From a734bbfd61d3fa48f7ca4b9c398331d2484ad8c2 Mon Sep 17 00:00:00 2001 From: Saptak S Date: Mon, 24 Apr 2023 00:46:49 +0530 Subject: [PATCH] Uses python-gnupg instead of jce --- desktop/poetry.lock | 124 ++++--------------------------------- desktop/pyproject.toml | 2 +- desktop/scripts/get-tor.py | 39 +++++++----- 3 files changed, 37 insertions(+), 128 deletions(-) diff --git a/desktop/poetry.lock b/desktop/poetry.lock index 3a39c65a..7d81085f 100644 --- a/desktop/poetry.lock +++ b/desktop/poetry.lock @@ -1,26 +1,5 @@ # This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand. -[[package]] -name = "anyio" -version = "3.6.2" -description = "High level compatibility layer for multiple asynchronous event loop implementations" -category = "main" -optional = false -python-versions = ">=3.6.2" -files = [ - {file = "anyio-3.6.2-py3-none-any.whl", hash = "sha256:fbbe32bd270d2a2ef3ed1c5d45041250284e31fc0a4df4a5a6071842051a51e3"}, - {file = "anyio-3.6.2.tar.gz", hash = "sha256:25ea0d673ae30af41a0c442f81cf3b38c7e79fdc7b60335a4c14e05eb0947421"}, -] - -[package.dependencies] -idna = ">=2.8" -sniffio = ">=1.1" - -[package.extras] -doc = ["packaging", "sphinx-autodoc-typehints (>=1.2.0)", "sphinx-rtd-theme"] -test = ["contextlib2", "coverage[toml] (>=4.5)", "hypothesis (>=4.0)", "mock (>=4)", "pytest (>=7.0)", "pytest-mock (>=3.6.1)", "trustme", "uvloop (<0.15)", "uvloop (>=0.15)"] -trio = ["trio (>=0.16,<0.22)"] - [[package]] name = "attrs" version = "22.2.0" 
@@ -671,64 +650,6 @@ files = [ docs = ["Sphinx", "docutils (<0.18)"] test = ["objgraph", "psutil"] -[[package]] -name = "h11" -version = "0.14.0" -description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1" -category = "main" -optional = false -python-versions = ">=3.7" -files = [ - {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"}, - {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"}, -] - -[[package]] -name = "httpcore" -version = "0.17.0" -description = "A minimal low-level HTTP client." -category = "main" -optional = false -python-versions = ">=3.7" -files = [ - {file = "httpcore-0.17.0-py3-none-any.whl", hash = "sha256:0fdfea45e94f0c9fd96eab9286077f9ff788dd186635ae61b312693e4d943599"}, - {file = "httpcore-0.17.0.tar.gz", hash = "sha256:cc045a3241afbf60ce056202301b4d8b6af08845e3294055eb26b09913ef903c"}, -] - -[package.dependencies] -anyio = ">=3.0,<5.0" -certifi = "*" -h11 = ">=0.13,<0.15" -sniffio = ">=1.0.0,<2.0.0" - -[package.extras] -http2 = ["h2 (>=3,<5)"] -socks = ["socksio (>=1.0.0,<2.0.0)"] - -[[package]] -name = "httpx" -version = "0.24.0" -description = "The next generation HTTP client." -category = "main" -optional = false -python-versions = ">=3.7" -files = [ - {file = "httpx-0.24.0-py3-none-any.whl", hash = "sha256:447556b50c1921c351ea54b4fe79d91b724ed2b027462ab9a329465d147d5a4e"}, - {file = "httpx-0.24.0.tar.gz", hash = "sha256:507d676fc3e26110d41df7d35ebd8b3b8585052450f4097401c9be59d928c63e"}, -] - -[package.dependencies] -certifi = "*" -httpcore = ">=0.15.0,<0.18.0" -idna = "*" -sniffio = "*" - -[package.extras] -brotli = ["brotli", "brotlicffi"] -cli = ["click (>=8.0.0,<9.0.0)", "pygments (>=2.0.0,<3.0.0)", "rich (>=10,<14)"] -http2 = ["h2 (>=3,<5)"] -socks = ["socksio (>=1.0.0,<2.0.0)"] - [[package]] name = "idna" version = "3.4" 
@@ -803,25 +724,6 @@ MarkupSafe = ">=2.0" [package.extras] i18n = ["Babel (>=2.7)"] -[[package]] -name = "johnnycanencrypt" -version = "0.14.0" -description = "" -category = "main" -optional = false -python-versions = ">=3.8" -files = [ - {file = "johnnycanencrypt-0.14.0-cp310-cp310-manylinux_2_28_x86_64.whl", hash = "sha256:1725d4634649229f896644c439e3cac9ccc977a838cf6d3737a9af8b3a04e7d5"}, - {file = "johnnycanencrypt-0.14.0-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:2d9e21015e4740bf762b0cec9830b48ecf5807f4142f9ab47b5bad5503935bb5"}, - {file = "johnnycanencrypt-0.14.0-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:a76d0439e89039fe62507cac68ba43af2b30e6a6f9937c0e6fb4bd67aee93ed3"}, - {file = "johnnycanencrypt-0.14.0-cp38-cp38-manylinux_2_28_x86_64.whl", hash = "sha256:0e0420cb205dcfcd90950fc03904918bf7b95f87bc4a9ba9241a9facc2a981cf"}, - {file = "johnnycanencrypt-0.14.0-cp39-cp39-manylinux_2_28_x86_64.whl", hash = "sha256:8fdab8fac058606b5138ca577638874d04d8634a8f2ef07ee9703b1a81d01930"}, - {file = "johnnycanencrypt-0.14.0.tar.gz", hash = "sha256:323d8e7d538000bbee3fa45f39180d83e8ff07ceb741b320242ad45005e879ad"}, -] - -[package.dependencies] -httpx = "*" - [[package]] name = "lief" version = "0.12.3" @@ -1269,6 +1171,18 @@ files = [ asyncio-client = ["aiohttp (>=3.4)"] client = ["requests (>=2.21.0)", "websocket-client (>=0.54.0)"] +[[package]] +name = "python-gnupg" +version = "0.5.0" +description = "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)" +category = "main" +optional = false +python-versions = "*" +files = [ + {file = "python-gnupg-0.5.0.tar.gz", hash = "sha256:70758e387fc0e0c4badbcb394f61acbe68b34970a8fed7e0f7c89469fe17912a"}, + {file = "python_gnupg-0.5.0-py2.py3-none-any.whl", hash = "sha256:345723a03e67b82aba0ea8ae2328b2e4a3906fbe2c18c4082285c3b01068f270"}, +] + [[package]] name = "python-socketio" version = "5.7.2" 
@@ -1381,18 +1295,6 @@ files = [ {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"}, ] -[[package]] -name = "sniffio" -version = "1.3.0" -description = "Sniff out which async library your code is running under" -category = "main" -optional = false -python-versions = ">=3.7" -files = [ - {file = "sniffio-1.3.0-py3-none-any.whl", hash = "sha256:eecefdce1e5bbfb7ad2eeaabf7c1eeb404d7757c379bd1f7e5cce9d8bf425384"}, - {file = "sniffio-1.3.0.tar.gz", hash = "sha256:e60305c5e5d314f5389259b7f22aaa33d8f7dee49763119234af3755c55b9101"}, -] - [[package]] name = "stem" version = "1.8.1" @@ -1564,4 +1466,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"] [metadata] lock-version = "2.0" python-versions = ">=3.8,<3.11" -content-hash = "0c90ba138195f93705c79fc41dfaa22de4ed611fcaef63d42064e37c58916ae8" +content-hash = "d9feb340ebd14d40abcc105856b84d2275502e64a9c094081990501d606da084"
diff --git a/desktop/pyproject.toml b/desktop/pyproject.toml
index a43505b7..bea97ccc 100644
--- a/desktop/pyproject.toml
+++ b/desktop/pyproject.toml
@@ -11,7 +11,7 @@ onionshare_cli = {path = "../cli", develop = true}
 PySide6 = "6.4.0"
 qrcode = "*"
 werkzeug = "~2.0.3"
-johnnycanencrypt = "^0.14.0"
+python-gnupg = "^0.5.0"
 
 [tool.poetry.dev-dependencies]
 click = "*"
diff --git a/desktop/scripts/get-tor.py b/desktop/scripts/get-tor.py
index 30a86ed1..12bf0b50 100644
--- a/desktop/scripts/get-tor.py
+++ b/desktop/scripts/get-tor.py
@@ -9,11 +9,12 @@ import subprocess
 import requests
 import click
 import tempfile
-import johnnycanencrypt as jce
+import gnupg
 
 torbrowser_latest_url = (
     "https://aus1.torproject.org/torbrowser/update_3/release/downloads.json"
 )
+tor_dev_fingerprint = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
 
 # Common paths
 root_path = os.path.dirname(
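Review bot: `tor_dev_fingerprint` is the value every verify call in this patch pins the signature to, yet nothing records whose key it is or that it must be the *primary-key* fingerprint of the key bundled in `scripts/kounek7zrdx745qydx6p59t9mqjpuhdf`; a comment such as `# Primary-key fingerprint the detached signatures must chain back to; must match the key bundled in scripts/kounek7zrdx745qydx6p59t9mqjpuhdf (presumably the Tor Browser Developers signing key)` would make the pin auditable at a glance. Note also that python-gnupg is, per its own lockfile description, "A wrapper for the Gnu Privacy Guard", i.e. it shells out to a `gpg` binary, whereas the johnnycanencrypt wheels it replaces presumably carried their own OpenPGP implementation; `gnupg.GPG(...)` and every `verify_file` will therefore fail on a build host without GnuPG installed, which the script's setup notes should state. The hunk ends inside the module-level constant block; the functions that consume the constant are further down.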
@@ -35,7 +36,7 @@ def get_latest_tor_version_urls(platform):
     return platform_url, platform_filename, platform_sig_url
 
 
-def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
+def get_tor_windows(gpg, torkey, win_url, win_filename, expected_win_sig):
     bin_filenames = ["tor.exe"]
 
     # Build paths
@@ -60,8 +61,10 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
     open(win_sig_path, "wb").write(r.content)
 
     # Verify the signature
-    if not ks.verify_file_detached(torkey, win_path, win_sig_path):
-        print("ERROR! The .exe file verification with the signature failed!")
+    sig_stream = open(win_sig_path, "rb")
+    verified = gpg.verify_file(sig_stream, win_path)
+    if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
+        print("ERROR! The tarball verification with the signature failed!")
         sys.exit(-1)
     print("Tor Browser verification successful!")
 
@@ -107,7 +110,7 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
     update_tor_bridges()
 
 
-def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
+def get_tor_macos(gpg, torkey, macos_url, macos_filename, expected_macos_sig):
     # Build paths
     dmg_tor_path = os.path.join(
         "/Volumes", "Tor Browser", "Tor Browser.app", "Contents"
@@ -135,8 +138,10 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
     open(dmg_sig_path, "wb").write(r.content)
 
     # Verify the signature
-    if not ks.verify_file_detached(torkey, dmg_path, dmg_sig_path):
-        print("ERROR! The dmg file verification with the signature failed!")
+    sig_stream = open(dmg_sig_path, "rb")
+    verified = gpg.verify_file(sig_stream, dmg_path)
+    if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
+        print("ERROR! The tarball verification with the signature failed!")
         sys.exit(-1)
     print("Tor Browser verification successful!")
 
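Review bot: The rewritten Windows check reports `The tarball verification with the signature failed!` although the artefact being verified is the `.exe`; the removed line had the accurate wording, so this is a copy-paste regression that will mislead whoever reads a failing build log — keep `print("ERROR! The .exe file verification with the signature failed!")`. `sig_stream = open(win_sig_path, "rb")` is also handed off without a `with`; I believe python-gnupg's `verify_file` closes the stream itself by default, but relying on that is implicit, so `with open(win_sig_path, "rb") as sig_stream: verified = gpg.verify_file(sig_stream, win_path)` makes ownership explicit and costs nothing. Requiring both `verified.valid` and `pubkey_fingerprint == tor_dev_fingerprint` is the right test: `valid` alone would accept any key that happens to be in the keyring, and comparing the primary-key fingerprint rather than the signing key's keeps the check correct if the signature is made by a subkey. `torkey` is no longer read anywhere in this function after the change; get_tor_windows starts before the hunk and continues past it.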
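Review bot: Same copy-paste as in the Windows branch: the macOS failure path now prints `tarball` where the removed line correctly said `dmg file`, so restore `print("ERROR! The dmg file verification with the signature failed!")`. The `open(dmg_sig_path, "rb")` stream should likewise be scoped with `with`, and the `torkey` parameter is unused in this function after the rewrite. get_tor_macos begins before this hunk and continues past it.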
@@ -170,7 +175,7 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
     update_tor_bridges()
 
 
-def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_sig):
+def get_tor_linux64(gpg, torkey, linux64_url, linux64_filename, expected_linux64_sig):
     # Build paths
     tarball_path = os.path.join(working_path, linux64_filename)
     tarball_sig_path = os.path.join(working_path, f"{linux64_filename}.asc")
@@ -196,7 +201,9 @@ def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_
     open(tarball_sig_path, "wb").write(r.content)
 
     # Verify signature
-    if not ks.verify_file_detached(torkey, tarball_path, tarball_sig_path):
+    sig_stream = open(tarball_sig_path, "rb")
+    verified = gpg.verify_file(sig_stream, tarball_path)
+    if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
         print("ERROR! The tarball verification with the signature failed!")
         sys.exit(-1)
 
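Review bot: After this patch the Windows, macOS and Linux branches each carry an identical open/verify/compare/exit sequence, differing only in the paths and in a failure message that the other two copies now get wrong; the linux64 copy here is the only one whose `tarball` wording is accurate. One module-level helper that opens the signature under `with`, calls `gpg.verify_file`, checks `valid` together with the pinned `pubkey_fingerprint`, and exits with a message naming the artefact would stop the three copies drifting, and the now-unused `torkey` parameter could be dropped from the three signatures at the same time. The helper would sit next to `tor_dev_fingerprint`; the verify-success print stays in the callers, and get_tor_linux64 continues outside the hunk.
```python
def verify_tor_signature(gpg, data_path, sig_path, what):
    """Exit with an error unless sig_path is a good detached signature over
    data_path made under the key whose primary fingerprint is tor_dev_fingerprint."""
    with open(sig_path, "rb") as sig_stream:
        verified = gpg.verify_file(sig_stream, data_path)
    if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
        print(f"ERROR! The {what} verification with the signature failed!")
        sys.exit(-1)

# … unchanged: tarball and signature download in get_tor_linux64 …
    verify_tor_signature(gpg, tarball_path, tarball_sig_path, "tarball")
```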
@@ -314,18 +321,18 @@ def main(platform):
         expected_platform_sig,
     ) = get_latest_tor_version_urls(platform)
     tmpdir = tempfile.TemporaryDirectory()
-    ks = jce.KeyStore(tmpdir.name)
-    torkey = ks.import_key(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
-    print(f"Tor GPG key: {torkey}")
+    gpg = gnupg.GPG(gnupghome=tmpdir.name)
+    torkey = gpg.import_keys_file(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
+    print(f"Imported Tor GPG key: {torkey.fingerprints}")
 
     if platform == "win32":
-        get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     elif platform == "win64":
-        get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     elif platform == "macos":
-        get_tor_macos(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_macos(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     elif platform == "linux64":
-        get_tor_linux64(ks, torkey, platform_url, platform_filename, expected_platform_sig)
+        get_tor_linux64(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
     else:
         click.echo("invalid platform")
 
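Review bot: `torkey = gpg.import_keys_file(...)` never checks that the import produced the key the verify calls pin on; if the bundled key file is missing, unreadable or has been swapped, `torkey.fingerprints` is merely printed and the run only dies later with the generic signature-failure message, which hides the real cause. Fail fast right after the import: `if tor_dev_fingerprint not in torkey.fingerprints:` / `print(f"ERROR! Expected Tor GPG key {tor_dev_fingerprint}, imported {torkey.fingerprints}")` / `sys.exit(-1)`, ahead of the existing print. Because `gnupghome` is a fresh temporary directory, this imported key plus the fingerprint pin are the entire trust root for the download, so it is worth a one-line comment saying so on the `gnupg.GPG(...)` line. After that check `torkey` only feeds the print, and the four platform functions no longer read it, so it could be dropped from their argument lists; main starts before the hunk.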