firefox-bin: Add gpg verification to updater (#22270)

2017-02-19 13:33:31 -05:00 · 2017-02-19 13:33:31 -05:00 · a21455d989
commit a21455d989
parent 4129697445
3 changed files with 77 additions and 5 deletions
--- a/pkgs/applications/networking/browsers/firefox-bin/default.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/default.nix
@ -43,6 +43,7 @@
 , coreutils
 , gnused
 , gnugrep
+, gnupg
 }:

 assert stdenv.isLinux;
@ -173,7 +174,7 @@ stdenv.mkDerivation {

  passthru.ffmpegSupport = true;
  passthru.updateScript = import ./update.nix {
-    inherit name writeScript xidel coreutils gnused gnugrep curl;
+    inherit name writeScript xidel coreutils gnused gnugrep gnupg curl;
  };
  meta = with stdenv.lib; {
    description = "Mozilla Firefox, free web browser (binary package)";
--- a/pkgs/applications/networking/browsers/firefox-bin/firefox.key
+++ b/pkgs/applications/networking/browsers/firefox-bin/firefox.key
@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFWpQAQBEAC+9wVlwGLy8ILCybLesuB3KkHHK+Yt1F1PJaI30X448ttGzxCz
+PQpH6BoA73uzcTReVjfCFGvM4ij6qVV2SNaTxmNBrL1uVeEUsCuGduDUQMQYRGxR
+tWq5rCH48LnltKPamPiEBzrgFL3i5bYEUHO7M0lATEknG7Iaz697K/ssHREZfuuc
+B4GNxXMgswZ7GTZO3VBDVEw5GwU3sUvww93TwMC29lIPCux445AxZPKr5sOVEsEn
+dUB2oDMsSAoS/dZcl8F4otqfR1pXg618cU06omvq5yguWLDRV327BLmezYK0prD3
+P+7qwEp8MTVmxlbkrClS5j5pR47FrJGdyupNKqLzK+7hok5kBxhsdMsdTZLd4tVR
+jXf04isVO3iFFf/GKuwscOi1+ZYeB3l3sAqgFUWnjbpbHxfslTmo7BgvmjZvAH5Z
+asaewF3wA06biCDJdcSkC9GmFPmN5DS5/Dkjwfj8+dZAttuSKfmQQnypUPaJ2sBu
+blnJ6INpvYgsEZjV6CFG1EiDJDPu2Zxap8ep0iRMbBBZnpfZTn7SKAcurDJptxin
+CRclTcdOdi1iSZ35LZW0R2FKNnGL33u1IhxU9HRLw3XuljXCOZ84RLn6M+PBc1eZ
+suv1TA+Mn111yD3uDv/u/edZ/xeJccF6bYcMvUgRRZh0sgZ0ZT4b0Q6YcQARAQAB
+tC9Nb3ppbGxhIFNvZnR3YXJlIFJlbGVhc2VzIDxyZWxlYXNlQG1vemlsbGEuY29t
+PokCOAQTAQIAIgUCValABAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ
+Ybe1JtmPA1NQqg//Rr6/V7uLqrIwx0UFknyNJasRJZhUkYxdGsLD18zO0Na8Ve3Q
+sYpOC3ojpqaFUzpqm6KNv8eXfd/Ku7j3WGr9kPkbjZNghvy6V5Lva4JkxO6LMxKk
+JYqiqF2o1Gfda8NfcK08GFy4C0L8zNwlADvmdMo4382tmHNGbTTft7BeVaRrE9xW
+9eGmGQ2jYOsjxb5MsadAdZUuK8IC95ZHlUDR3gH9KqhfbQWp5Bo924Kiv+f2JUzN
+rrG98eOm1Qb8F9rePzZ2DOYRJyOe4p8Gpl+kojCXNntkJgcwJ1a1yRE6wy9RzpeB
+lCeoQuLS92MNne+deQZUskTZFoYXUadf6vbdfqL0nuPCKdl9lhef1QNwE30IRymt
+6fhJCFffFQjGdeMfSiCHgcI8ichQbrzhBCGGR3bAHan9c2EbQ+puqG3Aa0YjX6Db
+GJjWOI6A61bqSPepLCMVaXqV2mZEIaZWdZkOHjnRrU6CJdXG/+D4m1YBZwYM60eJ
+kNu4eMMwMFnRsHiWf7bhqKptwuk8HyIGp2o4j8iqrFRVJEbK/ctdhA3H1AlKug9f
+NrfwCfqhNCSBju97V03U26j04JMn9nrZ2UEGbpty+8ONTb38WX5/oC61BgwV8Ki4
+6Lwyb7fImUzz8jE83pjh7s3+NCKvvbH+VfT12f+V/fsphN3EwGwJPTC3fX25Ag0E
+ValA9AEQAK/z677fpoVUj4zQz0g60wVWf+1y2lGb8iFYICmvrJyaEra5SRkyihYA
+1WmEzhN4T//tHw3UIfe646+GkY3eIQW2jY9DM2XaElmMN8k/v54nbn5oD7rNEyCT
+FTvCOq5d74HH1vw96Lzay1vy45E7jPWvqfg9Se8KAnzElohTJjizyhU+0QbmPHnQ
+lY8gOkT/SvRo9bFEUnqjWh0fRq+K1tdLPhcFB1scc25iFqh9IAKUGDur8jQ+SDHC
+jgQlkFOg3rbqtaUOnVHPohfrBM90ZNwuneFgQY7ZFSUidCimp/EN4CXnzgjDYXUU
+A42S8G86+G4KAJC22gRQo4mcVmehwHTH0glfLmUK7TEu29A1KWNL3R/R7Zdyajjp
+CvUaK2A0Abj3ZE2BSDbJrVlbBVfy5kfPdZjhd3wUWqFaDHiVcImcjZRWPncllhcy
+6fhqEy3ELZrkezpJjnARsVkij3GXz6oX+HVULne2w0dkTXydR6muZI/GeNtrLHmA
+8B3/0/TllmLy8ChmYZVIKZ8zt1ghq3f+hFTXgtZil7eBewZgA6L+EXXK6dZj14lb
+e6CMS2kungTX9stU1s42I+WRbiqiLpAxCX6qcLBOWrJwsOep2nvu5bhrPHptSfRh
+F4Vs1xteVFckCWhcLgdYi/Je1XBEM+AAVa0k1FiywCg7MqlG6toLABEBAAGJBEQE
+GAECAA8FAlWpQPQCGwIFCQPCZwACKQkQYbe1JtmPA1PBXSAEGQECAAYFAlWpQPQA
+CgkQHGnE5V6ZBdsvxQ/6A62ZteN0b/TVfSJ51SdG66amwe2rpRX4UdSw7ifxo3qh
+gEICQmXR5c09qXwl17MFJWM3FhGrbxnA5KGgeWGtqrPup4QZPKU+l2Ea2QLSJSiB
+q5QqqEgZvR14Lhr/hCGhBAq9s/xbp8fbKNJj/uWiZ+uTPbt5T5rgKJ4+g3B6DNO1
+rH7F70OLrd32mxZs4pSxngHRAyiMPB59yQVDsVMha0JTqC+P96itUzvnInc/9mwE
+0EMiBtpDTkoBwbJVPnuv+7FjkOLn5s5u3RLH9fe8z1xnV0fPC0/ndrlNiuBpAn3z
+VCsWasvW18Vz8K+CQY8Sw0Jw75edBgFoz2QMFxHfDpMJefvMadB7mdte1lKk/Im9
+KFFH8Idh9b6zD0a/+Ooujukx6QpFfAVhe2sT2CIm2nmMAuAZI2cCt7SC+REn9n9M
+SuIWxN8YTE3qgAUB6F3ea0O0hGlLl+z5UOfX0bNAs+ebx/P6PczJtDzeqpmRb0QX
+qo55JWXLvmXT/fgjF7fNTTLsyCtV+xH6ZFKGpvGJGJMHApEbz2a0hy12RZH58eI1
+ueN3Tzn8nI57+oYSsqFw/QgcdGXDonLGJsPVzIpQRg92/GXSukWF+MsCjVOilHRS
+Y1wfPPmJ7+kMQ4rdXpjAhwNYJc1ff5N+omCxCKoFgYsCXlFCHFKs4JwRbTdd3Mku
+qBAAlBlIjym8NyJIBltfWckuhQTX4BiBltGPNga9CpQsml519EePuLtoe5H0fTUp
+4UYbL0ZzyJImQE2uw/hMNZ36bA057YtHOoP4FcPUwv6wsl5JC87UR1XFhAXb5xSU
+0qdi3hWh0hm772X6CBlM8lM6GtT/fDZkSGNXMQaIs1X/O9vf8wGg+HwLJcaCvybI
+4w7w1K0R7WjWZlJXutCZf8hRc0d88W/qSZYooKD9q2S7foqaJhySIaF11sH5ETvV
+P3oCfGVIVhKWb0Tp2jXPXlXLeRAQA8S+4B1o5XHiM+J3SNXhPQHRGQ3VGcDn45it
+g3F4xQX2Qvo4SV42NMYd6TykM/dIfQyJDOVg3CT3+nqfjCknf94SNvyZprHEPmpc
+DeseoPMw8kjKNwDwPXFLxBRntPgnqVXDcNN41OH2kqx4jF7FLlRmwNpB2mFVH8xe
+VuRm7h2WZRsaEoqvivhzRtESVA2um5Eg763CVTcNYlK6MD/iy8JzbMuZBrlOHr58
+HKDdcOy1W0z2quESGoqrwA995IgPav/1DSpyuJPNc/oUTWlhpYshqYKoflezAyKj
+30+UzC3R/mY03ri6zUvCgXHNgZlKUsM3VEXk6h5oDuaXniHLLzuxjTBVrILnGYgH
+SFRP80L/knz+o4Uvq4wj7NHnruc5fP1foFxRNsMt40yRJfU=
+=D+jC
+-----END PGP PUBLIC KEY BLOCK-----
--- a/pkgs/applications/networking/browsers/firefox-bin/update.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/update.nix
@ -5,8 +5,9 @@
 , gnused
 , gnugrep
 , curl
+, gnupg
 , baseName ? "firefox"
-, basePath ? "pkgs/applications/networking/browsers/firefox-bin" 
+, basePath ? "pkgs/applications/networking/browsers/firefox-bin"
 , baseUrl ? "http://archive.mozilla.org/pub/firefox/releases/"
 }:

@ -14,10 +15,13 @@ let
  version = (builtins.parseDrvName name).version;
  isBeta = builtins.stringLength version + 1 == builtins.stringLength (builtins.replaceStrings ["b"] ["bb"] version);
 in writeScript "update-${baseName}-bin" ''
-  PATH=${coreutils}/bin:${gnused}/bin:${gnugrep}/bin:${xidel}/bin:${curl}/bin
-
+  PATH=${coreutils}/bin:${gnused}/bin:${gnugrep}/bin:${xidel}/bin:${curl}/bin:${gnupg}/bin
+  set -eux
  pushd ${basePath}

+  HOME=`mktemp -d`
+  cat ${./firefox.key} | gpg2 --import
+
  tmpfile=`mktemp`
  url=${baseUrl}

@ -39,8 +43,12 @@ in writeScript "update-${baseName}-bin" ''
           grep -e "${if isBeta then "b" else ""}\([[:digit:]]\|[[:digit:]][[:digit:]]\)$" | ${if isBeta then "" else "grep -v \"b\" |"} \
           tail -1`

+  curl --silent -o $HOME/shasums "$url$version/SHA512SUMS"
+  curl --silent -o $HOME/shasums.asc "$url$version/SHA512SUMS.asc"
+  gpgv2 --keyring=$HOME/.gnupg/pubring.kbx $HOME/shasums.asc $HOME/shasums
+
  # this is a list of sha512 and tarballs for both arches
-  shasums=`curl --silent $url$version/SHA512SUMS`
+  shasums=`cat $HOME/shasums`

  cat > $tmpfile <<EOF
  {