Switch to real key, and add signing to release script. Close #1573.

letsencrypt-auto-source/letsencrypt-auto

@@ -1656,6 +1656,7 @@ from sys import argv, exit
 from urllib2 import build_opener, HTTPHandler, HTTPSHandler, HTTPError
 
 
+#test
 PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnwHkSuCSy3gIHawaCiIe
 4ilJ5kfEmSoiu50uiimBhTESq1JG2gVqXVXFxxVgobGhahSF+/iRVp3imrTtGp1B
@@ -1670,8 +1671,18 @@ q958HnzFpZiQZAqZYtOHaiQiaHPs/36ZN0HuOEy0zM9FEHbp4V/DEn4pNCfAmRY5
 3v+3nIBhgiLdlM7cV9559aDNeutF25n1Uz2kvuSVSS94qTEmlteCPZGBQb9Rr2wn
 I2OU8tPRzqKdQ6AwS9wvqscCAwEAAQ==
 -----END PUBLIC KEY-----
-""")  # TODO: Replace with real one.
-
+""")
+# real
+PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq
+OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18
+xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp
+9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij
+n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH
+cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+
+CQIDAQAB
+-----END PUBLIC KEY-----
+""")
 
 class ExpectedError(Exception):
     """A novice-readable exception that also carries the original exception for

letsencrypt-auto-source/pieces/fetch.py

@@ -19,23 +19,16 @@ from subprocess import check_call, CalledProcessError
 from sys import argv, exit
 from urllib2 import build_opener, HTTPHandler, HTTPSHandler, HTTPError
 
-
 PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnwHkSuCSy3gIHawaCiIe
-4ilJ5kfEmSoiu50uiimBhTESq1JG2gVqXVXFxxVgobGhahSF+/iRVp3imrTtGp1B
-2heoHbELnPTTZ8E36WHKf4gkLEo0y0XgOP3oBJ9IM5q8J68x0U3Q3c+kTxd/sgww
-s5NVwpjw4aAZhgDPe5u+rvthUYOD1whYUANgYvooCpV4httNv5wuDjo7SG2V797T
-QTE8aG3AOhWzdsLm6E6Tl2o/dR6XKJi/RMiXIk53SzArimtAJXe/1GyADe1AgIGE
-33Ja3hU3uu9lvnnkowy1VI0qvAav/mu/APahcWVYkBAvSVAhH3zGNAGZUnP2zfcP
-rH7OPw/WrxLVGlX4trLnvQr1wzX7aiM2jdikcMiaExrP0JfQXPu00y3c+hjOC5S0
-+E5P+e+8pqz5iC5mmvEqy2aQJ6pV7dSpYX3mcDs8pCYaVXXtCPXS1noWirCcqCMK
-EHGGdJCTXXLHaWUaGQ9Gx1An1gU7Ljkkji2Al65ZwYhkFowsLfuniYKuAywRrCNu
-q958HnzFpZiQZAqZYtOHaiQiaHPs/36ZN0HuOEy0zM9FEHbp4V/DEn4pNCfAmRY5
-3v+3nIBhgiLdlM7cV9559aDNeutF25n1Uz2kvuSVSS94qTEmlteCPZGBQb9Rr2wn
-I2OU8tPRzqKdQ6AwS9wvqscCAwEAAQ==
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq
+OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18
+xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp
+9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij
+n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH
+cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+
+CQIDAQAB
 -----END PUBLIC KEY-----
-""")  # TODO: Replace with real one.
-
+""")
 
 class ExpectedError(Exception):
     """A novice-readable exception that also carries the original exception for

tools/half-sign.c

@@ -9,6 +9,9 @@
 // This program can be used to perform RSA public key signatures given only
 // the hash of the file to be signed as input.
 
+// To compile:
+// gcc half-sign.c -lssl -lcrypto -o half-sign
+
 // Sign with SHA1
 #define HASH_SIZE 20
 

tools/offline-sigrequest.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -o errexit
+
+if ! `which festival > /dev/null` ; then
+    echo Please install \'festival\'!
+    exit 1
+fi
+
+function sayhash { # $1 <-- HASH ; $2 <---SIGFILEBALL
+  while read -p "Press Enter to read the hash aloud or type 'done':  " INP && [ "$INP" = "" ] ; do
+    cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.5)"; \
+                echo -n '(SayText "'; \
+                sha1sum | cut -c1-40 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \
+                echo '")' ) | festival
+  done
+
+  echo 'Paste in the data from the QR code, then type Ctrl-D:'
+  cat > $2
+}
+
+function offlinesign {  # $1 <-- INPFILE ; $2 <---SIGFILE
+  echo HASH FOR SIGNING:
+  SIGFILEBALL="$2.lzma.base64"
+  #echo "(place the resulting raw binary signature in $SIGFILEBALL)"
+  sha1sum $1 
+  echo metahash for confirmation only $(sha1sum $1   |cut -d' ' -f1 | tr -d '\n' | sha1sum  | cut -c1-6) ...
+  echo
+  sayhash $1 $SIGFILEBALL
+}
+
+function oncesigned { # $1 <-- INPFILE ; $2 <--SIGFILE
+  SIGFILEBALL="$2.lzma.base64"
+  cat $SIGFILEBALL | tr -d '\r' | base64 -d | unlzma -c > $2 || exit 1
+  if ! [ -f $2 ] ; then
+    echo "Failed to find $2"'!'
+    exit 1
+  fi
+
+  if file $2 | grep -qv " data" ; then
+    echo "WARNING WARNING $2 does not look like a binary signature:"
+    echo `file $2`
+    exit 1
+  fi
+}
+
+HERE=`dirname $0`
+LEAUTO="`realpath $HERE`/../letsencrypt-auto-source/letsencrypt-auto"
+SIGFILE="$LEAUTO".sig
+offlinesign $LEAUTO $SIGFILE
+oncesigned $LEAUTO $SIGFILE

tools/release.sh

@@ -34,6 +34,9 @@ else
     echo Releasing developer version "$version"...
 fi
 
+if [ "$RELEASE_OPENSSL_KEY" = "" ] ; then
+    RELEASE_OPENSSL_KEY="`realpath \`dirname $0\``/eff-pubkey.pem"
+fi
 RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
 # Needed to fix problems with git signatures and pinentry
 export GPG_TTY=$(tty)
@@ -78,6 +81,21 @@ if [ "$RELEASE_BRANCH" != "candidate-$version" ] ; then
 fi
 git checkout "$RELEASE_BRANCH"
 
+# ensure we have the latest built version of leauto
+letsencrypt-auto-source/build.py
+
+# and that it's signed correctly
+if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_KEY -signature \
+        letsencrypt-auto-source/letsencrypt-auto.sig \
+        letsencrypt-auto-source/letsencrypt-auto            ; then
+   echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH"
+   echo please fix that and re-run
+   exit 1
+else
+    echo Signature check on letsencrypt-auto successful
+fi
+
+
 SetVersion() {
     ver="$1"
     for pkg_dir in $SUBPKGS
@@ -112,6 +130,7 @@ do
   cd -
 done
 
+
 mkdir "dist.$version"
 mv dist "dist.$version/letsencrypt"
 for pkg_dir in $SUBPKGS