feat(privacy): try using torsocks for curl and git (#569)

* feat(privacy): try using torsocks for internet check * refactor: improve the whitespace * feat: wrap other curl and git commands in torsocks, except on macOS * fix: missing single-quote * fix: add shellcheck disable directives * fix: wrong spellcheck string * fix: remove whitespace * ensure the brew curl command only happens with sudo * download the files smallest to largest
bitcoin-tools · Apr 27, 2024 · 512726a · 512726a
1 parent 83bdb1e
commit 512726a
Showing 1 changed file with 45 additions and 12 deletions.
diff --git a/nodebuilder b/nodebuilder
@@ -14,7 +14,10 @@ check_internet() {
   check_int_address=$1
   check_int_port="443"
   check_int_timeout="10"
-  curl --silent --output /dev/null --connect-timeout "${check_int_timeout}" https://"${check_int_address}:${check_int_port}" > /dev/null
+  # shellcheck disable=SC2015
+  command -v torsocks > /dev/null 2>&1 && [ "$(get_os_release_type)" != 'Darwin' ] &&
+    torsocks curl --silent --output /dev/null --retry 5 --connect-timeout "${check_int_timeout}" https://"${check_int_address}:${check_int_port}" > /dev/null ||
+    curl --silent --output /dev/null --retry 5 --connect-timeout "${check_int_timeout}" https://"${check_int_address}:${check_int_port}" > /dev/null
 }
 
 display_macos_warning() {
@@ -142,7 +145,9 @@ install_build_dependencies_zypper() {
 
 install_runtime_dependencies_apk() {
   dependencies_url="https://github.com/bitcoin-tools/nodebuilder/raw/master/dependencies/runtime_dependencies_apk.txt"
-  dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
+  command -v torsocks > /dev/null 2>&1 &&
+    dependencies=$(torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}") ||
+    dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
   if [ -n "${dependencies}" ]; then
     printf '%s\n' "${dependencies}" | xargs sudo apk --quiet add
   else
@@ -153,7 +158,9 @@ install_runtime_dependencies_apk() {
 install_runtime_dependencies_aptget() {
   check_dpkg_lock
   dependencies_url="https://github.com/bitcoin-tools/nodebuilder/raw/master/dependencies/runtime_dependencies_aptget.txt"
-  dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
+  command -v torsocks > /dev/null 2>&1 &&
+    dependencies=$(torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}") ||
+    dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
   if [ -n "${dependencies}" ]; then
     printf '%s\n' "${dependencies}" | xargs sudo DEBIAN_FRONTEND=noninteractive apt-get -qq install --assume-yes --no-install-recommends > /dev/null
   else
@@ -194,7 +201,9 @@ install_runtime_dependencies_darwin() {
 
 install_runtime_dependencies_dnf() {
   dependencies_url="https://github.com/bitcoin-tools/nodebuilder/raw/master/dependencies/runtime_dependencies_dnf.txt"
-  dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
+  command -v torsocks > /dev/null 2>&1 &&
+    dependencies=$(torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}") ||
+    dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
   if [ -n "${dependencies}" ]; then
     printf '%s\n' "${dependencies}" | xargs sudo dnf --assumeyes --quiet install > /dev/null
   else
@@ -204,7 +213,9 @@ install_runtime_dependencies_dnf() {
 
 install_runtime_dependencies_pacman() {
   dependencies_url="https://github.com/bitcoin-tools/nodebuilder/raw/master/dependencies/runtime_dependencies_pacman.txt"
-  dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
+  command -v torsocks > /dev/null 2>&1 &&
+    dependencies=$(torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}") ||
+    dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
   if [ -n "${dependencies}" ]; then
     printf '%s\n' "${dependencies}" | xargs sudo pacman -Syu --needed --noconfirm --quiet > dev/null
   else
@@ -214,7 +225,9 @@ install_runtime_dependencies_pacman() {
 
 install_runtime_dependencies_zypper() {
   dependencies_url="https://github.com/bitcoin-tools/nodebuilder/raw/master/dependencies/runtime_dependencies_zypper.txt"
-  dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
+  command -v torsocks > /dev/null 2>&1 &&
+    dependencies=$(torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}") ||
+    dependencies=$(curl --fail --silent --show-error --location --retry 5 --retry-delay 10 "${dependencies_url}")
   if [ -n "${dependencies}" ]; then
     printf '%s\n' "${dependencies}" | xargs sudo zypper --non-interactive --quiet install > /dev/null
   else
@@ -613,7 +626,10 @@ elif [ "${compile_bitcoin:-"false"}" = "true" ] || [ "$(get_os_release_type)" =
     ;;
   esac
   printf '%s\n  %s' "ok." "Downloading Bitcoin source code... "
-  git clone --branch "v${target_bitcoin_version}" --single-branch --depth 1 --quiet -c advice.detachedHead=false https://github.com/bitcoin/bitcoin.git "${compile_directory}"
+  # shellcheck disable=SC2015
+  command -v torsocks > /dev/null 2>&1 && [ "$(get_os_release_type)" != 'Darwin' ] &&
+    torsocks git clone --branch "v${target_bitcoin_version}" --single-branch --depth 1 --quiet -c advice.detachedHead=false https://github.com/bitcoin/bitcoin.git "${compile_directory}" ||
+    git clone --branch "v${target_bitcoin_version}" --single-branch --depth 1 --quiet -c advice.detachedHead=false https://github.com/bitcoin/bitcoin.git "${compile_directory}"
   cd "${compile_directory}"/
   printf '%s\n  %s' "ok." "Analyzing hardware confgiruation... "
   ./autogen.sh > /dev/null 2> "${stderr_compile_log_file}"
@@ -677,9 +693,18 @@ else
     guix_sigs_temporary_dir="${temp_directory}/guix.sigs"
     guix_sigs_destination_dir="${HOME}/Downloads/guix.sigs"
     printf '  %s' "Downloading Bitcoin Core... "
-    curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_tarball_temporary_file}" "${bitcoin_tarball_file_source}"
-    curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_hash_file}" "${bitcoin_hash_file_source}"
-    curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${gpg_signatures_file}" "${gpg_signatures_file_source}"
+    if command -v torsocks > /dev/null 2>&1 && [ "$(get_os_release_type)" != 'Darwin' ]; then
+      torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_hash_file}" "${bitcoin_hash_file_source}" ||
+        curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_hash_file}" "${bitcoin_hash_file_source}"
+      torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${gpg_signatures_file}" "${gpg_signatures_file_source}" ||
+        curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${gpg_signatures_file}" "${gpg_signatures_file_source}"
+      torsocks curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_tarball_temporary_file}" "${bitcoin_tarball_file_source}" ||
+        curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_tarball_temporary_file}" "${bitcoin_tarball_file_source}"
+    else
+      curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_hash_file}" "${bitcoin_hash_file_source}"
+      curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${gpg_signatures_file}" "${gpg_signatures_file_source}"
+      curl --fail --silent --show-error --location --retry 5 --retry-delay 10 --output "${bitcoin_tarball_temporary_file}" "${bitcoin_tarball_file_source}"
+    fi
     printf '%s\n' "ok."
 
     printf '  %s' "Validating the checksum... "
@@ -704,7 +729,10 @@ else
     if [ -d "${guix_sigs_destination_dir}"/ ]; then
       gpg --quiet --import "${guix_sigs_destination_dir}"/builder-keys/*.gpg
     else
-      git clone --single-branch --depth 1 --quiet "${guix_sigs_repo}" "${guix_sigs_temporary_dir}"
+      # shellcheck disable=SC2015
+      command -v torsocks > /dev/null 2>&1 && [ "$(get_os_release_type)" != 'Darwin' ] &&
+        torsocks git clone --single-branch --depth 1 --quiet "${guix_sigs_repo}" "${guix_sigs_temporary_dir}" ||
+        git clone --single-branch --depth 1 --quiet "${guix_sigs_repo}" "${guix_sigs_temporary_dir}"
       gpg --quiet --import "${guix_sigs_temporary_dir}"/builder-keys/*.gpg
     fi
     gpg_good_signature_count=$(gpg --verify "${gpg_signatures_file}" 2>&1 | grep -c "^gpg: Good signature from ")
@@ -786,7 +814,12 @@ if [ "$(uname -s)" != "Darwin" ]; then
   shortcut_filename="bitcoin_core.desktop"
 
   [ -d "$(dirname "${shortcut_image_file}")" ] || mkdir -p "$(dirname "${shortcut_image_file}")"
-  [ -f "${shortcut_image_file}" ] || curl --silent --show-error --location --fail --output "${shortcut_image_file}" "${shortcut_image_source}"
+  if ! [ -f "${shortcut_image_file}" ]; then
+    # shellcheck disable=SC2015
+    command -v torsocks > /dev/null 2>&1 && [ "$(get_os_release_type)" != 'Darwin' ] &&
+      torsocks curl --silent --show-error --location --fail --output "${shortcut_image_file}" "${shortcut_image_source}" ||
+      curl --silent --show-error --location --fail --output "${shortcut_image_file}" "${shortcut_image_source}"
+  fi
 
   ## Create .desktop on the user's Desktop and "Show Applications" directories
   [ -d "${desktop_path}" ] || mkdir -p "${desktop_path}"