From 4482c60ead974420e5e4c1fbef22d70cc2d4925d Mon Sep 17 00:00:00 2001
From: Jessica Frazelle <acidburn@docker.com>
Date: Sat, 22 Aug 2015 13:50:35 -0700
Subject: [PATCH] check sigs tor

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
---
 tor-browser/alpha/Dockerfile  | 14 +++++++++++++-
 tor-browser/stable/Dockerfile | 16 ++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/tor-browser/alpha/Dockerfile b/tor-browser/alpha/Dockerfile
index 8ab5750..e14b77c 100644
--- a/tor-browser/alpha/Dockerfile
+++ b/tor-browser/alpha/Dockerfile
@@ -27,8 +27,20 @@ RUN useradd --create-home --home-dir $HOME user \
 ENV LANG C.UTF-8
 
 ENV TOR_VERSION 5.5a1
+ENV TOR_FINGERPRINT 0x4E2C6E8793298290
+
+# download tor and check signature
+RUN cd /tmp \
+	&& curl -sSOL "https://www.torproject.org/dist/torbrowser/${TOR_VERSION}/tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz" \
+	&& curl -sSOL "https://www.torproject.org/dist/torbrowser/${TOR_VERSION}/tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz.asc" \
+	&& mkdir ~/.gnupg \
+	&& gpg --keyserver x-hkp://keys.gnupg.net --recv-keys ${TOR_FINGERPRINT} \
+	&& gpg --fingerprint ${TOR_FINGERPRINT} | grep "Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290" \
+	&& gpg tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz.asc \
+	&& tar -vxJ --strip-components 1 -C /usr/local/bin -f tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz \
+	&& rm -rf tor-browser* \
+	&& rm -rf ~/.gnupg
 
-RUN curl -sSL "https://www.torproject.org/dist/torbrowser/${TOR_VERSION}/tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz" | tar -v -C /usr/local/bin -xJ --strip-components 1 
 
 # good fonts
 COPY local.conf /etc/fonts/local.conf
diff --git a/tor-browser/stable/Dockerfile b/tor-browser/stable/Dockerfile
index 678850e..ca86f08 100644
--- a/tor-browser/stable/Dockerfile
+++ b/tor-browser/stable/Dockerfile
@@ -26,9 +26,21 @@ RUN useradd --create-home --home-dir $HOME user \
 
 ENV LANG C.UTF-8
 
-ENV TOR_VERSION 5.0
+ENV TOR_VERSION 5.0.1
+ENV TOR_FINGERPRINT 0x4E2C6E8793298290
+
+# download tor and check signature
+RUN cd /tmp \
+	&& curl -sSOL "https://www.torproject.org/dist/torbrowser/${TOR_VERSION}/tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz" \
+	&& curl -sSOL "https://www.torproject.org/dist/torbrowser/${TOR_VERSION}/tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz.asc" \
+	&& mkdir ~/.gnupg \
+	&& gpg --keyserver x-hkp://keys.gnupg.net --recv-keys ${TOR_FINGERPRINT} \
+	&& gpg --fingerprint ${TOR_FINGERPRINT} | grep "Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290" \
+	&& gpg tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz.asc \
+	&& tar -vxJ --strip-components 1 -C /usr/local/bin -f tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz \
+	&& rm -rf tor-browser* \
+	&& rm -rf ~/.gnupg
 
-RUN curl -sSL "https://www.torproject.org/dist/torbrowser/${TOR_VERSION}/tor-browser-linux64-${TOR_VERSION}_en-US.tar.xz" | tar -v -C /usr/local/bin -xJ --strip-components 1 
 
 # good fonts
 COPY local.conf /etc/fonts/local.conf