[Pkg-privacy-commits] [torbrowser-launcher] 16/21: Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180)

Holger Levsen holger at moszumanska.debian.org
Fri Nov 13 17:54:02 UTC 2015


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag debian/0.2.1-1
in repository torbrowser-launcher.

commit ab141ee869432fdebbb4009dc1cc5331c3e5fbd5
Author: Micah Lee <micah at micahflee.com>
Date:   Thu Nov 5 19:39:16 2015 -0800

    Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180)
---
 torbrowser_launcher/common.py   |  7 +++----
 torbrowser_launcher/launcher.py | 32 ++++++++++++++------------------
 2 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/torbrowser_launcher/common.py b/torbrowser_launcher/common.py
index 421cf4f..2df0161 100644
--- a/torbrowser_launcher/common.py
+++ b/torbrowser_launcher/common.py
@@ -118,10 +118,9 @@ class Common:
             self.paths['tarball_filename'] = tarball_filename
 
             # sig
-            self.paths['sha256_file'] = tbb_cache+'/download/sha256sums.txt'
-            self.paths['sha256_sig_file'] = tbb_cache+'/download/sha256sums.txt.asc'
-            self.paths['sha256_url'] = '{0}torbrowser/'+tbb_version+'/sha256sums.txt'
-            self.paths['sha256_sig_url'] = '{0}torbrowser/'+tbb_version+'/sha256sums.txt.asc'
+            self.paths['sig_url'] = '{0}torbrowser/'+tbb_version+'/'+tarball_filename+'.asc'
+            self.paths['sig_file'] = tbb_cache+'/download/'+tarball_filename+'.asc'
+            self.paths['sig_filename'] = tarball_filename+'.asc'
         else:
             self.paths = {
                 'dirs': {
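Review bot: The expression `tarball_filename+'.asc'` is built three times in the added lines, so the signature URL, cache path and filename can drift apart if one of them is edited later. Compute it once, e.g. `sig_filename = tarball_filename+'.asc'`, and reuse it as in `self.paths['sig_file'] = tbb_cache+'/download/'+sig_filename`. The `# sig` comment could also state that this is the detached PGP signature of the tarball and that its URL uses the same `{0}` mirror placeholder as the tarball URL. The enclosing method starts and ends outside the hunk.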
diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
index 1d0575b..fb6d44f 100644
--- a/torbrowser_launcher/launcher.py
+++ b/torbrowser_launcher/launcher.py
@@ -161,6 +161,12 @@ class Launcher:
 
         start = self.common.paths['tbb']['start']
         if os.path.isfile(start) and os.access(start, os.X_OK):
+            self.set_gui('task', _("testing verify"),
+                         ['verify',
+                          'extract',
+                          'run'])
+            return
+
             if installed_version == latest_version:
                 print _('Latest version of TBB is installed, launching')
                 # current version of tbb is installed, launch it
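Review bot: The block added at the top of the `if os.path.isfile(start) and os.access(start, os.X_OK):` branch looks like leftover test scaffolding. It queues `['verify', 'extract', 'run']` under the label "testing verify" and then returns, so the `installed_version == latest_version` comparison and the upgrade path below it are never reached once a browser is installed. It also runs `verify` with no download step before it, so the check is made against whatever signature and tarball happen to be in the cache. The six added lines should be dropped before this ships. The enclosing method begins and ends outside the hunk.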
@@ -170,8 +176,7 @@ class Launcher:
                 print _('TBB is out of date, attempting to upgrade to {0}'.format(latest_version))
                 # there is a tbb upgrade available
                 self.set_gui('task', _("Your Tor Browser is out of date. Upgrading from {0} to {1}.".format(installed_version, latest_version)),
-                             ['download_sha256',
-                              'download_sha256_sig',
+                             ['download_sig',
                               'download_tarball',
                               'verify',
                               'extract',
@@ -184,8 +189,7 @@ class Launcher:
         else:
             print _('TBB is not installed, attempting to install {0}'.format(latest_version))
             self.set_gui('task', _("Downloading and installing Tor Browser for the first time."),
-                         ['download_sha256',
-                          'download_sha256_sig',
+                         ['download_sig',
                           'download_tarball',
                           'verify',
                           'extract',
@@ -329,13 +333,9 @@ class Launcher:
             print _('Checking to see if update is needed')
             self.attempt_update()
 
-        elif task == 'download_sha256':
-            print _('Downloading'), self.common.paths['sha256_url'].format(self.common.settings['mirror'])
-            self.download('signature', self.common.paths['sha256_url'], self.common.paths['sha256_file'])
-
-        elif task == 'download_sha256_sig':
-            print _('Downloading'), self.common.paths['sha256_sig_url'].format(self.common.settings['mirror'])
-            self.download('signature', self.common.paths['sha256_sig_url'], self.common.paths['sha256_sig_file'])
+        elif task == 'download_sig':
+            print _('Downloading'), self.common.paths['sig_url'].format(self.common.settings['mirror'])
+            self.download('signature', self.common.paths['sig_url'], self.common.paths['sig_file'])
 
         elif task == 'download_tarball':
             print _('Downloading'), self.common.paths['tarball_url'].format(self.common.settings['mirror'])
@@ -543,17 +543,13 @@ class Launcher:
         self.progressbar.set_text(_('Verifying Signature'))
         self.progressbar.show()
 
+        # verify the PGP signature
         verified = False
-        # check the sha256 file's sig, and also take the sha256 of the tarball and compare
         FNULL = open(os.devnull, 'w')
-        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sha256_sig_file']], stdout=FNULL, stderr=subprocess.STDOUT)
+        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file']], stdout=FNULL, stderr=subprocess.STDOUT)
         self.pulse_until_process_exits(p)
         if p.returncode == 0:
-            # compare with sha256 of the tarball
-            tarball_sha256 = hashlib.sha256(open(self.common.paths['tarball_file'], 'r').read()).hexdigest()
-            for line in open(self.common.paths['sha256_file'], 'r').readlines():
-                if tarball_sha256.lower() in line.lower() and self.common.paths['tarball_filename'] in line:
-                    verified = True
+            verified = True
 
         if verified:
             self.run_task()
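Review bot: The new `gpg --verify` call passes only `self.common.paths['sig_file']`, so gpg itself decides which data the signature covers, and nothing in this hunk ties a zero exit status to the tarball that is extracted next. The removed SHA-256 comparison was the only step that read `tarball_file`. If the downloaded `.asc` is not a detached signature but a signed message carrying its own content, `verified = True` says nothing about the tarball. Name the signed file explicitly: `'--verify', self.common.paths['sig_file'], self.common.paths['tarball_file']`. Exit status 0 also accepts a good signature from any key in `gnupg_homedir`, so that keyring presumably has to hold only the expected signing key; the enclosing method starts and ends outside the hunk.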

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git


