Uses python-gnupg instead of jce

This commit is contained in:
Saptak S 2023-04-24 00:46:49 +05:30
parent d970cf1148
commit a734bbfd61
No known key found for this signature in database
GPG key ID: 7B7F1772C0C6FCBF
3 changed files with 37 additions and 128 deletions

desktop/poetry.lock generated

@ -1,26 +1,5 @@
# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.
[[package]]
name = "anyio"
version = "3.6.2"
description = "High level compatibility layer for multiple asynchronous event loop implementations"
category = "main"
optional = false
python-versions = ">=3.6.2"
files = [
{file = "anyio-3.6.2-py3-none-any.whl", hash = "sha256:fbbe32bd270d2a2ef3ed1c5d45041250284e31fc0a4df4a5a6071842051a51e3"},
{file = "anyio-3.6.2.tar.gz", hash = "sha256:25ea0d673ae30af41a0c442f81cf3b38c7e79fdc7b60335a4c14e05eb0947421"},
]
[package.dependencies]
idna = ">=2.8"
sniffio = ">=1.1"
[package.extras]
doc = ["packaging", "sphinx-autodoc-typehints (>=1.2.0)", "sphinx-rtd-theme"]
test = ["contextlib2", "coverage[toml] (>=4.5)", "hypothesis (>=4.0)", "mock (>=4)", "pytest (>=7.0)", "pytest-mock (>=3.6.1)", "trustme", "uvloop (<0.15)", "uvloop (>=0.15)"]
trio = ["trio (>=0.16,<0.22)"]
[[package]]
name = "attrs"
version = "22.2.0"
@ -671,64 +650,6 @@ files = [
docs = ["Sphinx", "docutils (<0.18)"]
test = ["objgraph", "psutil"]
[[package]]
name = "h11"
version = "0.14.0"
description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1"
category = "main"
optional = false
python-versions = ">=3.7"
files = [
{file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"},
{file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"},
]
[[package]]
name = "httpcore"
version = "0.17.0"
description = "A minimal low-level HTTP client."
category = "main"
optional = false
python-versions = ">=3.7"
files = [
{file = "httpcore-0.17.0-py3-none-any.whl", hash = "sha256:0fdfea45e94f0c9fd96eab9286077f9ff788dd186635ae61b312693e4d943599"},
{file = "httpcore-0.17.0.tar.gz", hash = "sha256:cc045a3241afbf60ce056202301b4d8b6af08845e3294055eb26b09913ef903c"},
]
[package.dependencies]
anyio = ">=3.0,<5.0"
certifi = "*"
h11 = ">=0.13,<0.15"
sniffio = ">=1.0.0,<2.0.0"
[package.extras]
http2 = ["h2 (>=3,<5)"]
socks = ["socksio (>=1.0.0,<2.0.0)"]
[[package]]
name = "httpx"
version = "0.24.0"
description = "The next generation HTTP client."
category = "main"
optional = false
python-versions = ">=3.7"
files = [
{file = "httpx-0.24.0-py3-none-any.whl", hash = "sha256:447556b50c1921c351ea54b4fe79d91b724ed2b027462ab9a329465d147d5a4e"},
{file = "httpx-0.24.0.tar.gz", hash = "sha256:507d676fc3e26110d41df7d35ebd8b3b8585052450f4097401c9be59d928c63e"},
]
[package.dependencies]
certifi = "*"
httpcore = ">=0.15.0,<0.18.0"
idna = "*"
sniffio = "*"
[package.extras]
brotli = ["brotli", "brotlicffi"]
cli = ["click (>=8.0.0,<9.0.0)", "pygments (>=2.0.0,<3.0.0)", "rich (>=10,<14)"]
http2 = ["h2 (>=3,<5)"]
socks = ["socksio (>=1.0.0,<2.0.0)"]
[[package]]
name = "idna"
version = "3.4"
@ -803,25 +724,6 @@ MarkupSafe = ">=2.0"
[package.extras]
i18n = ["Babel (>=2.7)"]
[[package]]
name = "johnnycanencrypt"
version = "0.14.0"
description = ""
category = "main"
optional = false
python-versions = ">=3.8"
files = [
{file = "johnnycanencrypt-0.14.0-cp310-cp310-manylinux_2_28_x86_64.whl", hash = "sha256:1725d4634649229f896644c439e3cac9ccc977a838cf6d3737a9af8b3a04e7d5"},
{file = "johnnycanencrypt-0.14.0-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:2d9e21015e4740bf762b0cec9830b48ecf5807f4142f9ab47b5bad5503935bb5"},
{file = "johnnycanencrypt-0.14.0-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:a76d0439e89039fe62507cac68ba43af2b30e6a6f9937c0e6fb4bd67aee93ed3"},
{file = "johnnycanencrypt-0.14.0-cp38-cp38-manylinux_2_28_x86_64.whl", hash = "sha256:0e0420cb205dcfcd90950fc03904918bf7b95f87bc4a9ba9241a9facc2a981cf"},
{file = "johnnycanencrypt-0.14.0-cp39-cp39-manylinux_2_28_x86_64.whl", hash = "sha256:8fdab8fac058606b5138ca577638874d04d8634a8f2ef07ee9703b1a81d01930"},
{file = "johnnycanencrypt-0.14.0.tar.gz", hash = "sha256:323d8e7d538000bbee3fa45f39180d83e8ff07ceb741b320242ad45005e879ad"},
]
[package.dependencies]
httpx = "*"
[[package]]
name = "lief"
version = "0.12.3"
@ -1269,6 +1171,18 @@ files = [
asyncio-client = ["aiohttp (>=3.4)"]
client = ["requests (>=2.21.0)", "websocket-client (>=0.54.0)"]
[[package]]
name = "python-gnupg"
version = "0.5.0"
description = "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)"
category = "main"
optional = false
python-versions = "*"
files = [
{file = "python-gnupg-0.5.0.tar.gz", hash = "sha256:70758e387fc0e0c4badbcb394f61acbe68b34970a8fed7e0f7c89469fe17912a"},
{file = "python_gnupg-0.5.0-py2.py3-none-any.whl", hash = "sha256:345723a03e67b82aba0ea8ae2328b2e4a3906fbe2c18c4082285c3b01068f270"},
]
[[package]]
name = "python-socketio"
version = "5.7.2"
@ -1381,18 +1295,6 @@ files = [
{file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"},
]
[[package]]
name = "sniffio"
version = "1.3.0"
description = "Sniff out which async library your code is running under"
category = "main"
optional = false
python-versions = ">=3.7"
files = [
{file = "sniffio-1.3.0-py3-none-any.whl", hash = "sha256:eecefdce1e5bbfb7ad2eeaabf7c1eeb404d7757c379bd1f7e5cce9d8bf425384"},
{file = "sniffio-1.3.0.tar.gz", hash = "sha256:e60305c5e5d314f5389259b7f22aaa33d8f7dee49763119234af3755c55b9101"},
]
[[package]]
name = "stem"
version = "1.8.1"
@ -1564,4 +1466,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
[metadata]
lock-version = "2.0"
python-versions = ">=3.8,<3.11"
content-hash = "0c90ba138195f93705c79fc41dfaa22de4ed611fcaef63d42064e37c58916ae8"
content-hash = "d9feb340ebd14d40abcc105856b84d2275502e64a9c094081990501d606da084"


@ -11,7 +11,7 @@ onionshare_cli = {path = "../cli", develop = true}
PySide6 = "6.4.0"
qrcode = "*"
werkzeug = "~2.0.3"
johnnycanencrypt = "^0.14.0"
python-gnupg = "^0.5.0"
[tool.poetry.dev-dependencies]
click = "*"


@ -9,11 +9,12 @@ import subprocess
import requests
import click
import tempfile
import johnnycanencrypt as jce
import gnupg
torbrowser_latest_url = (
"https://aus1.torproject.org/torbrowser/update_3/release/downloads.json"
)
tor_dev_fingerprint = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
# Common paths
root_path = os.path.dirname(
@ -35,7 +36,7 @@ def get_latest_tor_version_urls(platform):
return platform_url, platform_filename, platform_sig_url
def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
def get_tor_windows(gpg, torkey, win_url, win_filename, expected_win_sig):
bin_filenames = ["tor.exe"]
# Build paths
@ -60,8 +61,10 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
open(win_sig_path, "wb").write(r.content)
# Verify the signature
if not ks.verify_file_detached(torkey, win_path, win_sig_path):
print("ERROR! The .exe file verification with the signature failed!")
sig_stream = open(win_sig_path, "rb")
verified = gpg.verify_file(sig_stream, win_path)
if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
print("ERROR! The tarball verification with the signature failed!")
sys.exit(-1)
print("Tor Browser verification successful!")
@ -107,7 +110,7 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
update_tor_bridges()
def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
def get_tor_macos(gpg, torkey, macos_url, macos_filename, expected_macos_sig):
# Build paths
dmg_tor_path = os.path.join(
"/Volumes", "Tor Browser", "Tor Browser.app", "Contents"
@ -135,8 +138,10 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
open(dmg_sig_path, "wb").write(r.content)
# Verify the signature
if not ks.verify_file_detached(torkey, dmg_path, dmg_sig_path):
print("ERROR! The dmg file verification with the signature failed!")
sig_stream = open(dmg_sig_path, "rb")
verified = gpg.verify_file(sig_stream, dmg_path)
if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
print("ERROR! The tarball verification with the signature failed!")
sys.exit(-1)
print("Tor Browser verification successful!")
@ -170,7 +175,7 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
update_tor_bridges()
def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_sig):
def get_tor_linux64(gpg, torkey, linux64_url, linux64_filename, expected_linux64_sig):
# Build paths
tarball_path = os.path.join(working_path, linux64_filename)
tarball_sig_path = os.path.join(working_path, f"{linux64_filename}.asc")
@ -196,7 +201,9 @@ def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_
open(tarball_sig_path, "wb").write(r.content)
# Verify signature
if not ks.verify_file_detached(torkey, tarball_path, tarball_sig_path):
sig_stream = open(tarball_sig_path, "rb")
verified = gpg.verify_file(sig_stream, tarball_path)
if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
print("ERROR! The tarball verification with the signature failed!")
sys.exit(-1)
@ -314,18 +321,18 @@ def main(platform):
expected_platform_sig,
) = get_latest_tor_version_urls(platform)
tmpdir = tempfile.TemporaryDirectory()
ks = jce.KeyStore(tmpdir.name)
torkey = ks.import_key(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
print(f"Tor GPG key: {torkey}")
gpg = gnupg.GPG(gnupghome=tmpdir.name)
torkey = gpg.import_keys_file(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
print(f"Imported Tor GPG key: {torkey.fingerprints}")
if platform == "win32":
get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
elif platform == "win64":
get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
elif platform == "macos":
get_tor_macos(ks, torkey, platform_url, platform_filename, expected_platform_sig)
get_tor_macos(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
elif platform == "linux64":
get_tor_linux64(ks, torkey, platform_url, platform_filename, expected_platform_sig)
get_tor_linux64(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
else:
click.echo("invalid platform")
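Review bot: The detached-signature file opened at `sig_stream = open(win_sig_path, "rb")` is not closed anywhere in the hunk, and the same pattern repeats for `dmg_sig_path` and `tarball_sig_path` in the macOS and linux64 hunks; wrap each in a context manager, e.g. `with open(win_sig_path, "rb") as sig_stream:` followed by `verified = gpg.verify_file(sig_stream, win_path)`, so the handle is released before the verdict is checked. The failure messages in the Windows and macOS hunks now say "tarball" where the removed lines said ".exe file" and "dmg file", which will mislead whoever reads the log. Comparing `verified.pubkey_fingerprint` against `tor_dev_fingerprint` is the right check, but in `main` the import result is only printed; failing early with `if tor_dev_fingerprint not in torkey.fingerprints: sys.exit(-1)` right after `gpg.import_keys_file(...)` would reject a tampered or wrong key file before any download starts. The `torkey` argument looks unused by the new verify calls in the visible hunks, though `get_tor_windows`, `get_tor_macos` and `get_tor_linux64` each continue outside the hunk, so that may be settled elsewhere.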