[tor-commits] [arm/release] Fetching / validating lib dependencies via mirror
atagar at torproject.org
atagar at torproject.org
Sun Jul 17 06:08:23 UTC 2011
commit 1419b8997ec348092b2bd98fa3d596f491321c3a
Author: Damian Johnson <atagar at torproject.org>
Date: Fri Jun 10 18:39:24 2011 -0700
Fetching / validating lib dependencies via mirror
When needed we fetch torctl and cagraph (small library dependencies of arm)
from a mirror on my site and verify their sha256 signatures against hardcoded
values. Issue caught by Sebastian and rransom.
---
src/prereq.py | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 53 insertions(+), 5 deletions(-)
diff --git a/src/prereq.py b/src/prereq.py
index 93d9de3..ba1e988 100644
--- a/src/prereq.py
+++ b/src/prereq.py
@@ -5,8 +5,19 @@ Provides a warning and error code if python version isn't compatible.
import os
import sys
import shutil
+import urllib
+import hashlib
+import tarfile
import tempfile
+# Library dependencies can be fetched on request. By default this is via
+# the following mirrors with their sha256 signatures checked.
+TORCTL_ARCHIVE = "http://www.atagar.com/arm/resources/deps/11-6-10/torctl.tar.gz"
+TORCTL_SIG = "be583e53b2bccf09a7126c5271f9af5682447903b6ac92cf1cf78ca5b35273ed"
+CAGRAPH_ARCHIVE = "http://www.atagar.com/arm/resources/deps/11-6-10/cagraph.tar.gz"
+CAGRAPH_SIG = "1439acd40ce016f4329deb216d86f36a749e4b8bf73a313a757396af6f95310d"
+
+# optionally we can do an unverified fetch from the library's sources
TORCTL_REPO = "git://git.torproject.org/pytorctl.git"
CAGRAPH_TARBALL_URL = "http://cagraph.googlecode.com/files/cagraph-1.2.tar.gz"
CAGRAPH_TARBALL_NAME = "cagraph-1.2.tar.gz"
@@ -46,7 +57,7 @@ def promptTorCtlInstall():
# attempt to install TorCtl, printing the issue if unsuccessful
try:
- installTorCtl()
+ fetchLibrary(TORCTL_ARCHIVE, TORCTL_SIG)
if not isTorCtlAvailable():
raise IOError("Unable to install TorCtl, sorry")
@@ -70,7 +81,7 @@ def promptCagraphInstall():
# attempt to install cagraph, printing the issue if unsuccessful
try:
- installCagraph()
+ fetchLibrary(CAGRAPH_ARCHIVE, CAGRAPH_SIG)
if not isCagraphAvailable():
raise IOError("Unable to install cagraph, sorry")
@@ -81,6 +92,43 @@ def promptCagraphInstall():
print exc
return False
+def fetchLibrary(url, sig):
+ """
+ Downloads the given archive, verifies its signature, then installs the
+ library. This raises an IOError if any of these steps fail.
+
+ Arguments:
+ url - url from which to fetch the gzipped tarball
+ sig - sha256 signature for the archive
+ """
+
+ tmpDir = tempfile.mkdtemp()
+ destination = tmpDir + "/" + url.split("/")[-1]
+ urllib.urlretrieve(url, destination)
+
+ # checks the signature, reading the archive in 256-byte chunks
+ m = hashlib.sha256()
+ fd = open(destination, "rb")
+
+ while True:
+ data = fd.read(256)
+ if not data: break
+ m.update(data)
+
+ fd.close()
+ actualSig = m.hexdigest()
+
+ if sig != actualSig:
+ raise IOError("Signature of the library is incorrect (got '%s' rather than '%s')" % (actualSig, sig))
+
+ # extracts the tarball
+ tarFd = tarfile.open(destination, 'r:gz')
+ tarFd.extractall("src/")
+ tarFd.close()
+
+ # clean up the temporary contents (fails quietly if unsuccessful)
+ shutil.rmtree(destination, ignore_errors=True)
+
def installTorCtl():
"""
Checks out the current git head release for TorCtl and bundles it with arm.
@@ -110,8 +158,8 @@ def installTorCtl():
def installCagraph():
"""
- Downloads and extracts the cagraph tarball.
- This raises an IOError if unsuccessful.
+ Downloads and extracts the cagraph tarball. This raises an IOError if
+ unsuccessful.
"""
if isCagraphAvailable(): return
@@ -119,7 +167,7 @@ def installCagraph():
tmpDir = tempfile.mkdtemp()
tmpFilename = os.path.join(tmpDir, CAGRAPH_TARBALL_NAME)
- exitStatus = os.system("wget -P %s %s" % (tmpDir, CAGRAPH_TARBALL_URL))
+ exitStatus = os.system("wget --quiet -P %s %s" % (tmpDir, CAGRAPH_TARBALL_URL))
if exitStatus: raise IOError("Unable to fetch cagraph from %s. Is wget installed?" % CAGRAPH_TARBALL_URL)
# the destination for cagraph will be our directory
More information about the tor-commits
mailing list