[arch-commits] Commit in tor/trunk (PKGBUILD)
Levente Polyak
anthraxx at gemini.archlinux.org
Sat May 21 23:54:26 UTC 2022
Date: Saturday, May 21, 2022 @ 23:54:25
Author: anthraxx
Revision: 1209908
upgpkg: tor 0.4.7.7-2: reactivate pgp signature verification
Tor 0.4.6.10 switched to exclusively signing the checksum files instead of
the actual source tarballs. Let's ensure the signatures are always
checked by downloading the signed sums file alongside the signature and
source tarball. Makepkg checks the signature on the sums file; afterwards
we use the prepare() function of makepkg to verify the sums file against
the actual source tarball.
Valid signing fingerprints have been updated according to:
https://support.torproject.org/little-t-tor/verify-little-t-tor/
Note that for Alexander Færøy's key, we list the actual fingerprint of the
root certificate instead of the signing subkey ed25519/BE6A0531C18A9179
Modified:
tor/trunk/PKGBUILD
----------+
PKGBUILD | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-05-21 23:34:04 UTC (rev 1209907)
+++ PKGBUILD 2022-05-21 23:54:25 UTC (rev 1209908)
@@ -7,7 +7,7 @@
pkgname=tor
pkgver=0.4.7.7
-pkgrel=1
+pkgrel=2
pkgdesc='Anonymizing overlay network.'
arch=('x86_64')
url='https://www.torproject.org/download/tor/'
@@ -17,18 +17,27 @@
optdepends=('torsocks: for torify')
makedepends=('ca-certificates' 'systemd')
backup=('etc/tor/torrc')
-source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz"
+source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz"{,.sha256sum{,.asc}}
'torrc.patch'
'tor.sysusers'
'tor.tmpfiles'
'tor.service')
b2sums=('18acfbe017b2ad456184f6031881149717f6fecad0d3e6daf90241a5a8ef296c32a36ace266d38b703f34b66d71e282c803f03f2059502c6ff6f4fdfb6641a97'
+ '09e715beaf05926c4cdc13a43c8cd31ec2f477876a8a13915416d7ac955622c10c77177a1a0d7a7c4eb5a6c1256170379692c42dd2161889c51018f43f4a3398'
+ 'SKIP'
'3359e138d823a77df2a42ce3fe8c6ecb4004e9ec191863db7857aceea7c136c78f09518b1a199dfd3215f5d61f1c060f4a0e2141c5bdb6b847af60fb6e9a81a7'
'9053da53926f2120ac57b6c1442238f5bbd89bf9270347c4e00b721b39939bebc6adfcf814a9d7289dfd14d085d91c193529305336db93190da5b7f586a031df'
'5d55d9a7e42b6ce78b8ab985bab37afe8f0bacddb5abd895c4a490adb8f98b9422f90b40066fef05ecf37b7b21e80aadc615c4b7f6e12b05581304113a1b1f1d'
'327c1a35c3d4c44f93edb47959c8c41ab6af4cbfcbb8f4e9f54f2f69d17d148bf85e2d2c8aefe2d3165e123056dd68a248af78d1ba713b94a4e6d27a9cf412f1')
+validpgpkeys=(
+ '2133BC600AB133E1D826D173FE43009C4607B1FB' # Nick Mathewson
+ 'B74417EDDF22AC9F9E90F49142E86A2A11F48D36' # David Goulet
+ '1C1BC007A9F607AA8152C040BEA7B180B1491921' # Alexander Færøy
+)
prepare() {
+ # verify the signed sums match the expected source tarball
+ sha256sum -c ${pkgname}-${pkgver}.tar.gz.sha256sum
cd ${pkgname}-${pkgver}
# uncomment essential config sections in the torrc file
patch -Np1 < "${srcdir}/torrc.patch"
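Review bot: The added `sha256sum -c ${pkgname}-${pkgver}.tar.gz.sha256sum` in prepare() verifies whatever file names the signed sums file happens to list, so nothing here asserts that `${pkgname}-${pkgver}.tar.gz` is among them, and without `--strict` a malformed line is only warned about. Selecting the tarball's entry explicitly would tie the signed hash to the source being built, for example `grep -F -- "${pkgname}-${pkgver}.tar.gz" "${pkgname}-${pkgver}.tar.gz.sha256sum" | sha256sum --strict -c -` (this assumes the usual `HASH  NAME` line layout, which the page does not show). The check also runs in prepare(), which makepkg calls after the sources are unpacked, so it is the pinned `b2sums` entry that guards the tarball before extraction; a short comment saying so would help whoever next refreshes the sums. The `validpgpkeys` comment for Alexander Færøy could note that the entry is the primary key fingerprint rather than the signing subkey, as the commit message explains. prepare() continues past the end of the hunk.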