From 7a02deeeba4e823c9b947a311fd85a5497a9dd30 Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Mon, 11 Jan 2021 15:41:55 -0800
Subject: [PATCH] Modify release script to support yubikey sig (#8574)

Using `tools/offline-sigrequest.sh` is annoying. A while ago I looked into how we could use our yubikeys for our Windows code signing signatures and in the process of doing that learned how to use them for the certbot-auto signature. The certbot-auto signature won't be needed once https://github.com/certbot/certbot/issues/8526 is resolved and we've implemented that plan which will hopefully be in 2-3 months, but despite that, doing this still felt worth it to me. The script still defaults to using `tools/offline-sign.sh`, but you can set an environment variable to use the yubikey instead. I tested both branches here and it worked.
---
 tools/_release.sh | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/tools/_release.sh b/tools/_release.sh
index e17332f30..d1fe55ae9 100755
--- a/tools/_release.sh
+++ b/tools/_release.sh
@@ -216,8 +216,21 @@ fi
 # ensure we have the latest built version of leauto
 letsencrypt-auto-source/build.py
-# and that it's signed correctly
-tools/offline-sigrequest.sh || true
+# Now we have to sign the built version of leauto. If
+# RELEASE_OPENSSL_WITH_YUBIKEY is set, try to use the yubikey to sign
+# letsencrypt-auto, otherwise, use tools/offline-sigrequest.sh.
+if [ -n "$RELEASE_OPENSSL_WITH_YUBIKEY" ]; then
+ SignLEAuto() {
+ yubico-piv-tool -a verify-pin --sign -s 9c -i letsencrypt-auto-source/letsencrypt-auto -o letsencrypt-auto-source/letsencrypt-auto.sig
+ }
+else
+ SignLEAuto() {
+ tools/offline-sigrequest.sh
+ }
+fi
+
+# Loop until letsencrypt-auto is signed correctly.
+SignLEAuto || true
 while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
 letsencrypt-auto-source/letsencrypt-auto.sig \
 letsencrypt-auto-source/letsencrypt-auto ; do
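Review bot: The yubikey branch of SignLEAuto leaves the digest algorithm implicit: `yubico-piv-tool` is invoked without `-H`, while the verification loop directly below is pinned to `openssl dgst -sha256`, so if the tool's default ever differs the loop can never succeed and the operator only sees the "sign it again" prompt with no hint why. Pass the hash explicitly so signer and verifier stay in step: `yubico-piv-tool -a verify-pin --sign -s 9c -H SHA256 -i letsencrypt-auto-source/letsencrypt-auto -o letsencrypt-auto-source/letsencrypt-auto.sig`. For the same reason a short comment beside `-s 9c` is worth adding, e.g. `# slot 9c must hold the key whose public half is $RELEASE_OPENSSL_PUBKEY`, since a wrong slot or wrong key also just loops. Minor: the commit description says the default path is `tools/offline-sign.sh`, but the code calls `tools/offline-sigrequest.sh`. The `while` verification loop continues past the end of this hunk.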
@@ -225,7 +238,7 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
 read -p "Would you like this script to try and sign it again [Y/n]?" response
 case $response in
 [yY][eE][sS]|[yY]|"")
- tools/offline-sigrequest.sh || true;;
+ SignLEAuto || true;;
 *) ;;
 esac