authorAndré Herbst2023-04-11 13:02:25 +0200
committerAndré Herbst2023-04-11 13:03:38 +0200
commit07772376e9713f8c760cbf8e856d2be1c62154ac (patch)
tree109b5fc6b899514d41e5918a892aa6cc7630fef8
parent2c160388013115e2e2bc3444ae594fc32cb4d4b2 (diff)
workaround: verify wireguard certificate against manually downloaded cert chain
-rw-r--r--.SRCINFO7
-rw-r--r--PKGBUILD25
-rwxr-xr-xcyberghostvpn_wrapper4
3 files changed, 32 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 50a426ebf561..ddf06396d481 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,21 +1,24 @@
pkgbase = cyberghostvpn
pkgdesc = CyberGhost VPN
pkgver = 1.4.1
- pkgrel = 5
+ pkgrel = 6
url = https://www.cyberghostvpn.com
arch = any
license = custom:cyberghostvpn
makedepends = zip
depends = bash
+ depends = ca-certificates
depends = curl
depends = openvpn
depends = wireguard-tools
depends = resolvconf
source = https://download.cyberghostvpn.com/linux/cyberghostvpn-ubuntu-20.04-1.4.1.zip
+ source = http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
source = cyberghostvpn_wrapper
source = openvpn_wrapper
sha256sums = b80941fd044cd7ac230743e9dc18e3ff636ac209e7c04fdf2619428f8043fc76
- sha256sums = 388e6b86db32e6fb513769257e58efb32392fe5f020cc8bb2f67a506ac59206e
+ sha256sums = 72a34ac2b424aed3f6b0b04755b88cc027dccc806fddb22b4cd7c47773973ec0
+ sha256sums = b9410322648fa3ff40cee9199d9dcadf51117ad633b96e3f99e57b47c75d2b80
sha256sums = f26e37ce43385e625b012afd3d27bad9f9279e3d6cb135cd92c412eada36212e
pkgname = cyberghostvpn
diff --git a/PKGBUILD b/PKGBUILD
index 728eb1ef629a..37c54432a23a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,13 +4,14 @@
pkgname=cyberghostvpn
pkgver=1.4.1
-pkgrel=5
+pkgrel=6
pkgdesc="CyberGhost VPN"
url="https://www.cyberghostvpn.com"
arch=(any)
license=(custom:cyberghostvpn)
depends=(
bash
+ ca-certificates
curl
openvpn
wireguard-tools
@@ -20,20 +21,40 @@ makedepends=(zip)
_variant=ubuntu-20.04
source=( "https://download.cyberghostvpn.com/linux/cyberghostvpn-${_variant}-${pkgver}.zip"
+ "http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt"
"cyberghostvpn_wrapper"
"openvpn_wrapper")
sha256sums=( 'b80941fd044cd7ac230743e9dc18e3ff636ac209e7c04fdf2619428f8043fc76'
- '388e6b86db32e6fb513769257e58efb32392fe5f020cc8bb2f67a506ac59206e'
+ '72a34ac2b424aed3f6b0b04755b88cc027dccc806fddb22b4cd7c47773973ec0'
+ 'b9410322648fa3ff40cee9199d9dcadf51117ad633b96e3f99e57b47c75d2b80'
'f26e37ce43385e625b012afd3d27bad9f9279e3d6cb135cd92c412eada36212e')
_archive="${pkgname}-${_variant}-${pkgver}"
+prepare() {
+ # workaround: build certificate to connect to wireguard servers
+ # remove as soon as the certificate is provied by the package
+ _wireguard_certificate_server="washington-s403-i01.cg-dialup.net:1337"
+ true | openssl s_client -verify 5 -connect ${_wireguard_certificate_server} | openssl x509 > "${srcdir}/cg-dialup-net.pem"
+
+ sha256sum "${srcdir}/cg-dialup-net.pem"
+ sha256sum --check <( echo "ff0f9f4c75a06dedd1e34cf2a88b95dc879c9ef6173913b40f271355f614744c ${srcdir}/cg-dialup-net.pem" )
+
+ (
+ openssl x509 -in "${srcdir}/cg-dialup-net.pem"
+ openssl x509 -in "SectigoRSAOrganizationValidationSecureServerCA.crt"
+ openssl x509 -in "/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem"
+ ) > "${srcdir}/wireguard_ca.crt"
+}
+
package() {
_installdir=usr/local/cyberghost
install -Dm 755 openvpn_wrapper "$pkgdir/${_installdir}/wrapper/openvpn_wrapper"
install -Dm 755 cyberghostvpn_wrapper "$pkgdir/${_installdir}/wrapper/cyberghostvpn_wrapper"
ln -s "/${_installdir}/wrapper/openvpn_wrapper" "$pkgdir/${_installdir}/openvpn"
+ install -Dm 644 "${srcdir}/wireguard_ca.crt" "$pkgdir/${_installdir}/certs/wireguard/ca.crt"
+
cd "$_archive"
install -Dm 755 cyberghost/cyberghostvpn "$pkgdir/${_installdir}/cyberghostvpn"
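Review bot: In `prepare()`, `openssl s_client -verify 5` only sets the verification depth and continues when chain verification fails, so the hard-coded SHA-256 below it is the only thing deciding which leaf certificate lands in `wireguard_ca.crt`. That gate holds only if a failed `sha256sum --check` aborts the function, so make it explicit with `|| return 1` on that line and quote `"${_wireguard_certificate_server}"`. Fetching the certificate from a live host in `prepare()` also makes the build depend on network access and fail as soon as that server rotates its certificate; committing the PEM next to `cyberghostvpn_wrapper` and listing it in `source`/`sha256sums` would pin the same bytes through makepkg's normal integrity check. The bundle also copies `/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem` from the build host, so the packaged trust anchor is frozen at whatever that path held at build time, which deserves a comment. `package()` continues past the end of the hunk.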
diff --git a/cyberghostvpn_wrapper b/cyberghostvpn_wrapper
index 144c0e892646..03b74f00a85b 100755
--- a/cyberghostvpn_wrapper
+++ b/cyberghostvpn_wrapper
@@ -4,4 +4,8 @@
# to ensure that cyberghost is calling the openvpn wrapper
export PATH=/usr/local/cyberghost:$PATH
+# cyberghostvpn expects wireguard certificate to be located at '../certs/wireguard/ca.crt'
+# cd into /usr/local/cyberghostvpn/certs so that pinned certificate will be found
+cd /usr/local/cyberghost/certs
+
/usr/local/cyberghost/cyberghostvpn "$@"
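Review bot: The added `cd /usr/local/cyberghost/certs` is not checked, so if the directory is missing the wrapper still starts the client from the caller's working directory, and the relative `../certs/wireguard/ca.crt` lookup described in the comment would then resolve against whatever directory the user happened to be in. Fail closed instead: `cd /usr/local/cyberghost/certs || exit 1`. The comment names `/usr/local/cyberghostvpn/certs` while the command uses `/usr/local/cyberghost/certs`; the comment should match the command. Changing directory also alters how any relative path passed through `"$@"` resolves, which is worth a line in the comment. The top of the script is outside the hunk, so whether `set -e` is already in effect cannot be seen from here.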