed, 100 insertions, 0 deletions
diff --git a/pkgs/tools/security/tor/default.nix b/pkgs/tools/security/tor/default.nix
index 4e8dbab00173..44c11d2814af 100644
--- a/pkgs/tools/security/tor/default.nix
+++ b/pkgs/tools/security/tor/default.nix
@@ -1,5 +1,17 @@
 { stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
 , libseccomp, systemd, libcap
+
+# for update.nix
+, writeScript
+, runCommand
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
 }:
 
 stdenv.mkDerivation rec {
@@ -34,6 +46,22 @@ stdenv.mkDerivation rec {
   doCheck = true;
 
+  passthru.updateScript = import ./update.nix {
+    inherit (stdenv) lib;
+    inherit
+      writeScript
+      runCommand
+      common-updater-scripts
+      bash
+      coreutils
+      curl
+      gnupg
+      gnugrep
+      gnused
+      nix
+    ;
+  };
+
   meta = with stdenv.lib; {
     homepage = https://www.torproject.org/;
     repositories.git = https://git.torproject.org/git/tor;
diff --git a/pkgs/tools/security/tor/update.nix b/pkgs/tools/security/tor/update.nix
new file mode 100644
index 000000000000..6a7682a8f578
--- /dev/null
+++ b/pkgs/tools/security/tor/update.nix
@@ -0,0 +1,72 @@
+{ lib
+, writeScript
+, runCommand
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+
+with lib;
+
+let
+  downloadPageUrl = "https://dist.torproject.org";
+
+  # See https://www.torproject.org/docs/signing-keys.html
+  signingKeys = [
+    # Roger Dingledine
+    "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+    "F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
+    # Nick Mathewson
+    "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
+    "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+  ];
+in
+
+writeScript "update-tor" ''
+#! ${bash}/bin/bash
+
+set -eu -o pipefail
+
+export PATH=${makeBinPath [
+  common-updater-scripts
+  coreutils
+  curl
+  gnugrep
+  gnupg
+  gnused
+  nix
+]}
+
+srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
+  | grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
+  | sort -Vu \
+  | tail -n1)
+srcFile=$srcBase
+srcUrl=${downloadPageUrl}/$srcBase
+
+srcName=''${srcBase/.tar.gz/}
+srcVers=(''${srcName//-/ })
+version=''${srcVers[1]}
+
+sigUrl=$srcUrl.asc
+sigFile=''${sigUrl##*/}
+
+# upstream does not support byte ranges ...
+[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
+[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
+
+export GNUPGHOME=$PWD/gnupg
+mkdir -m 700 -p "$GNUPGHOME"
+
+gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
+gpg --batch --verify "$sigFile" "$srcFile"
+
+sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
+
+update-source-version tor "$version" "$sha256"
+'' |
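Review bot: The second fingerprint under `# Nick Mathewson` in `signingKeys` (`B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5`) is the same key already listed under Roger Dingledine, so the list pins only three distinct keys and the entry is presumably a copy-paste slip for Nick's actual second key from the linked signing-keys page; it should be corrected or dropped. `gpg --batch --recv-keys` fetches from whatever keyserver the default configuration points at, with no `--keyserver hkps://...` pinning, so whatever key material the server hands back for those fingerprints is what ends up in the fresh `$GNUPGHOME` and is then accepted by `gpg --batch --verify`; running verify with `--status-fd 1` and checking that the `VALIDSIG` fingerprint is one of `signingKeys` would make the trust decision independent of the keyserver response. Note also that, as far as I recall, `gpg --verify` exits 0 for a good signature from an expired key (`EXPKEYSIG`), so `set -e` will not catch that case — worth confirming that is acceptable for an updater, or filtering on `GOODSIG`/`VALIDSIG` explicitly.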