| author | David Lönnhager <david.l@mullvad.net> | 2025-04-02 13:49:15 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2025-04-03 14:10:58 +0200 |
| commit | 3d03dc779f6829a236d139543e3c19fa56c4a25e (patch) | |
| tree | 63656e7a74de1ee9ec416b23a80ec42c53dc304d /mullvad-update/meta/src | |
| parent | 00e26c1d17fb9044f8cbc0a168eab1edef70ba8a (diff) | |
| download | mullvadvpn-3d03dc779f6829a236d139543e3c19fa56c4a25e.tar.xz mullvadvpn-3d03dc779f6829a236d139543e3c19fa56c4a25e.zip | |
Set default pubkeys and pinned certificate in mullvad-update
Diffstat (limited to 'mullvad-update/meta/src')
| -rw-r--r-- | mullvad-update/meta/src/platform.rs | 21 |
1 files changed, 3 insertions, 18 deletions
diff --git a/mullvad-update/meta/src/platform.rs b/mullvad-update/meta/src/platform.rs
index 9d47825bc2..ed08915092 100644
--- a/mullvad-update/meta/src/platform.rs
+++ b/mullvad-update/meta/src/platform.rs
@@ -10,7 +10,6 @@ use std::{
     fmt,
     path::{Path, PathBuf},
     str::FromStr,
-    sync::LazyLock,
 };
 
 use tokio::{fs, io};
@@ -23,12 +22,6 @@ use crate::{
 /// Actual JSON files should be stored at `<base url>/<platform>.json`.
 const META_REPOSITORY_URL: &str = "https://releases.mullvad.net/desktop/metadata/";
 
-/// TLS certificate to pin to for `meta pull`.
-static PINNED_CERTIFICATE: LazyLock<reqwest::Certificate> = LazyLock::new(|| {
-    const CERT_BYTES: &[u8] = include_bytes!("../../../mullvad-api/le_root_cert.pem");
-    reqwest::Certificate::from_pem(CERT_BYTES).expect("invalid cert")
-});
-
 #[derive(Clone, Copy)]
 pub enum Platform {
     Windows,
@@ -127,11 +120,7 @@ impl Platform {
 
         println!("Pulling {self} metadata from {url}...");
 
-        let version_provider = HttpVersionInfoProvider {
-            pinned_certificate: Some(PINNED_CERTIFICATE.clone()),
-            url,
-            verifying_keys: mullvad_update::keys::TRUSTED_METADATA_SIGNING_PUBKEYS.clone(),
-        };
+        let version_provider = HttpVersionInfoProvider::new(url);
         let response = version_provider
             .get_versions(crate::MIN_VERIFY_METADATA_VERSION)
             .await
@@ -231,12 +220,8 @@ impl Platform {
         println!("Verifying signature of {}...", signed_path.display());
 
         let bytes = fs::read(signed_path).await.context("Failed to read file")?;
-        format::SignedResponse::deserialize_and_verify_with_keys(
-            &mullvad_update::keys::TRUSTED_METADATA_SIGNING_PUBKEYS,
-            &bytes,
-            crate::MIN_VERIFY_METADATA_VERSION,
-        )
-        .context("Failed to verify metadata for {platform}: {error}")?;
+        format::SignedResponse::deserialize_and_verify(&bytes, crate::MIN_VERIFY_METADATA_VERSION)
+            .context("Failed to verify metadata for {platform}: {error}")?;
 
         Ok(())
     }
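Review bot: The pull path now obtains its TLS pinning and metadata signing keys implicitly from `HttpVersionInfoProvider::new(url)`, and nothing at the call site records that, so a reader of this function can no longer see that the connection is pinned or which keys verify the response. The commit title indicates that `new` applies the crate's default pinned certificate and trusted pubkeys, which is exactly the property worth stating where the old explicit struct literal used to make it obvious. A one-line comment above the `let` would keep the intent visible: `// new() applies the crate's default pinned TLS certificate and trusted signing keys; a struct literal here could silently drop either.` The enclosing function starts and ends outside the hunk.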
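Review bot: The carried-over `.context("Failed to verify metadata for {platform}: {error}")` on the new side passes a plain string literal, so `{platform}` and `{error}` are never interpolated and the reported error contains the braces verbatim; the rewritten `deserialize_and_verify` call keeps this line unchanged. If this is anyhow's `Context` trait, the underlying verification error is already chained by `.context`, so the `{error}` placeholder is redundant, and the platform is presumably `self`, as in the pull hunk's `println!("Pulling {self} metadata from {url}...")`. The line would then read `.with_context(|| format!("Failed to verify metadata for {self}"))?;`. The enclosing function starts outside the hunk.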
