diff options
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/Makefile.am | 15 | ||||
-rwxr-xr-x | contrib/make-signature.sh | 79 | ||||
-rw-r--r-- | contrib/tor-mingw.nsi.in | 2 |
3 files changed, 94 insertions, 2 deletions
diff --git a/contrib/Makefile.am b/contrib/Makefile.am index 5aae2c819e..795c351f3a 100644 --- a/contrib/Makefile.am +++ b/contrib/Makefile.am @@ -3,7 +3,20 @@ DIST_SUBDIRS = suse confdir = $(sysconfdir)/tor -EXTRA_DIST = exitlist tor-tsocks.conf tor.nsi.in tor.sh torctl rc.subr cross.sh tor-mingw.nsi.in package_nsis-mingw.sh tor.ico tor-ctrl.sh linux-tor-prio.sh tor-exit-notice.html +EXTRA_DIST = \ + cross.sh \ + exitlist \ + linux-tor-prio.sh \ + package_nsis-mingw.sh \ + rc.subr \ + tor-ctrl.sh \ + tor-exit-notice.html \ + tor-mingw.nsi.in \ + tor-tsocks.conf \ + tor.ico \ + tor.nsi.in \ + tor.sh \ + torctl conf_DATA = tor-tsocks.conf diff --git a/contrib/make-signature.sh b/contrib/make-signature.sh new file mode 100755 index 0000000000..4aba08b754 --- /dev/null +++ b/contrib/make-signature.sh @@ -0,0 +1,79 @@ +#!/bin/sh + +set -eu + +if test "$1" = "" ; then + echo "I need a package as an argument." + exit 1 +fi + +PACKAGEFILE=$1 + +if test ! -f "$PACKAGEFILE" ; then + echo "$PACKAGEFILE is not a file." + exit 1 +fi + +DIGESTNAME=sha256 +DIGESTOUTPUT=`gpg --print-md $DIGESTNAME $PACKAGEFILE` + +RAWDIGEST=`gpg --print-md $DIGESTNAME $PACKAGEFILE | sed -e 's/^[^ ]*: //' ` + +# These regexes are a little fragile, but I think they work for us. +VERSION=`echo $PACKAGEFILE | sed -e 's/^[a-z\-]*//' -e 's/\.[\.a-z]*$//' ` +PACKAGE=`echo $PACKAGEFILE | sed -e 's/-[0-9].*//'` +SIGFILE_UNSIGNED="$PACKAGE-$VERSION-signature" +SIGNATUREFILE="$SIGFILE_UNSIGNED.asc" + +cat >$SIGFILE_UNSIGNED <<EOF +This is the signature file for "$PACKAGEFILE", +which contains version "$VERSION" of "$PACKAGE". + +Here's how to check this signature. + +1) Make sure that this is really a signature file, and not a forgery, + with: + + "gpg --verify $SIGNATUREFILE" + + The key should be one of the keys that signs the Tor release; the + official Tor website has more information on those. + + If this step fails, then either you are missing the correct key, or + this signature file was not really signed by a Tor packager. + Beware! + +2) Make sure that the package you wanted is indeed "$PACKAGE", and that + its version you wanted is indeed "$VERSION". If you wanted a + different package, or a different version, this signature file is + not the right one! + +3) Now that you're sure you have the right signature file, make sure + that you got the right package. Check its $DIGESTNAME digest with + + "gpg --print-md $DIGESTNAME $PACKAGEFILE" + + The output should match this, exactly: + +$DIGESTOUTPUT + + Make sure that every part of the output matches: don't just check the + first few characters. If the digest does not match, you do not have + the right package file. It could even be a forgery. + +Frequently asked questions: + +Q: Why not just sign the package file, like you used to do? +A: GPG signatures authenticate file contents, but not file names. If + somebody gave you a renamed file with a matching renamed signature + file, the signature would still be given as "valid". + +-- +FILENAME: $PACKAGEFILE +PACKAGE: $PACKAGE +VERSION: $VERSION +DIGESTALG: $DIGESTNAME +DIGEST: $RAWDIGEST +EOF + +gpg --clearsign $SIGFILE_UNSIGNED diff --git a/contrib/tor-mingw.nsi.in b/contrib/tor-mingw.nsi.in index a44961b027..1cecf34f8f 100644 --- a/contrib/tor-mingw.nsi.in +++ b/contrib/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.2.19-alpha" +!define VERSION "0.2.3.0-alpha-dev" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" |