[Pkg-privacy-commits] [torbrowser-launcher] 07/11: ab141ee Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180)

Holger Levsen holger at moszumanska.debian.org
Sat Jan 16 12:31:44 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch debian/jessie
in repository torbrowser-launcher.

commit 95bfa31ee13c8791d0dbdeb3391ff65e55592b40
Author: Holger Levsen <holger at layer-acht.org>
Date:   Sat Jan 16 13:00:35 2016 +0100

    ab141ee Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180)
---
 debian/changelog                                   |   1 +
 ...sha256sums.txt-and-sha256sums.txt.asc-fix.patch | 108 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 110 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d7b591a..b308d0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,7 @@ torbrowser-launcher (0.1.9-1+deb8u2) UNRELEASED; urgency=medium
       make it work again (based on 70c750e).
     - e07beac Get stable version using torbrowser updater xml.
       (Closes: #804184)
+    - ab141ee Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180)
 
  -- Holger Levsen <holger at debian.org>  Fri, 15 Jan 2016 20:46:52 +0100
 
diff --git a/debian/patches/0007-Stop-using-sha256sums.txt-and-sha256sums.txt.asc-fix.patch b/debian/patches/0007-Stop-using-sha256sums.txt-and-sha256sums.txt.asc-fix.patch
new file mode 100644
index 0000000..6e3b71d
--- /dev/null
+++ b/debian/patches/0007-Stop-using-sha256sums.txt-and-sha256sums.txt.asc-fix.patch
@@ -0,0 +1,108 @@
+From 29838399e416968413e3d36cab7668c666caf921 Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Thu, 5 Nov 2015 19:39:16 -0800
+Subject: [PATCH] Stop using sha256sums.txt and sha256sums.txt.asc (fixes #180)
+
+Conflicts resolved:
+	torbrowser_launcher/launcher.py
+---
+ torbrowser_launcher/common.py   |  7 +++----
+ torbrowser_launcher/launcher.py | 33 +++++++++++++++------------------
+ 2 files changed, 18 insertions(+), 22 deletions(-)
+
+diff --git a/torbrowser_launcher/common.py b/torbrowser_launcher/common.py
+index d79b32a..86243b0 100644
+--- a/torbrowser_launcher/common.py
++++ b/torbrowser_launcher/common.py
+@@ -119,10 +119,9 @@ class Common:
+             self.paths['tarball_filename'] = tarball_filename
+ 
+             # sig
+-            self.paths['sha256_file'] = tbb_cache+'/download/sha256sums.txt'
+-            self.paths['sha256_sig_file'] = tbb_cache+'/download/sha256sums.txt.asc'
+-            self.paths['sha256_url'] = '{0}torbrowser/'+tbb_version+'/sha256sums.txt'
+-            self.paths['sha256_sig_url'] = '{0}torbrowser/'+tbb_version+'/sha256sums.txt.asc'
++            self.paths['sig_url'] = '{0}torbrowser/'+tbb_version+'/'+tarball_filename+'.asc'
++            self.paths['sig_file'] = tbb_cache+'/download/'+tarball_filename+'.asc'
++            self.paths['sig_filename'] = tarball_filename+'.asc'
+         else:
+             self.paths = {
+                 'dirs': {
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index 4ff6bbe..afababf 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -148,6 +148,12 @@ class Launcher:
+ 
+         start = self.common.paths['tbb']['start']
+         if os.path.isfile(start) and os.access(start, os.X_OK):
++            self.set_gui('task', _("testing verify"),
++                         ['verify',
++                          'extract',
++                          'run'])
++            return
++
+             if installed_version == latest_version:
+                 print _('Latest version of TBB is installed, launching')
+                 # current version of tbb is installed, launch it
+@@ -157,8 +163,7 @@ class Launcher:
+                 print _('TBB is out of date, attempting to upgrade to {0}'.format(latest_version))
+                 # there is a tbb upgrade available
+                 self.set_gui('task', _("Your Tor Browser is out of date. Upgrading from {0} to {1}.".format(installed_version, latest_version)),
+-                             ['download_sha256',
+-                              'download_sha256_sig',
++                             ['download_sig',
+                               'download_tarball',
+                               'verify',
+                               'extract',
+@@ -171,8 +176,7 @@ class Launcher:
+         else:
+             print _('TBB is not installed, attempting to install {0}'.format(latest_version))
+             self.set_gui('task', _("Downloading and installing Tor Browser for the first time."),
+-                         ['download_sha256',
+-                          'download_sha256_sig',
++                         ['download_sig',
+                           'download_tarball',
+                           'verify',
+                           'extract',
+@@ -317,13 +321,9 @@ class Launcher:
+             print _('Checking to see if update is needed')
+             self.attempt_update()
+ 
+-        elif task == 'download_sha256':
+-            print _('Downloading'), self.common.paths['sha256_url'].format(self.common.settings['mirror'])
+-            self.download('signature', self.common.paths['sha256_url'], self.common.paths['sha256_file'])
+-
+-        elif task == 'download_sha256_sig':
+-            print _('Downloading'), self.common.paths['sha256_sig_url'].format(self.common.settings['mirror'])
+-            self.download('signature', self.common.paths['sha256_sig_url'], self.common.paths['sha256_sig_file'])
++        elif task == 'download_sig':
++            print _('Downloading'), self.common.paths['sig_url'].format(self.common.settings['mirror'])
++            self.download('signature', self.common.paths['sig_url'], self.common.paths['sig_file'])
+ 
+         elif task == 'download_tarball':
+             print _('Downloading'), self.common.paths['tarball_url'].format(self.common.settings['mirror'])
+@@ -533,16 +533,13 @@ class Launcher:
+         self.progressbar.set_text(_('Verifying Signature'))
+         self.progressbar.show()
+ 
++        # verify the PGP signature
+         verified = False
+-        # check the sha256 file's sig, and also take the sha256 of the tarball and compare
+-        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sha256_sig_file']])
++        FNULL = open(os.devnull, 'w')
++        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file']], stdout=FNULL, stderr=subprocess.STDOUT)
+         self.pulse_until_process_exits(p)
+         if p.returncode == 0:
+-            # compare with sha256 of the tarball
+-            tarball_sha256 = hashlib.sha256(open(self.common.paths['tarball_file'], 'r').read()).hexdigest()
+-            for line in open(self.common.paths['sha256_file'], 'r').readlines():
+-                if tarball_sha256.lower() in line.lower() and self.common.paths['tarball_filename'] in line:
+-                    verified = True
++            verified = True
+ 
+         if verified:
+             self.run_task()
+-- 
+1.9.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 803f9fa..5aef45b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 0004-Stop-confining-start-tor-browser-script-with-AppArmo.patch
 0005-Set-torbrowser.start-tor-browser-and-usr.bin.torbrow.patch
 0006-Get-stable-version-using-torbrowser-updater-xml.patch
+0007-Stop-using-sha256sums.txt-and-sha256sums.txt.asc-fix.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git



More information about the Pkg-privacy-commits mailing list