[Pkg-privacy-commits] [torbrowser-launcher] 31/48: Use HKPS for GPG key refresh, add sks-keyservers' CA cert.

Roger Shimizu rosh at moszumanska.debian.org
Mon Sep 4 16:42:34 UTC 2017 

This is an automated email from the git hooks/post-receive script.

rosh pushed a commit to branch debian/sid
in repository torbrowser-launcher.

commit 445834e9c4fcab722f02a90eafe3d54002a851f7
Author: Dan Snider <dan at dephekt.net>
Date:   Sat Apr 22 10:17:33 2017 -0500

    Use HKPS for GPG key refresh, add sks-keyservers' CA cert.
---
 share/torbrowser-launcher/sks-keyservers.netCA.pem | 32 ++++++++++++++++++++++
 torbrowser_launcher/common.py                      |  8 +++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/share/torbrowser-launcher/sks-keyservers.netCA.pem b/share/torbrowser-launcher/sks-keyservers.netCA.pem
new file mode 100644
index 0000000..24a2ad2
--- /dev/null
+++ b/share/torbrowser-launcher/sks-keyservers.netCA.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
+BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
+ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
+MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
+c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
+cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
+6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
+MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
+45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
+FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
+Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
+aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
+MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
+u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
+p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
+fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
+A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
+TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
+OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
+gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
+X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
+gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
+UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
+lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
+BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
+cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
+f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
+ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
+WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
+-----END CERTIFICATE-----
diff --git a/torbrowser_launcher/common.py b/torbrowser_launcher/common.py
index d9eab99..edad35a 100644
--- a/torbrowser_launcher/common.py
+++ b/torbrowser_launcher/common.py
@@ -158,6 +158,7 @@ class Common:
                 'tbl_bin': sys.argv[0],
                 'icon_file': os.path.join(os.path.dirname(SHARE), 'pixmaps/torbrowser.png'),
                 'torproject_pem': os.path.join(SHARE, 'torproject.pem'),
+                'keyserver_ca': os.path.join(SHARE, 'sks-keyservers.netCA.pem'),
                 'signing_keys': {
                     'tor_browser_developers': os.path.join(SHARE, 'tor-browser-developers.asc')
                 },
@@ -208,8 +209,13 @@ class Common:
     def refresh_keyring(self, fingerprint=None):
         p = subprocess.Popen(['/usr/bin/gpg', '--status-fd', '2',
                               '--homedir', self.paths['gnupg_homedir'],
-                              '--keyserver', 'pool.sks-keyservers.net',
+                              '--keyserver', 'hkps://hkps.pool.sks-keyservers.net',
+                              '--keyserver-options', 'ca-cert-file=' + self.paths['keyserver_ca']
+                              + ',include-revoked,no-honor-keyserver-url,no-honor-pka-record',
                               '--refresh-keys'], stderr=subprocess.PIPE)
+        p.wait()
+        for output in p.stderr.readlines():
+            print(str(output))
 
         if fingerprint is not None:
             print('Refreshing local keyring. Missing key: ' + fingerprint)

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git

More information about the Pkg-privacy-commits mailing list