mirror of
https://github.com/onionshare/onionshare.git
synced 2025-01-09 19:27:28 -03:00
Uses python-gnupg instead of jce
parent
d970cf1148
commit
a734bbfd61
3 changed files with 37 additions and 128 deletions
124
desktop/poetry.lock
generated
124
desktop/poetry.lock
generated
|
@ -1,26 +1,5 @@
|
|||
# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.
|
||||
|
||||
[[package]]
|
||||
name = "anyio"
|
||||
version = "3.6.2"
|
||||
description = "High level compatibility layer for multiple asynchronous event loop implementations"
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = ">=3.6.2"
|
||||
files = [
|
||||
{file = "anyio-3.6.2-py3-none-any.whl", hash = "sha256:fbbe32bd270d2a2ef3ed1c5d45041250284e31fc0a4df4a5a6071842051a51e3"},
|
||||
{file = "anyio-3.6.2.tar.gz", hash = "sha256:25ea0d673ae30af41a0c442f81cf3b38c7e79fdc7b60335a4c14e05eb0947421"},
|
||||
]
|
||||
|
||||
[package.dependencies]
|
||||
idna = ">=2.8"
|
||||
sniffio = ">=1.1"
|
||||
|
||||
[package.extras]
|
||||
doc = ["packaging", "sphinx-autodoc-typehints (>=1.2.0)", "sphinx-rtd-theme"]
|
||||
test = ["contextlib2", "coverage[toml] (>=4.5)", "hypothesis (>=4.0)", "mock (>=4)", "pytest (>=7.0)", "pytest-mock (>=3.6.1)", "trustme", "uvloop (<0.15)", "uvloop (>=0.15)"]
|
||||
trio = ["trio (>=0.16,<0.22)"]
|
||||
|
||||
[[package]]
|
||||
name = "attrs"
|
||||
version = "22.2.0"
|
||||
|
@ -671,64 +650,6 @@ files = [
|
|||
docs = ["Sphinx", "docutils (<0.18)"]
|
||||
test = ["objgraph", "psutil"]
|
||||
|
||||
[[package]]
|
||||
name = "h11"
|
||||
version = "0.14.0"
|
||||
description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1"
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = ">=3.7"
|
||||
files = [
|
||||
{file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"},
|
||||
{file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"},
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "httpcore"
|
||||
version = "0.17.0"
|
||||
description = "A minimal low-level HTTP client."
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = ">=3.7"
|
||||
files = [
|
||||
{file = "httpcore-0.17.0-py3-none-any.whl", hash = "sha256:0fdfea45e94f0c9fd96eab9286077f9ff788dd186635ae61b312693e4d943599"},
|
||||
{file = "httpcore-0.17.0.tar.gz", hash = "sha256:cc045a3241afbf60ce056202301b4d8b6af08845e3294055eb26b09913ef903c"},
|
||||
]
|
||||
|
||||
[package.dependencies]
|
||||
anyio = ">=3.0,<5.0"
|
||||
certifi = "*"
|
||||
h11 = ">=0.13,<0.15"
|
||||
sniffio = ">=1.0.0,<2.0.0"
|
||||
|
||||
[package.extras]
|
||||
http2 = ["h2 (>=3,<5)"]
|
||||
socks = ["socksio (>=1.0.0,<2.0.0)"]
|
||||
|
||||
[[package]]
|
||||
name = "httpx"
|
||||
version = "0.24.0"
|
||||
description = "The next generation HTTP client."
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = ">=3.7"
|
||||
files = [
|
||||
{file = "httpx-0.24.0-py3-none-any.whl", hash = "sha256:447556b50c1921c351ea54b4fe79d91b724ed2b027462ab9a329465d147d5a4e"},
|
||||
{file = "httpx-0.24.0.tar.gz", hash = "sha256:507d676fc3e26110d41df7d35ebd8b3b8585052450f4097401c9be59d928c63e"},
|
||||
]
|
||||
|
||||
[package.dependencies]
|
||||
certifi = "*"
|
||||
httpcore = ">=0.15.0,<0.18.0"
|
||||
idna = "*"
|
||||
sniffio = "*"
|
||||
|
||||
[package.extras]
|
||||
brotli = ["brotli", "brotlicffi"]
|
||||
cli = ["click (>=8.0.0,<9.0.0)", "pygments (>=2.0.0,<3.0.0)", "rich (>=10,<14)"]
|
||||
http2 = ["h2 (>=3,<5)"]
|
||||
socks = ["socksio (>=1.0.0,<2.0.0)"]
|
||||
|
||||
[[package]]
|
||||
name = "idna"
|
||||
version = "3.4"
|
||||
|
@ -803,25 +724,6 @@ MarkupSafe = ">=2.0"
|
|||
[package.extras]
|
||||
i18n = ["Babel (>=2.7)"]
|
||||
|
||||
[[package]]
|
||||
name = "johnnycanencrypt"
|
||||
version = "0.14.0"
|
||||
description = ""
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = ">=3.8"
|
||||
files = [
|
||||
{file = "johnnycanencrypt-0.14.0-cp310-cp310-manylinux_2_28_x86_64.whl", hash = "sha256:1725d4634649229f896644c439e3cac9ccc977a838cf6d3737a9af8b3a04e7d5"},
|
||||
{file = "johnnycanencrypt-0.14.0-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:2d9e21015e4740bf762b0cec9830b48ecf5807f4142f9ab47b5bad5503935bb5"},
|
||||
{file = "johnnycanencrypt-0.14.0-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:a76d0439e89039fe62507cac68ba43af2b30e6a6f9937c0e6fb4bd67aee93ed3"},
|
||||
{file = "johnnycanencrypt-0.14.0-cp38-cp38-manylinux_2_28_x86_64.whl", hash = "sha256:0e0420cb205dcfcd90950fc03904918bf7b95f87bc4a9ba9241a9facc2a981cf"},
|
||||
{file = "johnnycanencrypt-0.14.0-cp39-cp39-manylinux_2_28_x86_64.whl", hash = "sha256:8fdab8fac058606b5138ca577638874d04d8634a8f2ef07ee9703b1a81d01930"},
|
||||
{file = "johnnycanencrypt-0.14.0.tar.gz", hash = "sha256:323d8e7d538000bbee3fa45f39180d83e8ff07ceb741b320242ad45005e879ad"},
|
||||
]
|
||||
|
||||
[package.dependencies]
|
||||
httpx = "*"
|
||||
|
||||
[[package]]
|
||||
name = "lief"
|
||||
version = "0.12.3"
|
||||
|
@ -1269,6 +1171,18 @@ files = [
|
|||
asyncio-client = ["aiohttp (>=3.4)"]
|
||||
client = ["requests (>=2.21.0)", "websocket-client (>=0.54.0)"]
|
||||
|
||||
[[package]]
|
||||
name = "python-gnupg"
|
||||
version = "0.5.0"
|
||||
description = "A wrapper for the Gnu Privacy Guard (GPG or GnuPG)"
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = "*"
|
||||
files = [
|
||||
{file = "python-gnupg-0.5.0.tar.gz", hash = "sha256:70758e387fc0e0c4badbcb394f61acbe68b34970a8fed7e0f7c89469fe17912a"},
|
||||
{file = "python_gnupg-0.5.0-py2.py3-none-any.whl", hash = "sha256:345723a03e67b82aba0ea8ae2328b2e4a3906fbe2c18c4082285c3b01068f270"},
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "python-socketio"
|
||||
version = "5.7.2"
|
||||
|
@ -1381,18 +1295,6 @@ files = [
|
|||
{file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"},
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "sniffio"
|
||||
version = "1.3.0"
|
||||
description = "Sniff out which async library your code is running under"
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = ">=3.7"
|
||||
files = [
|
||||
{file = "sniffio-1.3.0-py3-none-any.whl", hash = "sha256:eecefdce1e5bbfb7ad2eeaabf7c1eeb404d7757c379bd1f7e5cce9d8bf425384"},
|
||||
{file = "sniffio-1.3.0.tar.gz", hash = "sha256:e60305c5e5d314f5389259b7f22aaa33d8f7dee49763119234af3755c55b9101"},
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "stem"
|
||||
version = "1.8.1"
|
||||
|
@ -1564,4 +1466,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
|
|||
[metadata]
|
||||
lock-version = "2.0"
|
||||
python-versions = ">=3.8,<3.11"
|
||||
content-hash = "0c90ba138195f93705c79fc41dfaa22de4ed611fcaef63d42064e37c58916ae8"
|
||||
content-hash = "d9feb340ebd14d40abcc105856b84d2275502e64a9c094081990501d606da084"
|
||||
|
|
|
@ -11,7 +11,7 @@ onionshare_cli = {path = "../cli", develop = true}
|
|||
PySide6 = "6.4.0"
|
||||
qrcode = "*"
|
||||
werkzeug = "~2.0.3"
|
||||
johnnycanencrypt = "^0.14.0"
|
||||
python-gnupg = "^0.5.0"
|
||||
|
||||
[tool.poetry.dev-dependencies]
|
||||
click = "*"
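Review bot: The new entry `python-gnupg = "^0.5.0"` changes what performs the signature check: python-gnupg is a wrapper that runs the `gpg` executable, so verification now depends on whichever GnuPG binary is found on the build machine rather than on a library pinned in the lock file. Nothing in this section records that requirement; a comment above the entry such as `# needs a GnuPG executable on PATH (used by the Tor download script)` would document it. If a specific binary is expected, the script can pass `gpgbinary=` to `gnupg.GPG(...)`. The file name for this section is not visible on the page, so this assumes it is the desktop project's Poetry manifest.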
|
||||
|
|
|
@ -9,11 +9,12 @@ import subprocess
|
|||
import requests
|
||||
import click
|
||||
import tempfile
|
||||
import johnnycanencrypt as jce
|
||||
import gnupg
|
||||
|
||||
torbrowser_latest_url = (
|
||||
"https://aus1.torproject.org/torbrowser/update_3/release/downloads.json"
|
||||
)
|
||||
tor_dev_fingerprint = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
|
||||
|
||||
# Common paths
|
||||
root_path = os.path.dirname(
|
||||
|
@ -35,7 +36,7 @@ def get_latest_tor_version_urls(platform):
|
|||
return platform_url, platform_filename, platform_sig_url
|
||||
|
||||
|
||||
def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
|
||||
def get_tor_windows(gpg, torkey, win_url, win_filename, expected_win_sig):
|
||||
bin_filenames = ["tor.exe"]
|
||||
|
||||
# Build paths
|
||||
|
@ -60,8 +61,10 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
|
|||
open(win_sig_path, "wb").write(r.content)
|
||||
|
||||
# Verify the signature
|
||||
if not ks.verify_file_detached(torkey, win_path, win_sig_path):
|
||||
print("ERROR! The .exe file verification with the signature failed!")
|
||||
sig_stream = open(win_sig_path, "rb")
|
||||
verified = gpg.verify_file(sig_stream, win_path)
|
||||
if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
|
||||
print("ERROR! The tarball verification with the signature failed!")
|
||||
sys.exit(-1)
|
||||
|
||||
print("Tor Browser verification successful!")
|
||||
|
@ -107,7 +110,7 @@ def get_tor_windows(ks, torkey, win_url, win_filename, expected_win_sig):
|
|||
update_tor_bridges()
|
||||
|
||||
|
||||
def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
|
||||
def get_tor_macos(gpg, torkey, macos_url, macos_filename, expected_macos_sig):
|
||||
# Build paths
|
||||
dmg_tor_path = os.path.join(
|
||||
"/Volumes", "Tor Browser", "Tor Browser.app", "Contents"
|
||||
|
@ -135,8 +138,10 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
|
|||
open(dmg_sig_path, "wb").write(r.content)
|
||||
|
||||
# Verify the signature
|
||||
if not ks.verify_file_detached(torkey, dmg_path, dmg_sig_path):
|
||||
print("ERROR! The dmg file verification with the signature failed!")
|
||||
sig_stream = open(dmg_sig_path, "rb")
|
||||
verified = gpg.verify_file(sig_stream, dmg_path)
|
||||
if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
|
||||
print("ERROR! The tarball verification with the signature failed!")
|
||||
sys.exit(-1)
|
||||
|
||||
print("Tor Browser verification successful!")
|
||||
|
@ -170,7 +175,7 @@ def get_tor_macos(ks, torkey, macos_url, macos_filename, expected_macos_sig):
|
|||
update_tor_bridges()
|
||||
|
||||
|
||||
def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_sig):
|
||||
def get_tor_linux64(gpg, torkey, linux64_url, linux64_filename, expected_linux64_sig):
|
||||
# Build paths
|
||||
tarball_path = os.path.join(working_path, linux64_filename)
|
||||
tarball_sig_path = os.path.join(working_path, f"{linux64_filename}.asc")
|
||||
|
@ -196,7 +201,9 @@ def get_tor_linux64(ks, torkey, linux64_url, linux64_filename, expected_linux64_
|
|||
open(tarball_sig_path, "wb").write(r.content)
|
||||
|
||||
# Verify signature
|
||||
if not ks.verify_file_detached(torkey, tarball_path, tarball_sig_path):
|
||||
sig_stream = open(tarball_sig_path, "rb")
|
||||
verified = gpg.verify_file(sig_stream, tarball_path)
|
||||
if not verified.valid or verified.pubkey_fingerprint != tor_dev_fingerprint:
|
||||
print("ERROR! The tarball verification with the signature failed!")
|
||||
sys.exit(-1)
|
||||
|
||||
|
@ -314,18 +321,18 @@ def main(platform):
|
|||
expected_platform_sig,
|
||||
) = get_latest_tor_version_urls(platform)
|
||||
tmpdir = tempfile.TemporaryDirectory()
|
||||
ks = jce.KeyStore(tmpdir.name)
|
||||
torkey = ks.import_key(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
|
||||
print(f"Tor GPG key: {torkey}")
|
||||
gpg = gnupg.GPG(gnupghome=tmpdir.name)
|
||||
torkey = gpg.import_keys_file(os.path.join(root_path, "scripts", "kounek7zrdx745qydx6p59t9mqjpuhdf"))
|
||||
print(f"Imported Tor GPG key: {torkey.fingerprints}")
|
||||
|
||||
if platform == "win32":
|
||||
get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
elif platform == "win64":
|
||||
get_tor_windows(ks, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
get_tor_windows(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
elif platform == "macos":
|
||||
get_tor_macos(ks, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
get_tor_macos(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
elif platform == "linux64":
|
||||
get_tor_linux64(ks, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
get_tor_linux64(gpg, torkey, platform_url, platform_filename, expected_platform_sig)
|
||||
else:
|
||||
click.echo("invalid platform")
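Review bot: The three verification hunks open the signature with `sig_stream = open(win_sig_path, "rb")` (likewise for `dmg_sig_path` and `tarball_sig_path`) and never close it; `with open(win_sig_path, "rb") as sig_stream:` followed by `verified = gpg.verify_file(sig_stream, win_path)` closes the handle once verification returns. The check itself, `verified.valid` plus a comparison of `verified.pubkey_fingerprint` with the pinned `tor_dev_fingerprint`, fails closed, but the Windows and macOS branches now print the Linux message ("The tarball verification…"), which misreports which artifact failed. In `main`, the result of `gpg.import_keys_file(...)` is only printed; `if tor_dev_fingerprint not in torkey.fingerprints: sys.exit(-1)` would stop early with a clear cause when the bundled key file is missing or is not the expected key, and the `torkey` argument is no longer used by the `get_tor_*` functions. The bodies of those functions continue outside the hunks shown.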
|
||||
|
||||
|
|