| blob | 7faf4c31efbf0e89c984190aada272f66d35111c |
1 { lib
2 , writeShellScript
3 , coreutils
4 , gnused
5 , gnugrep
6 , curl
7 , gnupg
8 , nix
9 , common-updater-scripts
11 # options
12 , pname
13 , version
14 , meta
15 , baseUrl ? "https://dist.torproject.org/torbrowser/"
16 # name used to match published archive
17 , name ? "tor-browser"
18 , prerelease ? false
19 }:
21 let
22 versionMatch = if prerelease
23 then ''[0-9]+(\.[0-9]+)*.*''
24 else ''[0-9]+(\.[0-9]+)*'';
25 in writeShellScript "update-${pname}" ''
26 PATH="${lib.makeBinPath [ coreutils curl gnugrep gnused gnupg nix common-updater-scripts ]}"
27 set -euo pipefail
29 trap
31 url=${baseUrl}
32 version=$(curl -s $url \
33 | sed -rne 's,^.*href="(${versionMatch})/".*,\1,p' \
34 | sort --version-sort | tail -1)
36 if [[ "${version}" = "$version" ]]; then
37 echo "The new version same as the old version."
38 exit 0
39 fi
41 HOME=$(mktemp -d)
42 export GNUPGHOME=$(mktemp -d)
43 trap 'rm -rf "$HOME" "$GNUPGHOME"' EXIT
45 gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
46 gpg --output $HOME/tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
48 curl --silent --show-error --fail -o $HOME/shasums "$url$version/sha256sums-signed-build.txt"
49 curl --silent --show-error --fail -o $HOME/shasums.asc "$url$version/sha256sums-signed-build.txt.asc"
50 gpgv --keyring=$HOME/tor.keyring $HOME/shasums.asc $HOME/shasums
52 declare -A platforms=(
53 ['x86_64-linux']='linux-x86_64'
54 ['i686-linux']='linux-i686'
55 )
57 for platform in ${lib.escapeShellArgs meta.platforms}; do
58 arch="''${platforms[$platform]}"
59 sha256=$(grep "${name}-$arch-$version.tar.xz" "$HOME/shasums" | head -1 | cut -d" " -f1)
60 hash=$(nix hash to-sri --type sha256 "$sha256")
62 update-source-version "${pname}" "$version" "$hash" --ignore-same-version --source-key="sources.$platform"
63 done
64 ''