Date: Saturday, May 21, 2022 @ 23:54:25 Author: anthraxx Revision: 1209908
upgpkg: tor 0.4.7.7-2: reactivate pgp signature verification Tor 0.4.6.10 switched to exclusively sign the checksum files instead of the actual source tarballs. Lets ensure the signatures are always checked my downloading the signed sums file alongside the signature and source tarball. Makepkg checks the signature on the sumsfile, afterwards we use the prepare() function of makepkg to verify the sums file against the actual source tarball. Valid signing fingerprints have been updated According to: https://support.torproject.org/little-t-tor/verify-little-t-tor/ Note that for Alexander F{U+00E6}r{U+00F8}y key, we list the actual fingerprint of the root certificate instead of the signing subkey ed25519/BE6A0531C18A9179 Modified: tor/trunk/PKGBUILD ----------+ PKGBUILD | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) Modified: PKGBUILD ===================================================================
--- PKGBUILD 2022-05-21 23:34:04 UTC (rev 1209907)
+++ PKGBUILD 2022-05-21 23:54:25 UTC (rev 1209908)
@@ -7,7 +7,7 @@
 pkgname=tor
 pkgver=0.4.7.7
-pkgrel=1
+pkgrel=2
 pkgdesc='Anonymizing overlay network.'
 arch=('x86_64')
 url='https://www.torproject.org/download/tor/'
@@ -17,18 +17,27 @@ optdepends=('torsocks: for torify') makedepends=('ca-certificates' 'systemd') backup=('etc/tor/torrc') -source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz" +source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz"{,.sha256sum{,.asc}} 'torrc.patch' 'tor.sysusers' 'tor.tmpfiles' 'tor.service') b2sums=('18acfbe017b2ad456184f6031881149717f6fecad0d3e6daf90241a5a8ef296c32a36ace266d38b703f34b66d71e282c803f03f2059502c6ff6f4fdfb6641a97' + '09e715beaf05926c4cdc13a43c8cd31ec2f477876a8a13915416d7ac955622c10c77177a1a0d7a7c4eb5a6c1256170379692c42dd2161889c51018f43f4a3398' + 'SKIP' '3359e138d823a77df2a42ce3fe8c6ecb4004e9ec191863db7857aceea7c136c78f09518b1a199dfd3215f5d61f1c060f4a0e2141c5bdb6b847af60fb6e9a81a7' '9053da53926f2120ac57b6c1442238f5bbd89bf9270347c4e00b721b39939bebc6adfcf814a9d7289dfd14d085d91c193529305336db93190da5b7f586a031df' '5d55d9a7e42b6ce78b8ab985bab37afe8f0bacddb5abd895c4a490adb8f98b9422f90b40066fef05ecf37b7b21e80aadc615c4b7f6e12b05581304113a1b1f1d' '327c1a35c3d4c44f93edb47959c8c41ab6af4cbfcbb8f4e9f54f2f69d17d148bf85e2d2c8aefe2d3165e123056dd68a248af78d1ba713b94a4e6d27a9cf412f1') +validpgpkeys=( + '2133BC600AB133E1D826D173FE43009C4607B1FB' # Nick Mathewson + 'B74417EDDF22AC9F9E90F49142E86A2A11F48D36' # David Goulet + '1C1BC007A9F607AA8152C040BEA7B180B1491921' # Alexander Færøy +) prepare() { + # verify the signed sums match the expected source tarball + sha256sum -c ${pkgname}-${pkgver}.tar.gz.sha256sum cd ${pkgname}-${pkgver} # uncomment essential config sections in the torrc file patch -Np1 < "${srcdir}/torrc.patch"
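Review bot: The new `sha256sum -c` line in prepare() still exits zero when a line of the sums file it cannot parse is only skipped with a warning, so the tarball's entry could go unchecked as long as some other line in the signed file verifies; `--strict` turns such lines into a failure, and the filename should be quoted like the other paths in this file: `sha256sum --strict -c "${pkgname}-${pkgver}.tar.gz.sha256sum"`. The check also only aborts the build if makepkg runs prepare() with errexit enabled, which I believe it does but the hunk does not show, so an explicit `|| return 1` would make the intent visible to a reader of the PKGBUILD. Note that the verification relies on the signed sums file naming the tarball exactly as `${pkgname}-${pkgver}.tar.gz` relative to $srcdir; a mismatch fails loudly, which is the right direction, but a one-line comment stating that assumption next to the call would help the next maintainer. The body of prepare() continues past the end of the hunk; the pkgrel bump in the first hunk needs no note.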