From a734bbfd61d3fa48f7ca4b9c398331d2484ad8c2 Mon Sep 17 00:00:00 2001
From: Saptak S <saptak013@gmail.com>
Date: Mon, 24 Apr 2023 00:46:49 +0530
Subject: Uses python-gnupg instead of jce

---
 desktop/poetry.lock        | 124 +++++----------------------------------------
 desktop/pyproject.toml     |   2 +-
 desktop/scripts/get-tor.py |  39 ++++++++------
 3 files changed, 37 insertions(+), 128 deletions(-)

diff --git a/desktop/poetry.lock b/desktop/poetry.lock
index 3a39c65a..7d81085f 100644
--- a/desktop/poetry.lock
+++ b/desktop/poetry.lock
@@ -1,26 +1,5 @@
 # This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.
 
-[[package]]
-name = "anyio"
-version = "3.6.2"
-description = "High level compatibility layer for multiple asynchronous event loop implementations"
-category = "main"
-optional = false
-python-versions = ">=3.6.2"
-files = [
-    {file = "anyio-3.6.2-py3-none-any.whl", hash = "sha256:fbbe32bd270d2a2ef3ed1c5d45041250284e31fc0a4df4a5a6071842051a51e3"},
-    {file = "anyio-3.6.2.tar.gz", hash = "sha256:25ea0d673ae30af41a0c442f81cf3b38c7e79fdc7b60335a4c14e05eb0947421"},
-]
-
-[package.dependencies]
-idna = ">=2.8"
-sniffio = ">=1.1"
-
-[package.extras]
-doc = ["packaging", "sphinx-autodoc-typehints (>=1.2.0)", "sphinx-rtd-theme"]
-test = ["contextlib2", "coverage[toml] (>=4.5)", "hypothesis (>=4.0)", "mock (>=4)", "pytest (>=7.0)", "pytest-mock (>=3.6.1)", "trustme", "uvloop (<0.15)", "uvloop (>=0.15)"]
-trio = ["trio (>=0.16,<0.22)"]
-
 [[package]]
 name = "attrs"
 version = "22.2.0"
@@ -671,64 +650,6 @@ files = [
 docs = ["Sphinx", "docutils (<0.18)"]
 test = ["objgraph", "psutil"]
 
-[[package]]
-name = "h11"
-version = "0.14.0"
-description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1"
-category = "main"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"},
-    {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"},
-]
-
-[[package]]
-name = "httpcore"
-version = "0.17.0"
-description = "A minimal low-level HTTP client."
-category = "main"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "httpcore-0.17.0-py3-none-any.whl", hash = "sha256:0fdfea45e94f0c9fd96eab9286077f9ff788dd186635ae61b312693e4d943599"},
-    {file = "httpcore-0.17.0.tar.gz", hash = "sha256:cc045a3241afbf60ce056202301b4d8b6af08845e3294055eb26b09913ef903c"},
-]
-
-[package.dependencies]
-anyio = ">=3.0,<5.0"
-certifi = "*"
-h11 = ">=0.13,<0.15"
-sniffio = ">=1.0.0,<2.0.0"
-
-[package.extras]
-http2 = ["h2 (>=3,<5)"]
-socks = ["socksio (>=1.0.0,<2.0.0)"]
-
-[[package]]
-name = "httpx"
-version = "0.24.0"
-description = "The next generation HTTP client."
-category = "main"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "httpx-0.24.0-py3-none-any.whl", hash = "sha256:447556b50c1921c351ea54b4fe79d91b724ed2b027462ab9a329465d147d5a4e"},
-    {file = "httpx-0.24.0.tar.gz", hash = "sha256:507d676fc3e26110d41df7d35ebd8b3b8585052450f4097401c9be59d928c63e"},
-]
-
-[package.dependencies]
-certifi = "*"
-httpcore = ">=0.15.0,<0.18.0"
-idna = "*"
-sniffio = "*"
-
-[package.extras]
-brotli = ["brotli", "brotlicffi"]
-cli = ["click (>=8.0.0,<9.0.0)", "pygments (>=2.0.0,<3.0.0)", "rich (>=10,<14)"]
-http2 = ["h2 (>=3,<5)"]
-socks = ["socksio (>=1.0.0,<2.0.0)"]
-
 [[package]]
 name = "idna"
 version = "3.4"
@@ -803,25 +724,6 @@ MarkupSafe = ">=2.0"
 [package.extras]
 i18n = ["Babel (>=2.7)"]
 
-[[package]]
-name = "johnnycanencrypt"
-version = "0.14.0"
-description = ""
-category = "main"
-optional = false
-python-versions = ">=3.8"
-files = [
-    {file = "johnnycanencrypt-0.14.0-cp310-cp310-manylinux_2_28_x86_64.whl", hash = "sha256:1725d4634649229f896644c439e3cac9ccc977a838cf6d3737a9af8b3a04e7d5"},
-    {file = "johnnycanencrypt-0.14.0-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:2d9e21015e4740bf762b0cec9830b48ecf5807f4142f9ab47b5bad5503935bb5"},
-    {file = "johnnycanencrypt-0.14.0-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:a76d0439e89039fe62507cac68ba43af2b30e6a6f9937c0e6fb4bd67aee93ed3"},
-    {file = "johnnycanencrypt-0.14.0-cp38-cp38-manylinux_2_28_x86_64.whl", hash = "sha256:0e0420cb205dcfcd90950fc03904918bf7b95f87bc4a9ba9241a9facc2a981cf"},
-    {file = "johnnycanencrypt-0.14.0-cp39-cp39-manylinux_2_28_x86_64.whl", hash = "sha256:8fdab8fac058606b5138ca577638874d04d8634a8f2ef07ee9703b1a81d01930"},
-    {file = "johnnycanencrypt-0.14.0.tar.gz", hash = "sha256:323d8e7d538000bbee3fa45f39180d83e8ff07ceb741b320242ad45005e879ad"},
-]
-
-[package.dependencies]
-httpx = "*"
-
 [[package]]
 name = "lief"
 version = "0.12.3"
@@ -1269,6 +1171,18 @@ files = [
 asyncio-client = ["aiohttp (>=3.4)"]
 client = ["requests (>=2.21.0)", "websocket-client (>=0.54.0)"]
 
+[[package]]
+name = "python-gnupg"
+version = "0.5.0"
+description = "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)"
+category = "main"
+optional = false
+python-versions = "*"
+files = [
+    {file = "python-gnupg-0.5.0.tar.gz", hash = "sha256:70758e387fc0e0c4badbcb394f61acbe68b34970a8fed7e0f7c89469fe17912a"},
+    {file = "python_gnupg-0.5.0-py2.py3-none-any.whl", hash = "sha256:345723a03e67b82aba0ea8ae2328b2e4a3906fbe2c18c4082285c3b01068f270"},
+]
+
 [[package]]
 name = "python-socketio"
 version = "5.7.2"
@@ -1381,18 +1295,6 @@ files = [
     {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"},
 ]
 
-[[package]]
-name = "sniffio"
-version = "1.3.0"
-description = "Sniff out which async library your code is running under"
-category = "main"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "sniffio-1.3.0-py3-none-any.whl", hash = "sha256:eecefdce1e5bbfb7ad2eeaabf7c1eeb404d7757c379bd1f7e5cce9d8bf425384"},
-    {file = "sniffio-1.3.0.tar.gz", hash = "sha256:e60305c5e5d314f5389259b7f22aaa33d8f7dee49763119234af3755c55b9101"},
-]
-
 [[package]]
 name = "stem"
 version = "1.8.1"
@@ -1564,4 +1466,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.8,<3.11"
-content-hash = "0c90ba138195f93705c79fc41dfaa22de4ed611fcaef63d42064e37c58916ae8"
+content-hash = "d9feb340ebd14d40abcc105856b84d2275502e64a9c094081990501d606da084"
diff --git a/desktop/pyproject.toml b/desktop/pyproject.toml
index a43505b7..bea97ccc 100644
--- a/desktop/pyproject.toml
+++ b/desktop/pyproject.toml
@@ -11,7 +11,7 @@ onionshare_cli = {path = "../cli", develop = true}
 PySide6 = "6.4.0"
 qrcode = "*"
 werkzeug = "~2.0.3"
-johnnycanencrypt = "^0.14.0"
+python-gnupg = "^0.5.0"
 
 [tool.poetry.dev-dependencies]
 click = "*"
diff --git a/desktop/scripts/get-tor.py b/desktop/scripts/get-tor.py
index 30a86ed1..12bf0b50 100644
--- a/desktop/scripts/get-tor.py
+++ b/desktop/scripts/get-tor.py
@@ -9,11 +9,12 @@ import subprocess
 import requests
 import click
 import tempfile
-import johnnycanencrypt as jce
+import gnupg
 
 torbrowser_latest_url = (
     "https://aus1.torproject.org/torbrowser/update_3/release/downloads.json"
 )
+tor_dev_fingerprint = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
 
 # Common paths
 root_path = os.path.dirname(
@@ -35,7 +36,7 @@ def get_latest_tor_version_urls(platform):
     return platform_url, platform_filename, platform_sig_url
 
 
-def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
+def get_tor_windows(gpg, torkey, win_url, win_filename, expected_win_sig):
     bin_filenames = ["tor.exe"]
 
     # Build paths
@@ -60,8 +61,10 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
         open(win_sig_path, "wb").write(r.content)
 
     # Verify the signature
-    if not ks.verify_file_detached(torkey, win_path, win_sig_path):
-        print("ERROR! The .exe file verification with the signature failed!")
+    sig_stream = open(win_sig_path, "rb")
+    verified = gpg.verify_file(sig_stream, win_path)
+    if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
+        print("ERROR! The tarball verification with the signature failed!")
         sys.exit(-1)
 
     print("Tor Browser verification successful!")
@@ -107,7 +110,7 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
     update_tor_bridges()
 
 
-def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
+def get_tor_macos(gpg, torkey, macos_url, macos_filename, expected_macos_sig):
     # Build paths
     dmg_tor_path = os.path.join(
         "/Volumes", "Tor Browser", "Tor Browser.app", "Contents"
@@ -135,8 +138,10 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
         open(dmg_sig_path, "wb").write(r.content)
 
     # Verify the signature
-    if not ks.verify_file_detached(torkey, dmg_path, dmg_sig_path):
-        print("ERROR! The dmg file verification with the signature failed!")
+    sig_stream = open(dmg_sig_path, "rb")
+    verified = gpg.verify_file(sig_stream, dmg_path)
+    if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
+        print("ERROR! The tarball verification with the signature failed!")
         sys.exit(-1)
 
     print("Tor Browser verification successful!")
@@ -170,7 +175,7 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
     update_tor_bridges()
 
 
-def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_sig):
+def get_tor_linux64(gpg, torkey, linux64_url, linux64_filename, expected_linux64_sig):
     # Build paths
     tarball_path = os.path.join(working_path, linux64_filename)
     tarball_sig_path = os.path.join(working_path, f"{linux64_filename}.asc")
@@ -196,7 +201,9 @@ def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_
         open(tarball_sig_path, "wb").write(r.content)
 
     # Verify signature
-    if not ks.verify_file_detached(torkey, tarball_path, tarball_sig_path):
+    sig_stream = open(tarball_sig_path, "rb")
+    verified = gpg.verify_file(sig_stream, tarball_path)
+    if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
         print("ERROR! The tarball verification with the signature failed!")
         sys.exit(-1)
 
@@ -314,18 +321,18 @@ def main(platform):
         expected_platform_sig,
     ) = get_latest_tor_version_urls(platform)
     tmpdir = tempfile.TemporaryDirectory()
-    ks = jce.KeyStore(tmpdir.name)
-    torkey = ks.import_key(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
-    print(f"Tor GPG key: {torkey}")
+    gpg = gnupg.GPG(gnupghome=tmpdir.name)
+    torkey = gpg.import_keys_file(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
+    print(f"Imported Tor GPG key: {torkey.fingerprints}")
 
     if platform == "win32":
-        get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     elif platform == "win64":
-        get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     elif platform == "macos":
-        get_tor_macos(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_macos(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     elif platform == "linux64":
-        get_tor_linux64(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_linux64(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     else:
         click.echo("invalid platform")
 
-- 
cgit v1.2.3-54-g00ecf