AladW
commented
9 years ago Well I do like drawing the gpg key and sources from different servers for added verification. Also, if possible awk should be used instead of a big grep/sed/sort e.a pipe.
Closed lucaspetter closed 9 years ago
AladW
commented
9 years ago Well I do like drawing the gpg key and sources from different servers for added verification. Also, if possible awk should be used instead of a big grep/sed/sort e.a pipe.
lucaspetter
commented
9 years ago @AladW
Well I do like drawing the gpg key and sources from different servers for added verification.
I think you mean the GPG signature file, not the key – right?
As long as we have the right GPG key in our keyring, then a cryptographic signature that passes verification is final proof that the file is authentic, as the key owner intended, and hasn't been modified by anyone. From the GnuPG documentation:
A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant. The GnuPG source distribution, for example, is signed so that users can verify that the source code has not been modified since it was packaged.
Even if dnscrypt-proxy-1.5.0.tar.gz and dnscrypt-proxy-1.5.0.tar.gz.sig were hosted on the same server, and an attacker gained control of that server and tampered with those files, the GPG verification would still fail as long as you had the right key in your GPG keyring. It would make no difference to verification if the files were hosted on different servers because GPG signatures are tamper-resistant.
We're relying on the key in the script being the correct one and not an impostor's key. Assuming we do have the right fingerprint in the script, there is some assurance that users' copies of the script aren't being modified in transit over the Internet because the script file is downloaded over HTTPS from GitHub, so everyone should have the right fingerprint.
So with the script's current setup, it's safe to have the files on either one server or different servers.
Also, if possible awk should be used instead of a big grep/sed/sort e.a pipe.
Yes, it's big. I don't know how to do it with awk, but I can omit sed and make it simpler.
LSODIUMVER=$(curl --retry 5 -L $LSODIUMURL | grep -o 'libsodium-1.[0-9].[0-9].tar.gz' | sort -u | tail -n 1 | grep -o '[0-9].[0-9].[0-9]')Yeah, I meant the sig, sorry. But your make a fair argument - I'll take a look at awk.
AladW
commented
9 years ago e.g
DNSCRYPTVER=$(curl -L $DNSCRYPTURL | awk -F'(.tar|proxy-)' '/proxy-1/ {v=$2}; END {print v}')There's also a LATEST tarball available? I think @simonclausen should have the last say here.
simonclausen
commented
9 years ago @lucaspetter makes a valid point about sticking within major version, as a major version change would probably mean a big change in functionality, resulting in big changes in these scripts.
This would rule out getting LATEST, since it will most likely break at some point in time. This makes me want to go for a logic that gets the lastest version, but within a defined major version.
I am assuming that @jedisct1 uses semantic versioning for dnscrypt-proxy and libsodium.
Does this sound good to you?
lucaspetter
commented
9 years ago @AladW Nice awk line. Can you update it so it gets versions only within 1.X.X?
FWIW, here's an updated version of my line. It now gets version numbers with multiple digits (eg. 1.5.10 and 1.0.123) and omits sort -u because the server list is already sorted.
DNSCRYPTVER=$(curl --retry 5 -L $DNSCRYPTURL | grep -Eo 'dnscrypt-proxy-1.[0-9]{1,4}.[0-9]{1,4}.tar.gz' | tail -n 1 | grep -Eo '[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}')Alright, I've replaced [1-9] with 1. Simulating curl output:
[think@arch ~]$ foo=$(awk -F'(.tar|proxy-)' '/proxy-1/ {v=$2}; END {print v}' <<< '<a href="dnscrypt-proxy-2.5.123.tar.bz2">dnscrypt-proxy-2.5.123.tar.bz2</a> 11-Jun-2015 05:46 1263253')
[think@arch ~]$ echo $foo
[think@arch ~]$ echo $bar
[think@arch ~]$ foo=$(awk -F'(.tar|proxy-)' '/proxy-1/ {v=$2}; END {print v}' <<< '<a href="dnscrypt-proxy-1.5.123.tar.bz2">dnscrypt-proxy-1.5.123.tar.bz2</a> 11-Jun-2015 05:46 1263253')
[think@arch ~]$ echo $foo
1.5.123Thanks, @AladW, I've committed your awk command. I think this is ready to merge now.
AladW
commented
9 years ago Done, cheers.
lucaspetter
commented
9 years ago Thanks
Automatically download the latest versions of dnscrypt-proxy and libsodium. We no longer have to update the script every time there's a version number change, the script gets the latest version numbers automatically. It's set to stick to the 1.X.X releases only, since we'll probably need to update the whole script when either one eventually reaches 2.X.X. Fixes #44, related to #31.
Download source files from
download.libsodium.organddownload.dnscrypt.org. This is to better facilitate automated downloading of the latest versions. While LSODIUMURL and DNSCRYPTURL were previously changed togithub.comin #22 / #23 due to problems with thedownload.libsodium.orgserver, there are 4 reasons why we should switch them back todownload.libsodium.organddownload.dnscrypt.org:download.libsodium.organddownload.dnscrypt.org, so it might as well get the source files there too. The signature files aren't hosted elsewhere. If the libsodium server has issues, the script will fail regardless..tar.gzor.tar.bz2, but not both (eg.dnscrypt-proxy-1.4.3.tar.gz,dnscrypt-proxy-1.5.0.tar.bz2). But the ones athttp://download.dnscrypt.org/dnscrypt-proxyare reliably released in both formats, which makes more sense for automated downloading of the latest version.https://download.libsodium.org/libsodium/releasesandhttp://download.dnscrypt.org/dnscrypt-proxythan through thegithub.comrelease pages.download.libsodium.orgis still having issues as reported in #22 / #23 nearly a year ago, then the server ought to be fixed.I've tested the changes and can confirm they're working.