diff --git a/tools/half-sign.c b/tools/half-sign.c index b4ab99e4c..e56bc397c 100644 --- a/tools/half-sign.c +++ b/tools/half-sign.c @@ -12,18 +12,18 @@ // To compile: // gcc half-sign.c -lssl -lcrypto -o half-sign -// Sign with SHA1 -#define HASH_SIZE 20 +// Sign with SHA256 +#define HASH_SIZE 32 void usage() { printf("half-sign [binary hash file]\n"); printf("\n"); - printf(" Computes and prints a binary RSA signature over data given the SHA1 hash of\n"); + printf(" Computes and prints a binary RSA signature over data given the SHA256 hash of\n"); printf(" the data as input.\n"); printf("\n"); printf(" should be PEM encoded.\n"); printf("\n"); - printf(" The input SHA1 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE); + printf(" The input SHA256 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE); printf(" specified, it will be read from stdin.\n"); exit(1); } @@ -41,7 +41,7 @@ void sign_hashed_data(EVP_PKEY *signing_key, unsigned char *md, size_t mdlen) { if ((!ctx) || (EVP_PKEY_sign_init(ctx) <= 0) || (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) - || (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)) { + || (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)) { fprintf(stderr, "Failure establishing ctx for signature\n"); exit(1); } @@ -108,7 +108,7 @@ int main(int argc, char *argv[]) { exit(1); } if (fread(buffer, HASH_SIZE, 1, input) != 1) { - perror("half-sign: Failed to read SHA1 from input\n"); + perror("half-sign: Failed to read SHA256 from input\n"); exit(1); } diff --git a/tools/release.sh b/tools/release.sh index 61506f79e..0d3aa8808 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -34,8 +34,8 @@ else echo Releasing developer version "$version"... fi -if [ "$RELEASE_OPENSSL_KEY" = "" ] ; then - RELEASE_OPENSSL_KEY="`realpath \`dirname $0\``/eff-pubkey.pem" +if [ "$RELEASE_OPENSSL_PUBKEY" = "" ] ; then + RELEASE_OPENSSL_PUBKEY="`realpath \`dirname $0\``/eff-pubkey.pem" fi RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2} # Needed to fix problems with git signatures and pinentry @@ -85,7 +85,7 @@ git checkout "$RELEASE_BRANCH" letsencrypt-auto-source/build.py # and that it's signed correctly -if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_KEY -signature \ +if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \ letsencrypt-auto-source/letsencrypt-auto.sig \ letsencrypt-auto-source/letsencrypt-auto ; then echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH"