[bisq-network/bisq] Bump netlayer to use tor binaries from verified tor-browser v9.5.4 (#4601)

Tue Oct 6 15:06:16 UTC 2020

Use a `netlayer` version that includes tor binaries extracted from the latest tor browser [v9.5.4](https://dist.torproject.org/torbrowser/9.5.4/).

For simplicity:
- use [netlayer version cdbe476](https://jitpack.io/#cd2357/netlayer/cdbe476) (based on commit `cdbe476` from [this branch](https://github.com/cd2357/netlayer/commits/upgrade-tor-binary-0.4.3.8-on-v0.6.8))
  - the referenced branch = previously used `netlayer` v0.6.8 + a change to use following `tor-binary`
- above `netlayer` bumps `tor-binary` dependency to [f3bc31f](https://jitpack.io/#cd2357/tor-binary/f3bc31f) (based on commit `f3bc31f` from [this branch](https://github.com/cd2357/tor-binary/commits/upgrade-tor-9.5.4))
  - the referenced branch = previously used `tor-binary` dependency + change A + change B
    - change A: extract tor binaries from `tor-browser` v9.5.4 (instead of 9.5.3 used previously)
    - change B: update the extraction and build process to check if the `SHA-256` hashes of the `tor-browser` binaries match [the official ones](https://dist.torproject.org/torbrowser/9.5.4/sha256sums-signed-build.txt) (instead of `SHA-512` hashes used previously, which are not published in the official tor repo anymore)
      - this ensures the build only succeeds if the downloaded `tor-browser` binaries (used to extract the tor binaries) match the official checksums

Note: The tor binaries in `tor-browser` v9.5.4 are the same version as from v9.5.3 (namely tor v0.4.3.6, as per [the tor-browser changelog](https://gitweb.torproject.org/builders/tor-browser-build.git/plain/projects/tor-browser/Bundle-Data/Docs/ChangeLog.txt?h=maint-9.5)).

So this PR doesn't bring or change any tor or netlayer functionality. It only ensures that the used tor binaries were extracted from verified `tor-browser` packages. The tor binaries are delivered as dependencies of `netlayer`.

Fixes #4593
You can view, comment on, or merge this pull request online at:

  https://github.com/bisq-network/bisq/pull/4601

-- Commit Summary --

  * Bump netlayer to use tor binary from tor browser v9.5.4

-- File Changes --

    M build.gradle (6)
    M gradle/witness/gradle-witness.gradle (16)

-- Patch Links --

https://github.com/bisq-network/bisq/pull/4601.patch
https://github.com/bisq-network/bisq/pull/4601.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4601
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20201006/04a30229/attachment.html>