Always sign certbot-auto with a yubikey (#8600)

* always sign certbot-auto with the yubikey * remove tools/offline-sigrequest.sh
2026-06-14 19:20:09 -04:00 · 2021-01-12 13:45:26 -08:00 · 2021-01-12 13:45:26 -08:00 · b9de48e93e
commit b9de48e93e
parent 7a02deeeba
2 changed files with 4 additions and 63 deletions
--- a/tools/_release.sh
+++ b/tools/_release.sh
@ -216,18 +216,10 @@ fi
 # ensure we have the latest built version of leauto
 letsencrypt-auto-source/build.py

-# Now we have to sign the built version of leauto. If
-# RELEASE_OPENSSL_WITH_YUBIKEY is set, try to use the yubikey to sign
-# letsencrypt-auto, otherwise, use tools/offline-sigrequest.sh.
-if [ -n "$RELEASE_OPENSSL_WITH_YUBIKEY" ]; then
-    SignLEAuto() {
-        yubico-piv-tool -a verify-pin --sign -s 9c -i letsencrypt-auto-source/letsencrypt-auto -o letsencrypt-auto-source/letsencrypt-auto.sig
-    }
-else
-    SignLEAuto() {
-        tools/offline-sigrequest.sh
-    }
-fi
+# Now we have to sign the built version of leauto.
+SignLEAuto() {
+    yubico-piv-tool -a verify-pin --sign -s 9c -i letsencrypt-auto-source/letsencrypt-auto -o letsencrypt-auto-source/letsencrypt-auto.sig
+}

 # Loop until letsencrypt-auto is signed correctly.
 SignLEAuto || true
--- a/tools/offline-sigrequest.sh
+++ b/tools/offline-sigrequest.sh
@ -1,51 +0,0 @@
-#!/bin/bash
-
-set -o errexit
-
-function sayhash { # $1 <-- HASH ; $2 <---SIGFILEBALL
-  while read -p "Press Enter to read the hash aloud or type 'done':  " INP && [ "$INP" = "" ] ; do
-    if ! `which festival > /dev/null` ; then
-      echo \`festival\` is not installed!
-      echo Please install it to read the hash aloud
-    else
-      cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.8)"; \
-                  echo -n '(SayText "'; \
-                  sha256sum | cut -c1-64 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \
-                  echo '")' ) | festival
-    fi
-  done
-
-  echo 'Paste in the data from the QR code, then type Ctrl-D:'
-  cat > $2
-}
-
-function offlinesign {  # $1 <-- INPFILE ; $2 <---SIGFILE
-  echo HASH FOR SIGNING:
-  SIGFILEBALL="$2.lzma.base64"
-  #echo "(place the resulting raw binary signature in $SIGFILEBALL)"
-  sha256sum $1
-  echo metahash for confirmation only $(sha256sum $1   |cut -d' ' -f1 | tr -d '\n' | sha256sum  | cut -c1-6) ...
-  echo
-  sayhash $1 $SIGFILEBALL
-}
-
-function oncesigned { # $1 <-- INPFILE ; $2 <--SIGFILE
-  SIGFILEBALL="$2.lzma.base64"
-  cat $SIGFILEBALL | tr -d '\r' | base64 -d | unlzma -c > $2 || exit 1
-  if ! [ -f $2 ] ; then
-    echo "Failed to find $2"'!'
-    exit 1
-  fi
-
-  if file $2 | grep -qv " data" ; then
-    echo "WARNING WARNING $2 does not look like a binary signature:"
-    echo `file $2`
-    exit 1
-  fi
-}
-
-HERE=`dirname $0`
-LEAUTO="`realpath $HERE`/../letsencrypt-auto-source/letsencrypt-auto"
-SIGFILE="$LEAUTO".sig
-offlinesign $LEAUTO $SIGFILE
-oncesigned $LEAUTO $SIGFILE