[arch-commits] Commit in tor/trunk (PKGBUILD)

Levente Polyak anthraxx at gemini.archlinux.org
Sat May 21 23:54:26 UTC 2022


    Date: Saturday, May 21, 2022 @ 23:54:25
  Author: anthraxx
Revision: 1209908

upgpkg: tor 0.4.7.7-2: reactivate pgp signature verification

Tor 0.4.6.10 switched to exclusively sign the checksum files instead of
the actual source tarballs. Let's ensure the signatures are always
checked by downloading the signed sums file alongside the signature and
source tarball. Makepkg checks the signature on the sums file, afterwards
we use the prepare() function of makepkg to verify the sums file against
the actual source tarball.

Valid signing fingerprints have been updated according to:
https://support.torproject.org/little-t-tor/verify-little-t-tor/

Note that for Alexander Færøy's key, we list the actual fingerprint of the
root certificate instead of the signing subkey ed25519/BE6A0531C18A9179

Modified:
  tor/trunk/PKGBUILD

----------+
 PKGBUILD |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2022-05-21 23:34:04 UTC (rev 1209907)
+++ PKGBUILD	2022-05-21 23:54:25 UTC (rev 1209908)
@@ -7,7 +7,7 @@
 
 pkgname=tor
 pkgver=0.4.7.7
-pkgrel=1
+pkgrel=2
 pkgdesc='Anonymizing overlay network.'
 arch=('x86_64')
 url='https://www.torproject.org/download/tor/'
@@ -17,18 +17,27 @@
 optdepends=('torsocks: for torify')
 makedepends=('ca-certificates' 'systemd')
 backup=('etc/tor/torrc')
-source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz"
+source=("https://dist.torproject.org/${pkgname}-${pkgver}.tar.gz"{,.sha256sum{,.asc}}
         'torrc.patch'
         'tor.sysusers'
         'tor.tmpfiles'
         'tor.service')
 b2sums=('18acfbe017b2ad456184f6031881149717f6fecad0d3e6daf90241a5a8ef296c32a36ace266d38b703f34b66d71e282c803f03f2059502c6ff6f4fdfb6641a97'
+        '09e715beaf05926c4cdc13a43c8cd31ec2f477876a8a13915416d7ac955622c10c77177a1a0d7a7c4eb5a6c1256170379692c42dd2161889c51018f43f4a3398'
+        'SKIP'
         '3359e138d823a77df2a42ce3fe8c6ecb4004e9ec191863db7857aceea7c136c78f09518b1a199dfd3215f5d61f1c060f4a0e2141c5bdb6b847af60fb6e9a81a7'
         '9053da53926f2120ac57b6c1442238f5bbd89bf9270347c4e00b721b39939bebc6adfcf814a9d7289dfd14d085d91c193529305336db93190da5b7f586a031df'
         '5d55d9a7e42b6ce78b8ab985bab37afe8f0bacddb5abd895c4a490adb8f98b9422f90b40066fef05ecf37b7b21e80aadc615c4b7f6e12b05581304113a1b1f1d'
         '327c1a35c3d4c44f93edb47959c8c41ab6af4cbfcbb8f4e9f54f2f69d17d148bf85e2d2c8aefe2d3165e123056dd68a248af78d1ba713b94a4e6d27a9cf412f1')
+validpgpkeys=(
+  '2133BC600AB133E1D826D173FE43009C4607B1FB' # Nick Mathewson
+  'B74417EDDF22AC9F9E90F49142E86A2A11F48D36' # David Goulet
+  '1C1BC007A9F607AA8152C040BEA7B180B1491921' # Alexander Færøy
+)
 
 prepare() {
+  # verify the signed sums match the expected source tarball
+  sha256sum -c ${pkgname}-${pkgver}.tar.gz.sha256sum
   cd ${pkgname}-${pkgver}
   # uncomment essential config sections in the torrc file
   patch -Np1 < "${srcdir}/torrc.patch"
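Review bot: The new `sha256sum -c` line in prepare() leaves the sums-file name unquoted and, without `--strict`, lets a sums file that contains malformed lines pass as long as one well-formed line verifies; write it as `sha256sum -c --strict "${pkgname}-${pkgver}.tar.gz.sha256sum"` so any line that is not a proper checksum entry fails the check. Since the .asc in the source array is the signature of the .sha256sum file rather than of the tarball, this line is the only step that binds the PGP-verified digest to the tarball actually built, which the comment should say explicitly, e.g. `# the .asc signs the sums file, not the tarball: this check binds the signed digest to the tarball`. Makepkg runs prepare() with errexit so a mismatch aborts the build; if that is not to be relied on, append `|| return 1`. prepare()'s body continues outside the hunk.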


