c1623f47f1
https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/
94 lines
2.7 KiB
Nix
94 lines
2.7 KiB
Nix
{ pname
|
|
, channel
|
|
, lib
|
|
, writeScript
|
|
, xidel
|
|
, coreutils
|
|
, gnused
|
|
, gnugrep
|
|
, curl
|
|
, gnupg
|
|
, runtimeShell
|
|
, baseName ? "firefox"
|
|
, basePath ? "pkgs/applications/networking/browsers/firefox-bin"
|
|
, baseUrl
|
|
}:
|
|
|
|
let
|
|
isBeta =
|
|
channel != "release";
|
|
|
|
in writeScript "update-${pname}" ''
|
|
#!${runtimeShell}
|
|
PATH=${coreutils}/bin:${gnused}/bin:${gnugrep}/bin:${xidel}/bin:${curl}/bin:${gnupg}/bin
|
|
set -eux
|
|
pushd ${basePath}
|
|
|
|
HOME=`mktemp -d`
|
|
export GNUPGHOME=`mktemp -d`
|
|
|
|
gpg --receive-keys ADD7079479700DCADFDD5337E36D3B13F3D93274
|
|
|
|
tmpfile=`mktemp`
|
|
url=${baseUrl}
|
|
|
|
# retriving latest released version
|
|
# - extracts all links from the $url
|
|
# - removes . and ..
|
|
# - this line remove everything not starting with a number
|
|
# - this line sorts everything with semver in mind
|
|
# - we remove lines that are mentioning funnelcake
|
|
# - this line removes beta version if we are looking for final release
|
|
# versions or removes release versions if we are looking for beta
|
|
# versions
|
|
# - this line pick up latest release
|
|
version=`xidel -s $url --extract "//a" | \
|
|
sed s"/.$//" | \
|
|
grep "^[0-9]" | \
|
|
sort --version-sort | \
|
|
grep -v "funnelcake" | \
|
|
grep -e "${lib.optionalString isBeta "b"}\([[:digit:]]\|[[:digit:]][[:digit:]]\)$" | ${lib.optionalString (!isBeta) "grep -v \"b\" |"} \
|
|
tail -1`
|
|
|
|
curl --silent -o $HOME/shasums "$url$version/SHA256SUMS"
|
|
curl --silent -o $HOME/shasums.asc "$url$version/SHA256SUMS.asc"
|
|
gpgv --keyring=$GNUPGHOME/pubring.kbx $HOME/shasums.asc $HOME/shasums
|
|
|
|
# this is a list of sha256 and tarballs for both arches
|
|
# Upstream files contains python repr strings like b'somehash', hence the sed dance
|
|
shasums=`cat $HOME/shasums | sed -E s/"b'([a-f0-9]{64})'?(.*)"/'\1\2'/ | grep tar.bz2`
|
|
|
|
cat > $tmpfile <<EOF
|
|
{
|
|
version = "$version";
|
|
sources = [
|
|
EOF
|
|
for arch in linux-x86_64 linux-i686; do
|
|
# retriving a list of all tarballs for each arch
|
|
# - only select tarballs for current arch
|
|
# - only select tarballs for current version
|
|
# - rename space with colon so that for loop doesnt
|
|
# - inteprets sha and path as 2 lines
|
|
for line in `echo "$shasums" | \
|
|
grep $arch | \
|
|
grep "${baseName}-$version.tar.bz2$" | \
|
|
tr " " ":"`; do
|
|
# create an entry for every locale
|
|
cat >> $tmpfile <<EOF
|
|
{ url = "$url$version/`echo $line | cut -d":" -f3`";
|
|
locale = "`echo $line | cut -d":" -f3 | sed "s/$arch\///" | sed "s/\/.*//"`";
|
|
arch = "$arch";
|
|
sha256 = "`echo $line | cut -d":" -f1`";
|
|
}
|
|
EOF
|
|
done
|
|
done
|
|
cat >> $tmpfile <<EOF
|
|
];
|
|
}
|
|
EOF
|
|
|
|
mv $tmpfile ${channel}_sources.nix
|
|
|
|
popd
|
|
''
|