Date: Saturday, May 21, 2022 @ 23:54:25
  Author: anthraxx
Revision: 1209908

upgpkg: tor 0.4.7.7-2: reactivate pgp signature verification

Tor 0.4.6.10 switched to exclusively sign the checksum files instead of
the actual source tarballs. Let's ensure the signatures are always
checked by downloading the signed sums file alongside the signature and
source tarball. Makepkg checks the signature on the sums file, afterwards
we use the prepare() function of makepkg to verify the sums file against
the actual source tarball.

Valid signing fingerprints have been updated According to:
https://support.torproject.org/little-t-tor/verify-little-t-tor/

Note that for Alexander F{U+00E6}r{U+00F8}y key, we list the actual fingerprint 
of the
root certificate instead of the signing subkey ed25519/BE6A0531C18A9179

Modified:
  tor/trunk/PKGBUILD

----------+
 PKGBUILD |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2022-05-21 23:34:04 UTC (rev 1209907)
+++ PKGBUILD    2022-05-21 23:54:25 UTC (rev 1209908)
@@ -7,7 +7,7 @@
 
 pkgname=tor
 pkgver=0.4.7.7
-pkgrel=1
+pkgrel=2
 pkgdesc='Anonymizing overlay network.'
 arch=('x86_64')
 url='https://www.torproject.org/download/tor/'
@@ -17,18 +17,27 @@
 optdepends=('torsocks: for torify')
 makedepends=('ca-certificates' 'systemd')
 backup=('etc/tor/torrc')
-source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz";
+source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz"{,.sha256sum{,.asc}}
         'torrc.patch'
         'tor.sysusers'
         'tor.tmpfiles'
         'tor.service')
 
b2sums=('18acfbe017b2ad456184f6031881149717f6fecad0d3e6daf90241a5a8ef296c32a36ace266d38b703f34b66d71e282c803f03f2059502c6ff6f4fdfb6641a97'
+        
'09e715beaf05926c4cdc13a43c8cd31ec2f477876a8a13915416d7ac955622c10c77177a1a0d7a7c4eb5a6c1256170379692c42dd2161889c51018f43f4a3398'
+        'SKIP'
         
'3359e138d823a77df2a42ce3fe8c6ecb4004e9ec191863db7857aceea7c136c78f09518b1a199dfd3215f5d61f1c060f4a0e2141c5bdb6b847af60fb6e9a81a7'
         
'9053da53926f2120ac57b6c1442238f5bbd89bf9270347c4e00b721b39939bebc6adfcf814a9d7289dfd14d085d91c193529305336db93190da5b7f586a031df'
         
'5d55d9a7e42b6ce78b8ab985bab37afe8f0bacddb5abd895c4a490adb8f98b9422f90b40066fef05ecf37b7b21e80aadc615c4b7f6e12b05581304113a1b1f1d'
         
'327c1a35c3d4c44f93edb47959c8c41ab6af4cbfcbb8f4e9f54f2f69d17d148bf85e2d2c8aefe2d3165e123056dd68a248af78d1ba713b94a4e6d27a9cf412f1')
+validpgpkeys=(
+  '2133BC600AB133E1D826D173FE43009C4607B1FB' # Nick Mathewson
+  'B74417EDDF22AC9F9E90F49142E86A2A11F48D36' # David Goulet
+  '1C1BC007A9F607AA8152C040BEA7B180B1491921' # Alexander Færøy
+)
 
 prepare() {
+  # verify the signed sums match the expected source tarball
+  sha256sum -c ${pkgname}-${pkgver}.tar.gz.sha256sum
   cd ${pkgname}-${pkgver}
   # uncomment essential config sections in the torrc file
   patch -Np1 < "${srcdir}/torrc.patch"
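Review bot: The `sha256sum -c` line added to prepare() only fails for a listed entry that mismatches, so a sums file that omits `${pkgname}-${pkgver}.tar.gz`, or one whose lines are malformed (silently skipped unless `--strict` is given), would pass without actually verifying the tarball; the b2sum pinned on the `.sha256sum` source limits this today, but the check is cheap to tighten to `sha256sum --strict -c "${pkgname}-${pkgver}.tar.gz.sha256sum"`. It would also help to extend the comment above it to say that makepkg has already verified the `.asc` signature against validpgpkeys before prepare() runs, since that ordering is what makes the sums check meaningful. If makepkg does not run prepare() with errexit in this setup, the line additionally needs an explicit `|| return 1` so a mismatch aborts the build instead of continuing into the patch step. The prepare() body continues past the end of the hunk.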
