Diffstat (limited to 'nixpkgs/pkgs/tools/security/tor/update.nix')
-rw-r--r-- | nixpkgs/pkgs/tools/security/tor/update.nix | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/tor/update.nix b/nixpkgs/pkgs/tools/security/tor/update.nix
new file mode 100644
index 000000000000..c944883d4178
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tor/update.nix
@@ -0,0 +1,71 @@
+{ lib
+, writeScript
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+
+with lib;
+
+let
+ downloadPageUrl = "https://dist.torproject.org";
+
+ # See https://www.torproject.org/docs/signing-keys.html
+ signingKeys = [
+ # Roger Dingledine
+ "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+ "F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
+ # Nick Mathewson
+ "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
+ "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+ ];
+in
+
+writeScript "update-tor" ''
+#! ${bash}/bin/bash
+
+set -eu -o pipefail
+
+export PATH=${makeBinPath [
+ common-updater-scripts
+ coreutils
+ curl
+ gnugrep
+ gnupg
+ gnused
+ nix
+]}
+
+srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
+ | grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
+ | sort -Vu \
+ | tail -n1)
+srcFile=$srcBase
+srcUrl=${downloadPageUrl}/$srcBase
+
+srcName=''${srcBase/.tar.gz/}
+srcVers=(''${srcName//-/ })
+version=''${srcVers[1]}
+
+sigUrl=$srcUrl.asc
+sigFile=''${sigUrl##*/}
+
+# upstream does not support byte ranges ...
+[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
+[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
+
+export GNUPGHOME=$PWD/gnupg
+mkdir -m 700 -p "$GNUPGHOME"
+
+gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
+gpg --batch --verify "$sigFile" "$srcFile"
+
+sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
+
+update-source-version tor "$version" "$sha256"
+'' |
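Review bot: The `gpg --batch --verify "$sigFile" "$srcFile"` step near the end of the script is not pinned to `signingKeys`, because `GNUPGHOME=$PWD/gnupg` is created with `mkdir -p` and therefore reuses whatever keyring already sits in the working directory; a good signature from any key in that keyring lets the verify exit 0 and the hash gets written into the package. A fresh keyring per run limits the accepted signers to the keys fetched from the list: `GNUPGHOME=$(mktemp -d)`, `export GNUPGHOME`, `trap 'rm -rf -- "$GNUPGHOME"' EXIT` (`mktemp` comes from the `coreutils` already on `PATH`). Separately, the fingerprint `B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5` appears under both the "Roger Dingledine" and the "Nick Mathewson" comments, which looks like a copy-paste slip and should be checked against the signing-keys page the comment cites. The two cached downloads also use `curl -L` without `--fail`, so an HTTP error page would be saved under `$srcFile` or `$sigFile` and then reused on the next run by the `[[ -e ... ]]` guards until it is deleted by hand.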