Diffstat (limited to 'desktop/scripts/get-tor.py')
-rw-r--r-- | desktop/scripts/get-tor.py | 39 |
1 files changed, 23 insertions, 16 deletions
diff --git a/desktop/scripts/get-tor.py b/desktop/scripts/get-tor.py
index 30a86ed1..12bf0b50 100644
--- a/desktop/scripts/get-tor.py
+++ b/desktop/scripts/get-tor.py
@@ -9,11 +9,12 @@ import subprocess
 import requests
 import click
 import tempfile
-import johnnycanencrypt as jce
+import gnupg
 torbrowser_latest_url = (
 "https://aus1.torproject.org/torbrowser/update_3/release/downloads.json"
 )
+tor_dev_fingerprint = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
 # Common paths
 root_path = os.path.dirname(
@@ -35,7 +36,7 @@ def get_latest_tor_version_urls(platform):
 return platform_url, platform_filename, platform_sig_url
-def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
+def get_tor_windows(gpg, torkey, win_url, win_filename, expected_win_sig):
 bin_filenames = ["tor.exe"]
 # Build paths
@@ -60,8 +61,10 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
 open(win_sig_path, "wb").write(r.content)
 # Verify the signature
- if not ks.verify_file_detached(torkey, win_path, win_sig_path):
- print("ERROR! The .exe file verification with the signature failed!")
+ sig_stream = open(win_sig_path, "rb")
+ verified = gpg.verify_file(sig_stream, win_path)
+ if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
+ print("ERROR! The tarball verification with the signature failed!")
 sys.exit(-1)
 print("Tor Browser verification successful!")
@@ -107,7 +110,7 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
 update_tor_bridges()
-def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
+def get_tor_macos(gpg, torkey, macos_url, macos_filename, expected_macos_sig):
 # Build paths
 dmg_tor_path = os.path.join(
 "/Volumes", "Tor Browser", "Tor Browser.app", "Contents"
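Review bot: The new `tor_dev_fingerprint` constant in the first hunk carries no comment saying which key it pins or which field it is meant to be compared with. The verification hunks compare it with `verified.pubkey_fingerprint`, which python-gnupg fills with the primary-key fingerprint even when a subkey made the signature, so the constant has to be the primary-key fingerprint of the bundled key. I would add above it `# Primary-key fingerprint of the bundled Tor signing key (scripts/kounek7zrdx745qydx6p59t9mqjpuhdf); compared with Verify.pubkey_fingerprint`, so that a key rotation updates the key file and the constant together.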
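Review bot: The failure branch added in get_tor_windows prints "The tarball verification…" for an .exe, and the get_tor_macos hunk prints the same pasted text for the .dmg; neither message says whether the signature was invalid or was made by a key other than the pinned one. The same three-line check is repeated in get_tor_windows, get_tor_macos and get_tor_linux64, so one helper would keep the fail-closed logic in a single place and let the message name the artefact and the reason. Opening the signature file with `with` also avoids relying on python-gnupg to close the handle. The three function bodies continue outside these hunks.

```python
def verify_tor_signature(gpg, sig_path, data_path, what):
    # python-gnupg takes the detached signature stream first, the signed file second.
    with open(sig_path, "rb") as sig_stream:
        verified = gpg.verify_file(sig_stream, data_path)
    if not verified.valid:
        print(f"ERROR! The {what} signature is not valid: {verified.status}")
        sys.exit(-1)
    # Pin the signer: a valid signature from any other key in the keyring is rejected.
    if verified.pubkey_fingerprint != tor_dev_fingerprint:
        print(f"ERROR! The {what} was signed by an unexpected key: {verified.pubkey_fingerprint}")
        sys.exit(-1)

# … unchanged: download of the installer and its .asc in get_tor_windows …
    # Verify the signature
    verify_tor_signature(gpg, win_sig_path, win_path, ".exe file")
```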
@@ -135,8 +138,10 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
 open(dmg_sig_path, "wb").write(r.content)
 # Verify the signature
- if not ks.verify_file_detached(torkey, dmg_path, dmg_sig_path):
- print("ERROR! The dmg file verification with the signature failed!")
+ sig_stream = open(dmg_sig_path, "rb")
+ verified = gpg.verify_file(sig_stream, dmg_path)
+ if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
+ print("ERROR! The tarball verification with the signature failed!")
 sys.exit(-1)
 print("Tor Browser verification successful!")
@@ -170,7 +175,7 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
 update_tor_bridges()
-def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_sig):
+def get_tor_linux64(gpg, torkey, linux64_url, linux64_filename, expected_linux64_sig):
 # Build paths
 tarball_path = os.path.join(working_path, linux64_filename)
 tarball_sig_path = os.path.join(working_path, f"{linux64_filename}.asc")
@@ -196,7 +201,9 @@ def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_
 open(tarball_sig_path, "wb").write(r.content)
 # Verify signature
- if not ks.verify_file_detached(torkey, tarball_path, tarball_sig_path):
+ sig_stream = open(tarball_sig_path, "rb")
+ verified = gpg.verify_file(sig_stream, tarball_path)
+ if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
 print("ERROR! The tarball verification with the signature failed!")
 sys.exit(-1)
@@ -314,18 +321,18 @@ def main(platform):
 expected_platform_sig,
 ) = get_latest_tor_version_urls(platform)
 tmpdir = tempfile.TemporaryDirectory()
- ks = jce.KeyStore(tmpdir.name)
- torkey = ks.import_key(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
- print(f"Tor GPG key: {torkey}")
+ gpg = gnupg.GPG(gnupghome=tmpdir.name)
+ torkey = gpg.import_keys_file(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
+ print(f"Imported Tor GPG key: {torkey.fingerprints}")
 if platform == "win32":
- get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+ get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
 elif platform == "win64":
- get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+ get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
 elif platform == "macos":
- get_tor_macos(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+ get_tor_macos(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
 elif platform == "linux64":
- get_tor_linux64(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+ get_tor_linux64(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
 else:
 click.echo("invalid platform") |
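Review bot: The result of `gpg.import_keys_file(...)` in main is only printed, never checked. If the bundled key file is missing, unreadable or does not contain the pinned key, the script still downloads the bundle and then stops with the generic signature-failure message, which hides the real cause. A check right after the import, `if tor_dev_fingerprint not in torkey.fingerprints:` followed by an explicit error and `sys.exit(-1)`, fails before any download and names the problem. `torkey` is still passed to the get_tor_* functions although the verification hunks no longer read it, so the parameter looks removable; those bodies are only partly visible here, and main itself starts outside the hunk.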