From 2eb3e09ca96b7b186ae2122510a0452036b86363 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sun, 10 Jan 2016 22:57:49 -0800 Subject: [PATCH 1/7] Check correct signature presence for release --- tools/release.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tools/release.sh b/tools/release.sh index 172f6fea1..2d427d49d 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -34,6 +34,9 @@ else echo Releasing developer version "$version"... fi +if [ "$RELEASE_OPENSSL_KEY" = "" ] ; then + RELEASE_OPENSSL_KEY="`realpath \`dirname $0\``/eff-pubkey.pem" +fi RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2} # Needed to fix problems with git signatures and pinentry export GPG_TTY=$(tty) @@ -78,6 +81,14 @@ if [ "$RELEASE_BRANCH" != "candidate-$version" ] ; then fi git checkout "$RELEASE_BRANCH" +if ! openssl dgst -sha1 -verify $RELEASE_OPENSSL_KEY -signature \ + letsencrypt-auto-source/letsencrypt-auto.sig \ + letsencrypt-auto-source/letsencrypt-auto ; then + echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH" + echo please fix that and re-run +fi + + SetVersion() { ver="$1" for pkg_dir in $SUBPKGS @@ -112,6 +123,7 @@ do cd - done + mkdir "dist.$version" mv dist "dist.$version/letsencrypt" for pkg_dir in $SUBPKGS From 7cfb10ba27cb7ae322edb8f81fab909867441184 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sun, 10 Jan 2016 23:12:48 -0800 Subject: [PATCH 2/7] These signatures should be in git --- letsencrypt-auto-source/letsencrypt-auto.sig | Bin 0 -> 256 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 letsencrypt-auto-source/letsencrypt-auto.sig diff --git a/letsencrypt-auto-source/letsencrypt-auto.sig b/letsencrypt-auto-source/letsencrypt-auto.sig new file mode 100644 index 0000000000000000000000000000000000000000..fb506192ef7acbb10108b61c1316e49c95ef61e8 GIT binary patch literal 256 zcmV+b0ssEJGl2Gn_~YU#dGI-^Lc7_m6k4IVwG`UW#cB)BTJLa(xYM*HS1Z9=PfI7J z9Kis?O}poysJeZr+Jn@dD#roxlBvQ>D?hNec99NuaF&*<#Y4;K6HiV1A zo)Bi^(8G;g^KrN#grE3{bUH4GeW?2EibWfc1$Nx?y#4$7>u)wkEWvtWBTi2xB>;B*^iwL{@;Q#+Vgp-*Ij|xj~}FxT*VD z1V~@Hk*+TJr7a@}ZfhBsVqzXW>3@WI9s%Kt;5E&-OLZrc0 Date: Sun, 10 Jan 2016 23:14:44 -0800 Subject: [PATCH 3/7] helpful documentation --- tools/half-sign.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/half-sign.c b/tools/half-sign.c index 454201799..b4ab99e4c 100644 --- a/tools/half-sign.c +++ b/tools/half-sign.c @@ -9,6 +9,9 @@ // This program can be used to perform RSA public key signatures given only // the hash of the file to be signed as input. +// To compile: +// gcc half-sign.c -lssl -lcrypto -o half-sign + // Sign with SHA1 #define HASH_SIZE 20 From bbd53d6d7d803cd02afd6d26b0ad4ed3266bd21b Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sun, 10 Jan 2016 23:15:29 -0800 Subject: [PATCH 4/7] Ensure we have an leauto signature before releasing --- tools/release.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tools/release.sh b/tools/release.sh index 2d427d49d..61506f79e 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -81,11 +81,18 @@ if [ "$RELEASE_BRANCH" != "candidate-$version" ] ; then fi git checkout "$RELEASE_BRANCH" -if ! openssl dgst -sha1 -verify $RELEASE_OPENSSL_KEY -signature \ +# ensure we have the latest built version of leauto +letsencrypt-auto-source/build.py + +# and that it's signed correctly +if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_KEY -signature \ letsencrypt-auto-source/letsencrypt-auto.sig \ letsencrypt-auto-source/letsencrypt-auto ; then echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH" echo please fix that and re-run + exit 1 +else + echo Signature check on letsencrypt-auto successful fi From 0c09eaff3c8ebeb3bdee1d13761c633abcffec07 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sun, 10 Jan 2016 23:18:19 -0800 Subject: [PATCH 5/7] Switch to real release key (though this is still a test signature) --- letsencrypt-auto-source/letsencrypt-auto | 15 +++++++++++++-- letsencrypt-auto-source/letsencrypt-auto.sig | Bin 256 -> 256 bytes letsencrypt-auto-source/pieces/fetch.py | 15 +++++++++++++-- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index dfefe1c46..3ae182853 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -1656,6 +1656,7 @@ from sys import argv, exit from urllib2 import build_opener, HTTPHandler, HTTPSHandler, HTTPError +#test PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnwHkSuCSy3gIHawaCiIe 4ilJ5kfEmSoiu50uiimBhTESq1JG2gVqXVXFxxVgobGhahSF+/iRVp3imrTtGp1B @@ -1670,8 +1671,18 @@ q958HnzFpZiQZAqZYtOHaiQiaHPs/36ZN0HuOEy0zM9FEHbp4V/DEn4pNCfAmRY5 3v+3nIBhgiLdlM7cV9559aDNeutF25n1Uz2kvuSVSS94qTEmlteCPZGBQb9Rr2wn I2OU8tPRzqKdQ6AwS9wvqscCAwEAAQ== -----END PUBLIC KEY----- -""") # TODO: Replace with real one. - +""") +# real +PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq +OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18 +xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp +9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij +n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH +cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+ +CQIDAQAB +-----END PUBLIC KEY----- +""") class ExpectedError(Exception): """A novice-readable exception that also carries the original exception for diff --git a/letsencrypt-auto-source/letsencrypt-auto.sig b/letsencrypt-auto-source/letsencrypt-auto.sig index fb506192ef7acbb10108b61c1316e49c95ef61e8..7db9da58e067d7e48975769a81e467cb06234515 100644 GIT binary patch literal 256 zcmV+b0ssE6R`Nfv8?!-f+CE*@!S0ACLy{E|JU%tqM7iG<#6M@Em3w}HKKYC`bS}vU z?tho}W5otLnsyNAzcq4|hTYh=T4~PtnG(4zn1eAn*g16JvDb7epvvsQrug@k2A43S zy^l@bGyvyzkqA6eWW<{1OppQsGomAa!R!SuP2jT@@T+4;Q9;JX*VG(&_n`oA2v^l( zDnkV5lw?Gtc&~2`EE~cMe(|$75%?VS?Tr<-1V5HGOpA5rpuzv_&_sD?hNec99NuaF&*<#Y4;K6HiV1A zo)Bi^(8G;g^KrN#grE3{bUH4GeW?2EibWfc1$Nx?y#4$7>u)wkEWvtWBTi2xB>;B*^iwL{@;Q#+Vgp-*Ij|xj~}FxT*VD z1V~@Hk*+TJr7a@}ZfhBsVqzXW>3@WI9s%Kt;5E&-OLZrc0 Date: Sun, 10 Jan 2016 23:22:04 -0800 Subject: [PATCH 6/7] Add tool for requesting & handling offline signatures --- tools/offline-sigrequest.sh | 51 +++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100755 tools/offline-sigrequest.sh diff --git a/tools/offline-sigrequest.sh b/tools/offline-sigrequest.sh new file mode 100755 index 000000000..ca349f629 --- /dev/null +++ b/tools/offline-sigrequest.sh @@ -0,0 +1,51 @@ +#!/bin/bash + +set -o errexit + +if ! `which festival > /dev/null` ; then + echo Please install \'festival\'! + exit 1 +fi + +function sayhash { # $1 <-- HASH ; $2 <---SIGFILEBALL + while read -p "Press Enter to read the hash aloud or type 'done': " INP && [ "$INP" = "" ] ; do + cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.5)"; \ + echo -n '(SayText "'; \ + sha1sum | cut -c1-40 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \ + echo '")' ) | festival + done + + echo 'Paste in the data from the QR code, then type Ctrl-D:' + cat > $2 +} + +function offlinesign { # $1 <-- INPFILE ; $2 <---SIGFILE + echo HASH FOR SIGNING: + SIGFILEBALL="$2.lzma.base64" + #echo "(place the resulting raw binary signature in $SIGFILEBALL)" + sha1sum $1 + echo metahash for confirmation only $(sha1sum $1 |cut -d' ' -f1 | tr -d '\n' | sha1sum | cut -c1-6) ... + echo + sayhash $1 $SIGFILEBALL +} + +function oncesigned { # $1 <-- INPFILE ; $2 <--SIGFILE + SIGFILEBALL="$2.lzma.base64" + cat $SIGFILEBALL | tr -d '\r' | base64 -d | unlzma -c > $2 || exit 1 + if ! [ -f $2 ] ; then + echo "Failed to find $2"'!' + exit 1 + fi + + if file $2 | grep -qv " data" ; then + echo "WARNING WARNING $2 does not look like a binary signature:" + echo `file $2` + exit 1 + fi +} + +HERE=`dirname $0` +LEAUTO="`realpath $HERE`/../letsencrypt-auto-source/letsencrypt-auto" +SIGFILE="$LEAUTO".sig +offlinesign $LEAUTO $SIGFILE +oncesigned $LEAUTO $SIGFILE From e17bb2750877801b15fc914599152a36cb592c0b Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 11 Jan 2016 09:19:21 -0800 Subject: [PATCH 7/7] Remove test key --- letsencrypt-auto-source/pieces/fetch.py | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/letsencrypt-auto-source/pieces/fetch.py b/letsencrypt-auto-source/pieces/fetch.py index bf270cdc4..39ff7777c 100644 --- a/letsencrypt-auto-source/pieces/fetch.py +++ b/letsencrypt-auto-source/pieces/fetch.py @@ -19,24 +19,6 @@ from subprocess import check_call, CalledProcessError from sys import argv, exit from urllib2 import build_opener, HTTPHandler, HTTPSHandler, HTTPError - -#test -PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnwHkSuCSy3gIHawaCiIe -4ilJ5kfEmSoiu50uiimBhTESq1JG2gVqXVXFxxVgobGhahSF+/iRVp3imrTtGp1B -2heoHbELnPTTZ8E36WHKf4gkLEo0y0XgOP3oBJ9IM5q8J68x0U3Q3c+kTxd/sgww -s5NVwpjw4aAZhgDPe5u+rvthUYOD1whYUANgYvooCpV4httNv5wuDjo7SG2V797T -QTE8aG3AOhWzdsLm6E6Tl2o/dR6XKJi/RMiXIk53SzArimtAJXe/1GyADe1AgIGE -33Ja3hU3uu9lvnnkowy1VI0qvAav/mu/APahcWVYkBAvSVAhH3zGNAGZUnP2zfcP -rH7OPw/WrxLVGlX4trLnvQr1wzX7aiM2jdikcMiaExrP0JfQXPu00y3c+hjOC5S0 -+E5P+e+8pqz5iC5mmvEqy2aQJ6pV7dSpYX3mcDs8pCYaVXXtCPXS1noWirCcqCMK -EHGGdJCTXXLHaWUaGQ9Gx1An1gU7Ljkkji2Al65ZwYhkFowsLfuniYKuAywRrCNu -q958HnzFpZiQZAqZYtOHaiQiaHPs/36ZN0HuOEy0zM9FEHbp4V/DEn4pNCfAmRY5 -3v+3nIBhgiLdlM7cV9559aDNeutF25n1Uz2kvuSVSS94qTEmlteCPZGBQb9Rr2wn -I2OU8tPRzqKdQ6AwS9wvqscCAwEAAQ== ------END PUBLIC KEY----- -""") -# real PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18