mirror of
https://github.com/basicswap/basicswap.git
synced 2025-01-22 10:34:34 +00:00
preparescript: Add expected keyids.
This commit is contained in:
parent
0c2c86070f
commit
d47a69c7cb
1 changed files with 30 additions and 13 deletions
|
@ -55,7 +55,15 @@ known_coins = {
|
||||||
'litecoin': (LITECOIN_VERSION, LITECOIN_VERSION_TAG, ('thrasher',)),
|
'litecoin': (LITECOIN_VERSION, LITECOIN_VERSION_TAG, ('thrasher',)),
|
||||||
'bitcoin': (BITCOIN_VERSION, BITCOIN_VERSION_TAG, ('laanwj',)),
|
'bitcoin': (BITCOIN_VERSION, BITCOIN_VERSION_TAG, ('laanwj',)),
|
||||||
'namecoin': ('0.18.0', '', ('JeremyRand',)),
|
'namecoin': ('0.18.0', '', ('JeremyRand',)),
|
||||||
'monero': (MONERO_VERSION, MONERO_VERSION_TAG, ('',)),
|
'monero': (MONERO_VERSION, MONERO_VERSION_TAG, ('binaryfate',)),
|
||||||
|
}
|
||||||
|
|
||||||
|
expected_key_ids = {
|
||||||
|
'tecnovert': ('13F13651C9CF0D6B',),
|
||||||
|
'thrasher': ('FE3348877809386C',),
|
||||||
|
'laanwj': ('1E4AED62986CD25D',),
|
||||||
|
'JeremyRand': ('2DBE339E29F6294C',),
|
||||||
|
'binaryfate': ('F0AF4D462A0BDF92',),
|
||||||
}
|
}
|
||||||
|
|
||||||
if platform.system() == 'Darwin':
|
if platform.system() == 'Darwin':
|
||||||
|
@ -201,6 +209,15 @@ def testOnionLink():
|
||||||
logger.info('Onion links work.')
|
logger.info('Onion links work.')
|
||||||
|
|
||||||
|
|
||||||
|
def ensureValidSignatureBy(result, signing_key_name):
|
||||||
|
if result.valid is False \
|
||||||
|
and not (result.status == 'signature valid' and result.key_status == 'signing key has expired'):
|
||||||
|
raise ValueError('Signature verification failed.')
|
||||||
|
|
||||||
|
if result.key_id not in expected_key_ids[signing_key_name]:
|
||||||
|
raise ValueError('Signature made by unexpected keyid: ' + result.key_id)
|
||||||
|
|
||||||
|
|
||||||
def extractCore(coin, version_data, settings, bin_dir, release_path, extra_opts={}):
|
def extractCore(coin, version_data, settings, bin_dir, release_path, extra_opts={}):
|
||||||
version, version_tag, signers = version_data
|
version, version_tag, signers = version_data
|
||||||
logger.info('extractCore %s v%s%s', coin, version, version_tag)
|
logger.info('extractCore %s v%s%s', coin, version, version_tag)
|
||||||
|
@ -284,6 +301,7 @@ def prepareCore(coin, version_data, settings, data_dir, extra_opts={}):
|
||||||
if coin == 'particl':
|
if coin == 'particl':
|
||||||
filename_extra = PARTICL_LINUX_EXTRA
|
filename_extra = PARTICL_LINUX_EXTRA
|
||||||
|
|
||||||
|
signing_key_name = signers[0]
|
||||||
if coin == 'monero':
|
if coin == 'monero':
|
||||||
use_file_ext = 'tar.bz2' if FILE_EXT == 'tar.gz' else FILE_EXT
|
use_file_ext = 'tar.bz2' if FILE_EXT == 'tar.gz' else FILE_EXT
|
||||||
release_filename = '{}-{}-{}.{}'.format(coin, version, BIN_ARCH, use_file_ext)
|
release_filename = '{}-{}-{}.{}'.format(coin, version, BIN_ARCH, use_file_ext)
|
||||||
|
@ -302,7 +320,6 @@ def prepareCore(coin, version_data, settings, data_dir, extra_opts={}):
|
||||||
downloadFile(assert_url, assert_path)
|
downloadFile(assert_url, assert_path)
|
||||||
else:
|
else:
|
||||||
major_version = int(version.split('.')[0])
|
major_version = int(version.split('.')[0])
|
||||||
signing_key_name = signers[0]
|
|
||||||
release_filename = '{}-{}-{}{}.{}'.format(coin, version + version_tag, BIN_ARCH, filename_extra, FILE_EXT)
|
release_filename = '{}-{}-{}{}.{}'.format(coin, version + version_tag, BIN_ARCH, filename_extra, FILE_EXT)
|
||||||
if coin == 'particl':
|
if coin == 'particl':
|
||||||
release_url = 'https://github.com/particl/particl-core/releases/download/v{}/{}'.format(version + version_tag, release_filename)
|
release_url = 'https://github.com/particl/particl-core/releases/download/v{}/{}'.format(version + version_tag, release_filename)
|
||||||
|
@ -368,12 +385,11 @@ def prepareCore(coin, version_data, settings, data_dir, extra_opts={}):
|
||||||
verified = gpg.verify_file(fp)
|
verified = gpg.verify_file(fp)
|
||||||
|
|
||||||
if verified.username is None:
|
if verified.username is None:
|
||||||
logger.warning('Signature not verified.')
|
logger.warning('Signature made by unknown key.')
|
||||||
|
|
||||||
pubkeyurl = 'https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc'
|
pubkeyurl = 'https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc'
|
||||||
logger.info('Importing public key from url: ' + pubkeyurl)
|
logger.info('Importing public key from url: ' + pubkeyurl)
|
||||||
rv = gpg.import_keys(downloadBytes(pubkeyurl))
|
rv = gpg.import_keys(downloadBytes(pubkeyurl))
|
||||||
print('import_keys', rv)
|
|
||||||
assert('F0AF4D462A0BDF92' in rv.fingerprints[0])
|
assert('F0AF4D462A0BDF92' in rv.fingerprints[0])
|
||||||
gpg.trust_keys(rv.fingerprints[0], 'TRUST_FULLY')
|
gpg.trust_keys(rv.fingerprints[0], 'TRUST_FULLY')
|
||||||
with open(assert_path, 'rb') as fp:
|
with open(assert_path, 'rb') as fp:
|
||||||
|
@ -383,7 +399,7 @@ def prepareCore(coin, version_data, settings, data_dir, extra_opts={}):
|
||||||
verified = gpg.verify_file(fp, assert_path)
|
verified = gpg.verify_file(fp, assert_path)
|
||||||
|
|
||||||
if verified.username is None:
|
if verified.username is None:
|
||||||
logger.warning('Signature not verified.')
|
logger.warning('Signature made by unknown key.')
|
||||||
|
|
||||||
filename = '{}_{}.pgp'.format(coin, signing_key_name)
|
filename = '{}_{}.pgp'.format(coin, signing_key_name)
|
||||||
pubkeyurls = (
|
pubkeyurls = (
|
||||||
|
@ -396,7 +412,7 @@ def prepareCore(coin, version_data, settings, data_dir, extra_opts={}):
|
||||||
rv = gpg.import_keys(downloadBytes(url))
|
rv = gpg.import_keys(downloadBytes(url))
|
||||||
break
|
break
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print('Import from url failed', e)
|
logging.warning('Import from url failed: %s', str(e))
|
||||||
|
|
||||||
for key in rv.fingerprints:
|
for key in rv.fingerprints:
|
||||||
gpg.trust_keys(key, 'TRUST_FULLY')
|
gpg.trust_keys(key, 'TRUST_FULLY')
|
||||||
|
@ -404,9 +420,7 @@ def prepareCore(coin, version_data, settings, data_dir, extra_opts={}):
|
||||||
with open(assert_sig_path, 'rb') as fp:
|
with open(assert_sig_path, 'rb') as fp:
|
||||||
verified = gpg.verify_file(fp, assert_path)
|
verified = gpg.verify_file(fp, assert_path)
|
||||||
|
|
||||||
if verified.valid is False \
|
ensureValidSignatureBy(verified, signing_key_name)
|
||||||
and not (verified.status == 'signature valid' and verified.key_status == 'signing key has expired'):
|
|
||||||
raise ValueError('Signature verification failed.')
|
|
||||||
|
|
||||||
extractCore(coin, version_data, settings, bin_dir, release_path, extra_opts)
|
extractCore(coin, version_data, settings, bin_dir, release_path, extra_opts)
|
||||||
|
|
||||||
|
@ -540,6 +554,11 @@ def prepareDataDir(coin, settings, chain, particl_mnemonic, extra_opts={}):
|
||||||
if coin == 'bitcoin' and extra_opts.get('use_btc_fastsync', False) is True:
|
if coin == 'bitcoin' and extra_opts.get('use_btc_fastsync', False) is True:
|
||||||
logger.info('Initialising BTC chain with fastsync %s', BITCOIN_FASTSYNC_FILE)
|
logger.info('Initialising BTC chain with fastsync %s', BITCOIN_FASTSYNC_FILE)
|
||||||
base_dir = extra_opts['data_dir']
|
base_dir = extra_opts['data_dir']
|
||||||
|
|
||||||
|
for dirname in ('blocks', 'chainstate'):
|
||||||
|
if os.path.exists(os.path.join(data_dir, dirname)):
|
||||||
|
raise ValueError(f'{dirname} directory already exists, not overwriting.')
|
||||||
|
|
||||||
sync_file_path = os.path.join(base_dir, BITCOIN_FASTSYNC_FILE)
|
sync_file_path = os.path.join(base_dir, BITCOIN_FASTSYNC_FILE)
|
||||||
if not os.path.exists(sync_file_path):
|
if not os.path.exists(sync_file_path):
|
||||||
sync_file_url = os.path.join(BITCOIN_FASTSYNC_URL, BITCOIN_FASTSYNC_FILE)
|
sync_file_url = os.path.join(BITCOIN_FASTSYNC_URL, BITCOIN_FASTSYNC_FILE)
|
||||||
|
@ -557,14 +576,12 @@ def prepareDataDir(coin, settings, chain, particl_mnemonic, extra_opts={}):
|
||||||
downloadFile(url, asc_file_path)
|
downloadFile(url, asc_file_path)
|
||||||
break
|
break
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print('Download failed', e)
|
logging.warning('Download failed: %s', str(e))
|
||||||
gpg = gnupg.GPG()
|
gpg = gnupg.GPG()
|
||||||
with open(asc_file_path, 'rb') as fp:
|
with open(asc_file_path, 'rb') as fp:
|
||||||
verified = gpg.verify_file(fp, sync_file_path)
|
verified = gpg.verify_file(fp, sync_file_path)
|
||||||
|
|
||||||
if verified.valid is False \
|
ensureValidSignatureBy(verified, 'tecnovert')
|
||||||
and not (verified.status == 'signature valid' and verified.key_status == 'signing key has expired'):
|
|
||||||
raise ValueError('Signature verification failed.')
|
|
||||||
|
|
||||||
with tarfile.open(sync_file_path) as ft:
|
with tarfile.open(sync_file_path) as ft:
|
||||||
ft.extractall(path=data_dir)
|
ft.extractall(path=data_dir)
|
||||||
|
|
Loading…
Reference in a new issue