public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tor: initial updateScript

Browse Source 
Tested briefly, seems to work okay. The gpg stuff could be better,
however.
This commit is contained in:
Joachim Fasting 2018-03-04 23:11:09 +01:00
parent afe11c5929
commit 9c0e9f6a30
No known key found for this signature in database
GPG Key ID: 5C204DF675C90294
2 changed files with 100 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
pkgs/tools/security/tor/default.nix
View File

@ -1,5 +1,17 @@
{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks { stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
, libseccomp, systemd, libcap , libseccomp, systemd, libcap
# for update.nix
, writeScript
, runCommand
, common-updater-scripts
, bash
, coreutils
, curl
, gnugrep
, gnupg
, gnused
, nix
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -34,6 +46,22 @@ stdenv.mkDerivation rec {
doCheck = true; doCheck = true;
passthru.updateScript = import ./update.nix {
inherit (stdenv) lib;
inherit
writeScript
runCommand
common-updater-scripts
bash
coreutils
curl
gnupg
gnugrep
gnused
nix
;
};
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = https://www.torproject.org/; homepage = https://www.torproject.org/;
repositories.git = https://git.torproject.org/git/tor; repositories.git = https://git.torproject.org/git/tor;

72
pkgs/tools/security/tor/update.nix Normal file
View File

@ -0,0 +1,72 @@
{ lib
, writeScript
, runCommand
, common-updater-scripts
, bash
, coreutils
, curl
, gnugrep
, gnupg
, gnused
, nix
}:
with lib;
let
downloadPageUrl = "https://dist.torproject.org";
# See https://www.torproject.org/docs/signing-keys.html
signingKeys = [
# Roger Dingledine
"B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
"F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
# Nick Mathewson
"2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
"B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
];
in
writeScript "update-tor" ''
#! ${bash}/bin/bash
set -eu -o pipefail
export PATH=${makeBinPath [
common-updater-scripts
coreutils
curl
gnugrep
gnupg
gnused
nix
]}
srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
| grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
| sort -Vu \
| tail -n1)
srcFile=$srcBase
srcUrl=${downloadPageUrl}/$srcBase
srcName=''${srcBase/.tar.gz/}
srcVers=(''${srcName//-/ })
version=''${srcVers[1]}
sigUrl=$srcUrl.asc
sigFile=''${sigUrl##*/}
# upstream does not support byte ranges ...
[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
export GNUPGHOME=$PWD/gnupg
mkdir -m 700 -p "$GNUPGHOME"
gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
gpg --batch --verify "$sigFile" "$srcFile"
sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
update-source-version tor "$version" "$sha256"
''