In d054f2a the certificate pinning was removed (#224) so IPolicyForHTTPS
is no longer required. This is required to make torbrowser-launcher
work with python-twisted packages where IPolicyForHTTPS is not yet
implemented, such as the one shipped with Ubuntu 14.04.

Rather than checking the GnuPG process exit code, a more robust way to
handle determining whether or not a GnuPG process behaved as was
intended is to check GnuPG's status-fd output. [0]

In the case of key import, the particular status-fd flag we're looking
for is `IMPORT_OK` followed by a "reason", then the expected
fingerprint. [1] Because the "reason"s are integers which may be ORed,
and we are never expecting private keys to be within the file, we can
assume the reason to be `[0, 15]` inclusive.

While it's not strictly necessary to hardcode Erinn's key fingerprint
within the code because the keyfiles are safely distributed along with
the source code, doing so adds a simple defense-in-depth mechanism for
the unlikely case that a user's torbrowser-launcher package/source
download was compromised. As such, and because it was a trivial
addition which will also assist with checking that a signature was made
by the key with the expected fingerprint [2], I've gone ahead and added
a `common.fingerprints` dictionary whose keys match the names of the
`common.paths` keyfile for their respective key (i.e. the fingerprint
for `common.paths['erinn_key']` is stored at
`common.fingerprints['erinn_key']`) in order to facilitate extensibility
in the event that torbrowser-launcher should add new keyfiles in the
future. This may be removed, if undesirable.

* ADD `common.gnupg_import_ok_pattern`, a compiled regex for
determining if a key import was successful.
* ADD new class attribute, `common.Common.fingerprints` for storing
fingerprints.
* ADD new method, `common.Common.import_key_and_check_status()`, which
imports a GnuPG key, and then checks that the key was successfully
imported.
* CHANGE `common.Common.import_keys()` method to make adding
new/additional keys easier.
* FIXES https://github.com/micahflee/torbrowser-launcher/issues/137

[0]: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;hb=HEAD#l323
[1]: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;hb=HEAD#l713
[2]: https://github.com/micahflee/torbrowser-launcher/issues/147
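
The status-fd check described in the commit message above, as an added example that is not torbrowser-launcher's own code: it parses captured GnuPG status output and accepts the import only when every `IMPORT_OK` line carries a reason in `[0, 15]` and the expected fingerprint. The function name, the fingerprint and the sample status lines are constructed for illustration; a 40-hex-digit fingerprint is assumed, and rejecting the import when any other key is reported is a choice made for this example.

```python
import re

# GnuPG doc/DETAILS: "[GNUPG:] IMPORT_OK <reason> [<fingerprint>]".
# <reason> is a bit field: 1 new key, 2 new user IDs, 4 new signatures,
# 8 new subkeys, 16 contains private key; 0 means the key was unchanged.
IMPORT_OK_LINE = re.compile(r"\[GNUPG:\] IMPORT_OK ([0-9]+) ([0-9A-Fa-f]{40})")
MAX_PUBLIC_REASON = 15  # all public-key bits set, private-key bit clear

# Constructed fingerprint and status output, for illustration only.
EXPECTED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
OTHER_FPR = "F" * 40
SAMPLE_NEW_KEY = (
    "[GNUPG:] IMPORTED 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] IMPORT_OK 1 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_WITH_SECRET = "[GNUPG:] IMPORT_OK 17 0123456789ABCDEF0123456789ABCDEF01234567\n"


def key_import_succeeded(status_output, expected_fingerprint):
    """True only if GnuPG reported IMPORT_OK for the expected key and nothing else."""
    expected = "".join(expected_fingerprint.split()).upper()
    confirmed = False
    for line in status_output.splitlines():
        line = line.strip()
        if not line.startswith("[GNUPG:] IMPORT_OK"):
            continue  # other status keywords are not evidence of success
        match = IMPORT_OK_LINE.fullmatch(line)
        if match is None:
            return False  # IMPORT_OK without a parsable reason and fingerprint
        reason, fingerprint = int(match.group(1)), match.group(2).upper()
        if reason > MAX_PUBLIC_REASON or fingerprint != expected:
            return False  # private-key material or an unexpected key
        confirmed = True
    return confirmed


if __name__ == "__main__":
    print(key_import_succeeded(SAMPLE_NEW_KEY, EXPECTED_FPR))
    print(key_import_succeeded(SAMPLE_WITH_SECRET, EXPECTED_FPR))
```
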

If I recall correctly, weasel (Tor Project's volunteer lead sysadmin)
tried to switch everything to using https://dist.torproject.org/ last
week, and then added an Apache redirect from
https://www.torproject.org/dist to https://dist.torproject.org after
discovering that some things were still trying to use the old URL. We
should switch to the new one, so that someday weasel can remove the
redirect.

* CHANGE `default_mirror` to https://dist.torproject.org/