tor: initial updateScript
Tested briefly, seems to work okay. The gpg stuff could be better, however.
This commit is contained in:
parent
afe11c5929
commit
9c0e9f6a30
@ -1,5 +1,17 @@
|
||||
{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
|
||||
, libseccomp, systemd, libcap
|
||||
|
||||
# for update.nix
|
||||
, writeScript
|
||||
, runCommand
|
||||
, common-updater-scripts
|
||||
, bash
|
||||
, coreutils
|
||||
, curl
|
||||
, gnugrep
|
||||
, gnupg
|
||||
, gnused
|
||||
, nix
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
@ -34,6 +46,22 @@ stdenv.mkDerivation rec {
|
||||
|
||||
doCheck = true;
|
||||
|
||||
passthru.updateScript = import ./update.nix {
|
||||
inherit (stdenv) lib;
|
||||
inherit
|
||||
writeScript
|
||||
runCommand
|
||||
common-updater-scripts
|
||||
bash
|
||||
coreutils
|
||||
curl
|
||||
gnupg
|
||||
gnugrep
|
||||
gnused
|
||||
nix
|
||||
;
|
||||
};
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
homepage = https://www.torproject.org/;
|
||||
repositories.git = https://git.torproject.org/git/tor;
|
||||
|
72
pkgs/tools/security/tor/update.nix
Normal file
72
pkgs/tools/security/tor/update.nix
Normal file
@ -0,0 +1,72 @@
|
||||
{ lib
|
||||
, writeScript
|
||||
, runCommand
|
||||
, common-updater-scripts
|
||||
, bash
|
||||
, coreutils
|
||||
, curl
|
||||
, gnugrep
|
||||
, gnupg
|
||||
, gnused
|
||||
, nix
|
||||
}:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
downloadPageUrl = "https://dist.torproject.org";
|
||||
|
||||
# See https://www.torproject.org/docs/signing-keys.html
|
||||
signingKeys = [
|
||||
# Roger Dingledine
|
||||
"B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
|
||||
"F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
|
||||
# Nick Mathewson
|
||||
"2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
|
||||
"B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
|
||||
];
|
||||
in
|
||||
|
||||
writeScript "update-tor" ''
|
||||
#! ${bash}/bin/bash
|
||||
|
||||
set -eu -o pipefail
|
||||
|
||||
export PATH=${makeBinPath [
|
||||
common-updater-scripts
|
||||
coreutils
|
||||
curl
|
||||
gnugrep
|
||||
gnupg
|
||||
gnused
|
||||
nix
|
||||
]}
|
||||
|
||||
srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
|
||||
| grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
|
||||
| sort -Vu \
|
||||
| tail -n1)
|
||||
srcFile=$srcBase
|
||||
srcUrl=${downloadPageUrl}/$srcBase
|
||||
|
||||
srcName=''${srcBase/.tar.gz/}
|
||||
srcVers=(''${srcName//-/ })
|
||||
version=''${srcVers[1]}
|
||||
|
||||
sigUrl=$srcUrl.asc
|
||||
sigFile=''${sigUrl##*/}
|
||||
|
||||
# upstream does not support byte ranges ...
|
||||
[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
|
||||
[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
|
||||
|
||||
export GNUPGHOME=$PWD/gnupg
|
||||
mkdir -m 700 -p "$GNUPGHOME"
|
||||
|
||||
gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
|
||||
gpg --batch --verify "$sigFile" "$srcFile"
|
||||
|
||||
sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
|
||||
|
||||
update-source-version tor "$version" "$sha256"
|
||||
''
|
Loading…
x
Reference in New Issue
Block a user