firefox-bin: Add gpg verification to updater (#22270)

This commit is contained in:
Graham Christensen 2017-02-19 13:33:31 -05:00 committed by zimbatm
parent 4129697445
commit a21455d989
3 changed files with 77 additions and 5 deletions

View file

@ -43,6 +43,7 @@
, coreutils
, gnused
, gnugrep
, gnupg
}:
assert stdenv.isLinux;
@ -173,7 +174,7 @@ stdenv.mkDerivation {
passthru.ffmpegSupport = true;
passthru.updateScript = import ./update.nix {
inherit name writeScript xidel coreutils gnused gnugrep curl;
inherit name writeScript xidel coreutils gnused gnugrep gnupg curl;
};
meta = with stdenv.lib; {
description = "Mozilla Firefox, free web browser (binary package)";

View file

@ -0,0 +1,63 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFWpQAQBEAC+9wVlwGLy8ILCybLesuB3KkHHK+Yt1F1PJaI30X448ttGzxCz
PQpH6BoA73uzcTReVjfCFGvM4ij6qVV2SNaTxmNBrL1uVeEUsCuGduDUQMQYRGxR
tWq5rCH48LnltKPamPiEBzrgFL3i5bYEUHO7M0lATEknG7Iaz697K/ssHREZfuuc
B4GNxXMgswZ7GTZO3VBDVEw5GwU3sUvww93TwMC29lIPCux445AxZPKr5sOVEsEn
dUB2oDMsSAoS/dZcl8F4otqfR1pXg618cU06omvq5yguWLDRV327BLmezYK0prD3
P+7qwEp8MTVmxlbkrClS5j5pR47FrJGdyupNKqLzK+7hok5kBxhsdMsdTZLd4tVR
jXf04isVO3iFFf/GKuwscOi1+ZYeB3l3sAqgFUWnjbpbHxfslTmo7BgvmjZvAH5Z
asaewF3wA06biCDJdcSkC9GmFPmN5DS5/Dkjwfj8+dZAttuSKfmQQnypUPaJ2sBu
blnJ6INpvYgsEZjV6CFG1EiDJDPu2Zxap8ep0iRMbBBZnpfZTn7SKAcurDJptxin
CRclTcdOdi1iSZ35LZW0R2FKNnGL33u1IhxU9HRLw3XuljXCOZ84RLn6M+PBc1eZ
suv1TA+Mn111yD3uDv/u/edZ/xeJccF6bYcMvUgRRZh0sgZ0ZT4b0Q6YcQARAQAB
tC9Nb3ppbGxhIFNvZnR3YXJlIFJlbGVhc2VzIDxyZWxlYXNlQG1vemlsbGEuY29t
PokCOAQTAQIAIgUCValABAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ
Ybe1JtmPA1NQqg//Rr6/V7uLqrIwx0UFknyNJasRJZhUkYxdGsLD18zO0Na8Ve3Q
sYpOC3ojpqaFUzpqm6KNv8eXfd/Ku7j3WGr9kPkbjZNghvy6V5Lva4JkxO6LMxKk
JYqiqF2o1Gfda8NfcK08GFy4C0L8zNwlADvmdMo4382tmHNGbTTft7BeVaRrE9xW
9eGmGQ2jYOsjxb5MsadAdZUuK8IC95ZHlUDR3gH9KqhfbQWp5Bo924Kiv+f2JUzN
rrG98eOm1Qb8F9rePzZ2DOYRJyOe4p8Gpl+kojCXNntkJgcwJ1a1yRE6wy9RzpeB
lCeoQuLS92MNne+deQZUskTZFoYXUadf6vbdfqL0nuPCKdl9lhef1QNwE30IRymt
6fhJCFffFQjGdeMfSiCHgcI8ichQbrzhBCGGR3bAHan9c2EbQ+puqG3Aa0YjX6Db
GJjWOI6A61bqSPepLCMVaXqV2mZEIaZWdZkOHjnRrU6CJdXG/+D4m1YBZwYM60eJ
kNu4eMMwMFnRsHiWf7bhqKptwuk8HyIGp2o4j8iqrFRVJEbK/ctdhA3H1AlKug9f
NrfwCfqhNCSBju97V03U26j04JMn9nrZ2UEGbpty+8ONTb38WX5/oC61BgwV8Ki4
6Lwyb7fImUzz8jE83pjh7s3+NCKvvbH+VfT12f+V/fsphN3EwGwJPTC3fX25Ag0E
ValA9AEQAK/z677fpoVUj4zQz0g60wVWf+1y2lGb8iFYICmvrJyaEra5SRkyihYA
1WmEzhN4T//tHw3UIfe646+GkY3eIQW2jY9DM2XaElmMN8k/v54nbn5oD7rNEyCT
FTvCOq5d74HH1vw96Lzay1vy45E7jPWvqfg9Se8KAnzElohTJjizyhU+0QbmPHnQ
lY8gOkT/SvRo9bFEUnqjWh0fRq+K1tdLPhcFB1scc25iFqh9IAKUGDur8jQ+SDHC
jgQlkFOg3rbqtaUOnVHPohfrBM90ZNwuneFgQY7ZFSUidCimp/EN4CXnzgjDYXUU
A42S8G86+G4KAJC22gRQo4mcVmehwHTH0glfLmUK7TEu29A1KWNL3R/R7Zdyajjp
CvUaK2A0Abj3ZE2BSDbJrVlbBVfy5kfPdZjhd3wUWqFaDHiVcImcjZRWPncllhcy
6fhqEy3ELZrkezpJjnARsVkij3GXz6oX+HVULne2w0dkTXydR6muZI/GeNtrLHmA
8B3/0/TllmLy8ChmYZVIKZ8zt1ghq3f+hFTXgtZil7eBewZgA6L+EXXK6dZj14lb
e6CMS2kungTX9stU1s42I+WRbiqiLpAxCX6qcLBOWrJwsOep2nvu5bhrPHptSfRh
F4Vs1xteVFckCWhcLgdYi/Je1XBEM+AAVa0k1FiywCg7MqlG6toLABEBAAGJBEQE
GAECAA8FAlWpQPQCGwIFCQPCZwACKQkQYbe1JtmPA1PBXSAEGQECAAYFAlWpQPQA
CgkQHGnE5V6ZBdsvxQ/6A62ZteN0b/TVfSJ51SdG66amwe2rpRX4UdSw7ifxo3qh
gEICQmXR5c09qXwl17MFJWM3FhGrbxnA5KGgeWGtqrPup4QZPKU+l2Ea2QLSJSiB
q5QqqEgZvR14Lhr/hCGhBAq9s/xbp8fbKNJj/uWiZ+uTPbt5T5rgKJ4+g3B6DNO1
rH7F70OLrd32mxZs4pSxngHRAyiMPB59yQVDsVMha0JTqC+P96itUzvnInc/9mwE
0EMiBtpDTkoBwbJVPnuv+7FjkOLn5s5u3RLH9fe8z1xnV0fPC0/ndrlNiuBpAn3z
VCsWasvW18Vz8K+CQY8Sw0Jw75edBgFoz2QMFxHfDpMJefvMadB7mdte1lKk/Im9
KFFH8Idh9b6zD0a/+Ooujukx6QpFfAVhe2sT2CIm2nmMAuAZI2cCt7SC+REn9n9M
SuIWxN8YTE3qgAUB6F3ea0O0hGlLl+z5UOfX0bNAs+ebx/P6PczJtDzeqpmRb0QX
qo55JWXLvmXT/fgjF7fNTTLsyCtV+xH6ZFKGpvGJGJMHApEbz2a0hy12RZH58eI1
ueN3Tzn8nI57+oYSsqFw/QgcdGXDonLGJsPVzIpQRg92/GXSukWF+MsCjVOilHRS
Y1wfPPmJ7+kMQ4rdXpjAhwNYJc1ff5N+omCxCKoFgYsCXlFCHFKs4JwRbTdd3Mku
qBAAlBlIjym8NyJIBltfWckuhQTX4BiBltGPNga9CpQsml519EePuLtoe5H0fTUp
4UYbL0ZzyJImQE2uw/hMNZ36bA057YtHOoP4FcPUwv6wsl5JC87UR1XFhAXb5xSU
0qdi3hWh0hm772X6CBlM8lM6GtT/fDZkSGNXMQaIs1X/O9vf8wGg+HwLJcaCvybI
4w7w1K0R7WjWZlJXutCZf8hRc0d88W/qSZYooKD9q2S7foqaJhySIaF11sH5ETvV
P3oCfGVIVhKWb0Tp2jXPXlXLeRAQA8S+4B1o5XHiM+J3SNXhPQHRGQ3VGcDn45it
g3F4xQX2Qvo4SV42NMYd6TykM/dIfQyJDOVg3CT3+nqfjCknf94SNvyZprHEPmpc
DeseoPMw8kjKNwDwPXFLxBRntPgnqVXDcNN41OH2kqx4jF7FLlRmwNpB2mFVH8xe
VuRm7h2WZRsaEoqvivhzRtESVA2um5Eg763CVTcNYlK6MD/iy8JzbMuZBrlOHr58
HKDdcOy1W0z2quESGoqrwA995IgPav/1DSpyuJPNc/oUTWlhpYshqYKoflezAyKj
30+UzC3R/mY03ri6zUvCgXHNgZlKUsM3VEXk6h5oDuaXniHLLzuxjTBVrILnGYgH
SFRP80L/knz+o4Uvq4wj7NHnruc5fP1foFxRNsMt40yRJfU=
=D+jC
-----END PGP PUBLIC KEY BLOCK-----

View file

@ -5,8 +5,9 @@
, gnused
, gnugrep
, curl
, gnupg
, baseName ? "firefox"
, basePath ? "pkgs/applications/networking/browsers/firefox-bin"
, basePath ? "pkgs/applications/networking/browsers/firefox-bin"
, baseUrl ? "http://archive.mozilla.org/pub/firefox/releases/"
}:
@ -14,10 +15,13 @@ let
version = (builtins.parseDrvName name).version;
isBeta = builtins.stringLength version + 1 == builtins.stringLength (builtins.replaceStrings ["b"] ["bb"] version);
in writeScript "update-${baseName}-bin" ''
PATH=${coreutils}/bin:${gnused}/bin:${gnugrep}/bin:${xidel}/bin:${curl}/bin
PATH=${coreutils}/bin:${gnused}/bin:${gnugrep}/bin:${xidel}/bin:${curl}/bin:${gnupg}/bin
set -eux
pushd ${basePath}
HOME=`mktemp -d`
cat ${./firefox.key} | gpg2 --import
tmpfile=`mktemp`
url=${baseUrl}
@ -39,8 +43,12 @@ in writeScript "update-${baseName}-bin" ''
grep -e "${if isBeta then "b" else ""}\([[:digit:]]\|[[:digit:]][[:digit:]]\)$" | ${if isBeta then "" else "grep -v \"b\" |"} \
tail -1`
curl --silent -o $HOME/shasums "$url$version/SHA512SUMS"
curl --silent -o $HOME/shasums.asc "$url$version/SHA512SUMS.asc"
gpgv2 --keyring=$HOME/.gnupg/pubring.kbx $HOME/shasums.asc $HOME/shasums
# this is a list of sha512 and tarballs for both arches
shasums=`curl --silent $url$version/SHA512SUMS`
shasums=`cat $HOME/shasums`
cat > $tmpfile <<EOF
{