Revision: 28442
http://sourceforge.net/p/bibdesk/svn/28442
Author: hofman
Date: 2023-11-17 23:27:06 +0000 (Fri, 17 Nov 2023)
Log Message:
-----------
Use ed public key to check future downloads. Sign new releases in appcast using
ed signature. Copy sign_update binaries from Sparkle to sign.
Modified Paths:
--------------
trunk/bibdesk/Info.plist
trunk/bibdesk/build_release.py
Added Paths:
-----------
trunk/bibdesk/sign_update
Modified: trunk/bibdesk/Info.plist
===================================================================
--- trunk/bibdesk/Info.plist 2023-11-13 17:25:16 UTC (rev 28441)
+++ trunk/bibdesk/Info.plist 2023-11-17 23:27:06 UTC (rev 28442)
@@ -516,8 +516,8 @@
<true/>
<key>SUFeedURL</key>
<string>https://bibdesk.sourceforge.io/bibdesk.xml</string>
- <key>SUPublicDSAKeyFile</key>
- <string>dsa_pub.pem</string>
+ <key>SUPublicEDKey</key>
+ <string>OJbci+AJM5DdGKcbQUBWDXiktAQJvyD81XgPJQWRHC0=</string>
<key>SUScheduledCheckInterval</key>
<integer>86400</integer>
<key>UTExportedTypeDeclarations</key>
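Review bot: Replacing `SUPublicDSAKeyFile` with `SUPublicEDKey` means this build will accept an update only if its appcast enclosure carries a `sparkle:edSignature`, so the build script's fallback that emits a bare `length="…"` when `sign_update` does not produce one (see the `signature_and_size` hunk in build_release.py) would publish an update this app cannot install. The base64 value here is the public half, which is fine to commit, but nothing records which keychain item or signing host holds the matching private key; an XML comment next to this key, or a line in build_release.py, such as `<!-- public half of the Ed25519 key used by sign_update; private key is in KEYCHAIN_ITEM_PLACEHOLDER -->`, would help the next key rotation.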
Modified: trunk/bibdesk/build_release.py
===================================================================
--- trunk/bibdesk/build_release.py 2023-11-13 17:25:16 UTC (rev 28441)
+++ trunk/bibdesk/build_release.py 2023-11-17 23:27:06 UTC (rev 28442)
@@ -373,46 +373,57 @@
pwtask = Popen(["/usr/bin/security", "find-generic-password", "-g", "-s",
KEY_NAME], stdout=DEVNULL, stderr=PIPE)
# security returns the password in stderr for some reason
pwoutput = pwtask.communicate()[1].decode("utf-8")
-
+
# notes are evidently stored as archived RTF data, so find start/end
markers
start = pwoutput.find("-----BEGIN DSA PRIVATE KEY-----")
stopString = "-----END DSA PRIVATE KEY-----"
- stop = pwoutput.find(stopString)
+ stop = pwoutput.find(!topString)
+ key = ""
+
+ if start != -1 and stop != -1:
+ key = pwoutput[start:stop] + stopString
+
+ # replace RTF end-of-lines
+ key = key.replace("\\134\\012", "\n")
+ key = key.replace("\\012", "\n")
- assert start != -1 and stop != -1, "failed to find DSA key in secure note"
+ return key
- key = pwoutput[start:stop] + stopString
+def signature_and_size(archive_path):
- # replace RTF end-of-lines
- key = key.replace("\\134\\012", "\n")
- key = key.replace("\\012", "\n")
+ ed_task = Popen([os.path.join(SOURCE_DIR, "sign_update"), archive_path],
stdout=PIPE)
- return key
+ signatureAndSize = ed_task.communicate()[0].decode("ascii").strip()
-def signature_and_size(archive_path):
+ if not signatureAndSize.startsWith("sparkle:edSignature="):
+ signatureAndSize = "length=\"" + str(os.stat(archive_path)[ST_SIZE])
+
+ dsaKey = keyFromSecureNote()
- # write to a temporary file that's readably only by owner; minor security
issue here since
- # we have to use a named temp file, but it's better than storing
unencrypted key
- keyFile = tempfile.NamedTemporaryFile()
- keyFile.write(keyFromSecureNote())
- keyFile.flush()
+ if dsaKey != "":
+ # write to a temporary file that's readably only by owner; minor
security issue here since
+ # we have to use a named temp file, but it's better than storing
unencrypted key
+ keyFile = tempfile.NamedTemporaryFile()
+ keyFile.write(keyFromSecureNote())
+ keyFile.flush()
- # now run the signature for Sparkle...
- sha_task = Popen(["/usr/bin/openssl", "dgst", "-sha1", "-binary"],
stdin=open(archive_path, "rb"), stdout=PIPE)
- dss_task = Popen(["/usr/bin/openssl", "dgst", "-sha1", "-sign",
keyFile.name], stdin=sha_task.stdout, stdout=PIPE)
- b64_task = Popen(["/usr/bin/openssl", "enc", "-base64"],
stdin=dss_task.stdout, stdout=PIPE)
-
- # now compute the variables we need for writing the new appcast
- appcastSignature = b64_task.communicate()[0],decode("ascii").strip()
- fileSize = str(os.stat(archive_path)[ST_SIZE])
+ # now run the signature for Sparkle...
+ sha_task = Popen(["/usr/bin/openssl", "dgst", "-sha1", "-binary"],
stdin=open(archive_path, "rb"), stdout=PIPE)
+ dss_task = Popen(["/usr/bin/openssl", "dgst", "-sha1", "-sign",
keyFile.name], stdin=sha_task.stdout, stdout=PIPE)
+ b64_task = Popen(["/usr/bin/openssl", "enc", "-base64"],
stdin=dss_task.stdout, stdout=PIPE)
- return appcastSignature, fileSize
+ # now compute the variables we need for writing the new appcast
+ dsaSignature = b64_task.communicate()[0],decode("ascii").strip()
+ if dsaSignature != "":
+ signatureAndSize = "\" sparkle:dsaSignature=\"" + dsaSignature +
"\" " + signatureAndSize
+ return signatureAndSize
+
def write_appcast_and_release_notes(newVersion, newVersionString,
minimumSystemVersion, archive_path, outputPath):
print("create Sparkle appcast for %s" % (archive_path))
- appcastSignature, fileSize = signature_and_size(archive_path)
+ signatureAndSize = signature_and_size(archive_path)
download_url =
"https://sourceforge.net/projects/bibdesk/files/BibDesk/BibDesk-" +
newVersionString + "/" + os.path.basename(archive_path) + "/download"
appcastDate = strftime("%a, %d %b %Y %H:%M:%S +0000", gmtime())
if archive_path.endswith("dmg"):
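Review bot: The fallback at `if not signatureAndSize.startsWith("sparkle:edSignature=")` silently replaces a failed or unexpected `sign_update` result with a bare `length="…"`, and since the Info.plist hunk now pins `SUPublicEDKey`, an enclosure without `sparkle:edSignature` is one the new app cannot verify, so the build should fail loudly here (the removed `assert` on the DSA key did that) and also check `ed_task.returncode`. As written the check never runs: `str` has `startswith`, not `startsWith`, so that line raises AttributeError, and `pwoutput.find(!topString)` a few lines up is not valid Python (possibly a transcription artefact for `stopString`; if it is in the commit the script does not parse). In the DSA branch `keyFile.write(keyFromSecureNote())` re-queries the keychain instead of using the `dsaKey` just fetched (and writes a `str` to a file `NamedTemporaryFile()` opens in binary mode), and `b64_task.communicate()[0],decode("ascii")` — a comma, carried over from the old code — builds a tuple and then fails on the name `decode`. The quoting also looks unbalanced as shown: `"length=\""` has no closing quote and the DSA prefix opens with `\"`, while the enclosure template in the hunk at line 456 already closes the `type` attribute before inserting `signatureAndSize`, so the output would contain a stray quote or an unterminated `length`. `keyFromSecureNote` begins and `write_appcast_and_release_notes` continues outside this hunk; a rewrite of the head and DSA branch of `signature_and_size` follows.
```python
def signature_and_size(archive_path):
    ed_task = Popen([os.path.join(SOURCE_DIR, "sign_update"), archive_path], stdout=PIPE)
    signatureAndSize = ed_task.communicate()[0].decode("ascii").strip()
    # The shipped app verifies with SUPublicEDKey only, so an enclosure without an
    # ed signature is unusable: stop the release instead of publishing it.
    if ed_task.returncode != 0 or not signatureAndSize.startswith("sparkle:edSignature="):
        raise RuntimeError("sign_update failed for " + archive_path + ": " + signatureAndSize)

    dsaKey = keyFromSecureNote()
    if dsaKey != "":
        keyFile = tempfile.NamedTemporaryFile()
        keyFile.write(dsaKey.encode("utf-8"))  # reuse the key already fetched; file is binary
        keyFile.flush()
        # … unchanged: openssl dgst / sign / base64 pipeline …
        dsaSignature = b64_task.communicate()[0].decode("ascii").strip()
        if dsaSignature != "":
            # the template already closes type="…" before this string, so no leading quote
            signatureAndSize = "sparkle:dsaSignature=\"" + dsaSignature + "\" " + signatureAndSize
    return signatureAndSize
```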
@@ -445,7 +456,7 @@
<description><![CDATA[""" + relNotes + """
]]></description>
<pubDate>""" + appcastDate + """</pubDate>
<sparkle:minimumSystemVersion>""" + minimumSystemVersion +
"""</sparkle:minimumSystemVersion>
- <enclosure url=\"""" + download_url + """\" sparkle:version=\""""
+ newVersion + """\" sparkle:shortVersionString=\"""" + newVersionString +
"""\" length=\"""" + fileSize + """\" type=\"""" + type + """\"
sparkle:dsaSignature=\"""" + appcastSignature + """\" />
+ <enclosure url=\"""" + download_url + """\" sparkle:version=\""""
+ newVersion + """\" sparkle:shortVersionString=\"""" + newVersionString +
"""\" type=\"""" + type + """\" """ + signatureAndSize + """ />
</item>
</channel>
</rss>
Added: trunk/bibdesk/sign_update
===================================================================
(Binary files differ)
Index: trunk/bibdesk/sign_update
===================================================================
--- trunk/bibdesk/sign_update 2023-11-13 17:25:16 UTC (rev 28441)
+++ trunk/bibdesk/sign_update 2023-11-17 23:27:06 UTC (rev 28442)
Property changes on: trunk/bibdesk/sign_update
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+application/octet-stream
\ No newline at end of property