Upgrade half-sign to sha256. Bring back old le-auto temporarily. Improve le-auto's option parsing.

If the new le-auto works well in the minutes or hours after release, we'll make another commit to master that removes the old le-auto and bootstrap scripts.

Close https://github.com/erikrose/letsencrypt/pull/2.

bootstrap/_arch_common.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Tested with:
+#   - ArchLinux (x86_64)
+#
+# "python-virtualenv" is Python3, but "python2-virtualenv" provides
+# only "virtualenv2" binary, not "virtualenv" necessary in
+# ./bootstrap/dev/_common_venv.sh
+
+deps="
+  python2
+  python-virtualenv
+  gcc
+  dialog
+  augeas
+  openssl
+  libffi
+  ca-certificates
+  pkg-config
+"
+
+missing=$(pacman -T $deps)
+
+if [ "$missing" ]; then
+  pacman -S --needed $missing
+fi

bootstrap/_deb_common.sh

@@ -0,0 +1,94 @@
+#!/bin/sh
+
+# Current version tested with:
+#
+# - Ubuntu
+#     - 14.04 (x64)
+#     - 15.04 (x64)
+# - Debian
+#     - 7.9 "wheezy" (x64)
+#     - sid (2015-10-21) (x64)
+
+# Past versions tested with:
+#
+# - Debian 8.0 "jessie" (x64)
+# - Raspbian 7.8 (armhf)
+
+# Believed not to work:
+#
+# - Debian 6.0.10 "squeeze" (x64)
+
+apt-get update
+
+# virtualenv binary can be found in different packages depending on
+# distro version (#346)
+
+virtualenv=
+if apt-cache show virtualenv > /dev/null 2>&1; then
+  virtualenv="virtualenv"
+fi
+
+if apt-cache show python-virtualenv > /dev/null 2>&1; then
+  virtualenv="$virtualenv python-virtualenv"
+fi
+
+augeas_pkg="libaugeas0 augeas-lenses"
+AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2`
+
+AddBackportRepo() {
+    # ARGS:
+    BACKPORT_NAME="$1"
+    BACKPORT_SOURCELINE="$2"
+    if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q "$BACKPORT_NAME" ; then
+        # This can theoretically error if sources.list.d is empty, but in that case we don't care.
+        if ! grep -v -e ' *#' /etc/apt/sources.list.d/* 2>/dev/null | grep -q "$BACKPORT_NAME"; then
+            /bin/echo -n "Installing augeas from $BACKPORT_NAME in 3 seconds..."
+            sleep 1s
+            /bin/echo -ne "\e[0K\rInstalling augeas from $BACKPORT_NAME in 2 seconds..."
+            sleep 1s
+            /bin/echo -e "\e[0K\rInstalling augeas from $BACKPORT_NAME in 1 second ..."
+            sleep 1s
+            if echo $BACKPORT_NAME | grep -q wheezy ; then
+                /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")'
+            fi
+
+            echo $BACKPORT_SOURCELINE >> /etc/apt/sources.list.d/"$BACKPORT_NAME".list
+            apt-get update
+        fi
+    fi
+    apt-get install -y --no-install-recommends -t "$BACKPORT_NAME" $augeas_pkg
+    augeas_pkg=
+
+}
+
+
+if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then
+    if lsb_release -a | grep -q wheezy ; then
+        AddBackportRepo wheezy-backports "deb http://http.debian.net/debian wheezy-backports main"
+    elif lsb_release -a | grep -q precise ; then
+        # XXX add ARM case
+        AddBackportRepo precise-backports "deb http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse"
+    else
+        echo "No libaugeas0 version is available that's new enough to run the"
+        echo "Let's Encrypt apache plugin..."
+    fi
+    # XXX add a case for ubuntu PPAs
+fi
+
+apt-get install -y --no-install-recommends \
+  python \
+  python-dev \
+  $virtualenv \
+  gcc \
+  dialog \
+  $augeas_pkg \
+  libssl-dev \
+  libffi-dev \
+  ca-certificates \
+
+
+
+if ! command -v virtualenv > /dev/null ; then
+  echo Failed to install a working \"virtualenv\" command, exiting
+  exit 1
+fi

bootstrap/_gentoo_common.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+PACKAGES="
+  dev-lang/python:2.7
+  dev-python/virtualenv
+  dev-util/dialog
+  app-admin/augeas
+  dev-libs/openssl
+  dev-libs/libffi
+  app-misc/ca-certificates
+  virtual/pkgconfig"
+
+case "$PACKAGE_MANAGER" in
+  (paludis)
+    cave resolve --keep-targets if-possible $PACKAGES -x
+    ;;
+  (pkgcore)
+    pmerge --noreplace $PACKAGES
+    ;;
+  (portage|*)
+    emerge --noreplace $PACKAGES
+    ;;
+esac

bootstrap/_rpm_common.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# Tested with:
+#   - Fedora 22, 23 (x64)
+#   - Centos 7 (x64: on DigitalOcean droplet)
+
+if type dnf 2>/dev/null
+then
+  tool=dnf
+elif type yum 2>/dev/null
+then
+  tool=yum
+
+else
+  echo "Neither yum nor dnf found. Aborting bootstrap!"
+  exit 1
+fi
+
+# Some distros and older versions of current distros use a "python27"
+# instead of "python" naming convention. Try both conventions.
+if ! $tool install -y \
+       python \
+       python-devel \
+       python-virtualenv
+then
+  if ! $tool install -y \
+         python27 \
+         python27-devel \
+         python27-virtualenv
+  then
+    echo "Could not install Python dependencies. Aborting bootstrap!"
+    exit 1
+  fi
+fi
+
+if ! $tool install -y \
+       gcc \
+       dialog \
+       augeas-libs \
+       openssl-devel \
+       libffi-devel \
+       redhat-rpm-config \
+       ca-certificates
+then
+    echo "Could not install additional dependencies. Aborting bootstrap!"
+    exit 1
+fi
+
+
+if $tool list installed "httpd" >/dev/null 2>&1; then
+  if ! $tool install -y mod_ssl
+  then
+    echo "Apache found, but mod_ssl could not be installed."
+  fi
+fi

bootstrap/_suse_common.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# SLE12 don't have python-virtualenv
+
+zypper -nq in -l \
+  python \
+  python-devel \
+  python-virtualenv \
+  gcc \
+  dialog \
+  augeas-lenses \
+  libopenssl-devel \
+  libffi-devel \
+  ca-certificates \

bootstrap/archlinux.sh

@@ -0,0 +1 @@
+_arch_common.sh

bootstrap/centos.sh

@@ -0,0 +1 @@
+_rpm_common.sh

bootstrap/debian.sh

@@ -0,0 +1 @@
+_deb_common.sh

bootstrap/fedora.sh

@@ -0,0 +1 @@
+_rpm_common.sh

bootstrap/freebsd.sh

@@ -0,0 +1,7 @@
+#!/bin/sh -xe
+
+pkg install -Ay \
+  python \
+  py27-virtualenv \
+  augeas \
+  libffi \

bootstrap/gentoo.sh

@@ -0,0 +1 @@
+_gentoo_common.sh

bootstrap/install-deps.sh

@@ -0,0 +1,46 @@
+#!/bin/sh -e
+#
+# Install OS dependencies.  In the glorious future, letsencrypt-auto will
+# source this...
+
+if test "`id -u`" -ne "0" ; then
+  SUDO=sudo
+else
+  SUDO=
+fi
+
+BOOTSTRAP=`dirname $0`
+if [ ! -f $BOOTSTRAP/debian.sh ] ; then
+  echo "Cannot find the letsencrypt bootstrap scripts in $BOOTSTRAP"
+  exit 1
+fi
+if [ -f /etc/debian_version ] ; then
+  echo "Bootstrapping dependencies for Debian-based OSes..."
+  $SUDO $BOOTSTRAP/_deb_common.sh
+elif [ -f /etc/arch-release ] ; then
+  echo "Bootstrapping dependencies for Archlinux..."
+  $SUDO $BOOTSTRAP/archlinux.sh
+elif [ -f /etc/redhat-release ] ; then
+  echo "Bootstrapping dependencies for RedHat-based OSes..."
+  $SUDO $BOOTSTRAP/_rpm_common.sh
+elif [ -f /etc/gentoo-release ] ; then
+  echo "Bootstrapping dependencies for Gentoo-based OSes..."
+  $SUDO $BOOTSTRAP/_gentoo_common.sh
+elif uname | grep -iq FreeBSD ; then
+  echo "Bootstrapping dependencies for FreeBSD..."
+  $SUDO $BOOTSTRAP/freebsd.sh
+elif `grep -qs openSUSE /etc/os-release` ; then
+  echo "Bootstrapping dependencies for openSUSE.."
+  $SUDO $BOOTSTRAP/suse.sh
+elif uname | grep -iq Darwin ; then
+  echo "Bootstrapping dependencies for Mac OS X..."
+  echo "WARNING: Mac support is very experimental at present..."
+  $BOOTSTRAP/mac.sh
+else
+  echo "Sorry, I don't know how to bootstrap Let's Encrypt on your operating system!"
+  echo
+  echo "You will need to bootstrap, configure virtualenv, and run a pip install manually"
+  echo "Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites"
+  echo "for more info"
+  exit 1
+fi

bootstrap/mac.sh

@@ -0,0 +1,18 @@
+#!/bin/sh -e
+if ! hash brew 2>/dev/null; then
+    echo "Homebrew Not Installed\nDownloading..."
+    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
+fi
+
+brew install augeas
+brew install dialog
+
+if ! hash pip 2>/dev/null; then
+    echo "pip Not Installed\nInstalling python from Homebrew..."
+    brew install python
+fi
+
+if ! hash virtualenv 2>/dev/null; then
+    echo "virtualenv Not Installed\nInstalling with pip"
+    pip install virtualenv
+fi

bootstrap/manjaro.sh

@@ -0,0 +1 @@
+_arch_common.sh

bootstrap/suse.sh

@@ -0,0 +1 @@
+_suse_common.sh

bootstrap/ubuntu.sh

@@ -0,0 +1 @@
+_deb_common.sh

letsencrypt-auto

@@ -0,0 +1,204 @@
+#!/bin/sh -e
+#
+# A script to run the latest release version of the Let's Encrypt in a
+# virtual environment
+#
+# Installs and updates the letencrypt virtualenv, and runs letsencrypt
+# using that virtual environment.  This allows the client to function decently
+# without requiring specific versions of its dependencies from the operating
+# system.
+
+# Note: you can set XDG_DATA_HOME or VENV_PATH before running this script,
+# if you want to change where the virtual environment will be installed
+XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share}
+VENV_NAME="letsencrypt"
+VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"}
+VENV_BIN=${VENV_PATH}/bin
+# The path to the letsencrypt-auto script.  Everything that uses these might
+# at some point be inlined...
+LEA_PATH=`dirname "$0"`
+BOOTSTRAP=${LEA_PATH}/bootstrap
+
+# This script takes the same arguments as the main letsencrypt program, but it
+# additionally responds to --verbose (more output) and --debug (allow support
+# for experimental platforms)
+for arg in "$@" ; do
+  # This first clause is redundant with the third, but hedging on portability
+  if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then
+    VERBOSE=1
+  elif [ "$arg" = "--debug" ] ; then
+    DEBUG=1
+  fi
+done
+
+# letsencrypt-auto needs root access to bootstrap OS dependencies, and
+# letsencrypt itself needs root access for almost all modes of operation
+# The "normal" case is that sudo is used for the steps that need root, but
+# this script *can* be run as root (not recommended), or fall back to using
+# `su`
+if test "`id -u`" -ne "0" ; then
+  if command -v sudo 1>/dev/null 2>&1; then
+    SUDO=sudo
+  else
+    echo \"sudo\" is not available, will use \"su\" for installation steps...
+    # Because the parameters in `su -c` has to be a string,
+    # we need properly escape it
+    su_sudo() {
+      args=""
+      # This `while` loop iterates over all parameters given to this function.
+      # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
+      # will be wrapped in a pair of `'`, then appended to `$args` string
+      # For example, `echo "It's only 1\$\!"` will be escaped to:
+      #   'echo' 'It'"'"'s only 1$!'
+      #     │       │└┼┘│
+      #     │       │ │ └── `'s only 1$!'` the literal string
+      #     │       │ └── `\"'\"` is a single quote (as a string)
+      #     │       └── `'It'`, to be concatenated with the strings following it
+      #     └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
+      while [ $# -ne 0 ]; do
+        args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
+        shift
+      done
+      su root -c "$args"
+    }
+    SUDO=su_sudo
+  fi
+else
+  SUDO=
+fi
+
+ExperimentalBootstrap() {
+  # Arguments: Platform name, boostrap script name, SUDO command (iff needed)
+  if [ "$DEBUG" = 1 ] ; then
+    if [ "$2" != "" ]  ; then
+      echo "Bootstrapping dependencies for $1..."
+      if [ "$3" != "" ] ; then
+        "$3" "$BOOTSTRAP/$2"
+      else
+        "$BOOTSTRAP/$2"
+      fi
+    fi
+  else
+    echo "WARNING: $1 support is very experimental at present..."
+    echo "if you would like to work on improving it, please ensure you have backups"
+    echo "and then run this script again with the --debug flag!"
+    exit 1
+  fi
+}
+
+DeterminePythonVersion() {
+  if command -v python2.7 > /dev/null ; then
+    export LE_PYTHON=${LE_PYTHON:-python2.7}
+  elif command -v python27 > /dev/null ; then
+    export LE_PYTHON=${LE_PYTHON:-python27}
+  elif command -v python2 > /dev/null ; then
+    export LE_PYTHON=${LE_PYTHON:-python2}
+  elif command -v python > /dev/null ; then
+    export LE_PYTHON=${LE_PYTHON:-python}
+  else
+    echo "Cannot find any Pythons... please install one!"
+    exit 1
+  fi
+
+  PYVER=`$LE_PYTHON --version 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'`
+  if [ $PYVER -eq 26 ] ; then
+    ExperimentalBootstrap "Python 2.6"
+  elif [ $PYVER -lt 26 ] ; then
+    echo "You have an ancient version of Python entombed in your operating system..."
+    echo "This isn't going to work; you'll need at least version 2.6."
+    exit 1
+  fi
+}
+
+
+# virtualenv call is not idempotent: it overwrites pip upgraded in
+# later steps, causing "ImportError: cannot import name unpack_url"
+if [ ! -d $VENV_PATH ]
+then
+  if [ ! -f $BOOTSTRAP/debian.sh ] ; then
+    echo "Cannot find the letsencrypt bootstrap scripts in $BOOTSTRAP"
+    exit 1
+  fi
+
+  if [ -f /etc/debian_version ] ; then
+    echo "Bootstrapping dependencies for Debian-based OSes..."
+    $SUDO $BOOTSTRAP/_deb_common.sh
+  elif [ -f /etc/redhat-release ] ; then
+    echo "Bootstrapping dependencies for RedHat-based OSes..."
+    $SUDO $BOOTSTRAP/_rpm_common.sh
+  elif `grep -q openSUSE /etc/os-release` ; then
+    echo "Bootstrapping dependencies for openSUSE-based OSes..."
+    $SUDO $BOOTSTRAP/_suse_common.sh
+  elif [ -f /etc/arch-release ] ; then
+    if [ "$DEBUG" = 1 ] ; then
+      echo "Bootstrapping dependencies for Archlinux..."
+      $SUDO $BOOTSTRAP/archlinux.sh
+    else
+      echo "Please use pacman to install letsencrypt packages:"
+      echo "# pacman -S letsencrypt letsencrypt-apache"
+      echo
+      echo "If you would like to use the virtualenv way, please run the script again with the"
+      echo "--debug flag."
+      exit 1
+    fi
+  elif [ -f /etc/manjaro-release ] ; then
+    ExperimentalBootstrap "Manjaro Linux" manjaro.sh "$SUDO"
+  elif [ -f /etc/gentoo-release ] ; then
+    ExperimentalBootstrap "Gentoo" _gentoo_common.sh "$SUDO"
+  elif uname | grep -iq FreeBSD ; then
+    ExperimentalBootstrap "FreeBSD" freebsd.sh "$SUDO"
+  elif uname | grep -iq Darwin ; then
+    ExperimentalBootstrap "Mac OS X" mac.sh # homebrew doesn't normally run as root
+  elif grep -iq "Amazon Linux" /etc/issue ; then
+    ExperimentalBootstrap "Amazon Linux" _rpm_common.sh "$SUDO"
+  else
+    echo "Sorry, I don't know how to bootstrap Let's Encrypt on your operating system!"
+    echo
+    echo "You will need to bootstrap, configure virtualenv, and run a pip install manually"
+    echo "Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites"
+    echo "for more info"
+  fi
+
+  DeterminePythonVersion
+  echo "Creating virtual environment..."
+  if [ "$VERBOSE" = 1 ] ; then
+    virtualenv --no-site-packages --python $LE_PYTHON $VENV_PATH
+  else
+    virtualenv --no-site-packages --python $LE_PYTHON $VENV_PATH > /dev/null
+  fi
+else
+  DeterminePythonVersion
+fi
+
+
+printf "Updating letsencrypt and virtual environment dependencies..."
+if [ "$VERBOSE" = 1 ]  ; then
+  echo
+  $VENV_BIN/pip install -U setuptools
+  $VENV_BIN/pip install -U pip
+  $VENV_BIN/pip install -U letsencrypt letsencrypt-apache
+  # nginx is buggy / disabled for now, but upgrade it if the user has
+  # installed it manually
+  if $VENV_BIN/pip freeze | grep -q letsencrypt-nginx ; then
+    $VENV_BIN/pip install -U letsencrypt letsencrypt-nginx
+  fi
+else
+  $VENV_BIN/pip install -U setuptools > /dev/null
+  printf .
+  $VENV_BIN/pip install -U pip > /dev/null
+  printf .
+  # nginx is buggy / disabled for now...
+  $VENV_BIN/pip install -U letsencrypt > /dev/null
+  printf .
+  $VENV_BIN/pip install -U letsencrypt-apache > /dev/null
+  if $VENV_BIN/pip freeze | grep -q letsencrypt-nginx ; then
+    printf .
+    $VENV_BIN/pip install -U letsencrypt-nginx > /dev/null
+  fi
+  echo
+fi
+
+# Explain what's about to happen, for the benefit of those getting sudo
+# password prompts...
+echo "Requesting root privileges to run with virtualenv:" $SUDO $VENV_BIN/letsencrypt "$@"
+$SUDO $VENV_BIN/letsencrypt "$@"

letsencrypt-auto-source/letsencrypt-auto.template

@@ -2,8 +2,14 @@
 #
 # Download and run the latest release version of the Let's Encrypt client.
 #
-# WARNING: "letsencrypt-auto" IS A GENERATED FILE. EDIT
-# letsencrypt-auto.template INSTEAD.
+# NOTE: THIS SCRIPT IS AUTO-GENERATED AND SELF-UPDATING
+#
+# IF YOU WANT TO EDIT IT LOCALLY, *ALWAYS* RUN YOUR COPY WITH THE
+# "--no-self-upgrade" FLAG
+#
+# IF YOU WANT TO SEND PULL REQUESTS, THE REAL SOURCE FOR THIS FILE IS
+# letsencrypt-auto-source/letsencrypt-auto.template AND
+# letsencrypt-auto-source/pieces/bootstrappers/*
 
 set -e  # Work even if somebody does "sh thisscript.sh".
 
@@ -15,6 +21,24 @@ VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"}
 VENV_BIN=${VENV_PATH}/bin
 LE_AUTO_VERSION="{{ LE_AUTO_VERSION }}"
 
+# This script takes the same arguments as the main letsencrypt program, but it
+# additionally responds to --verbose (more output) and --debug (allow support
+# for experimental platforms)
+for arg in "$@" ; do
+  # This first clause is redundant with the third, but hedging on portability
+  if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then
+    VERBOSE=1
+  elif [ "$arg" = "--no-self-upgrade" ] ; then
+    # Do not upgrade this script (also prevents client upgrades, because each
+    # copy of the script pins a hash of the python client)
+    NO_SELF_UPGRADE=1
+  elif [ "$arg" = "--os-packages-only" ] ; then
+    OS_PACKAGES_ONLY=1
+  elif [ "$arg" = "--debug" ]; then
+    DEBUG=1
+  fi
+done
+
 # letsencrypt-auto needs root access to bootstrap OS dependencies, and
 # letsencrypt itself needs root access for almost all modes of operation
 # The "normal" case is that sudo is used for the steps that need root, but
@@ -144,22 +168,11 @@ TempDir() {
   mktemp -d 2>/dev/null || mktemp -d -t 'le'  # Linux || OS X
 }
 
-# This script takes the same arguments as the main letsencrypt program, but it
-# additionally responds to --verbose (more output) and --debug (allow support
-# for experimental platforms)
-for arg in "$@" ; do
-  # This first clause is redundant with the third, but hedging on portability
-  if [ "$arg" = "-v" ] || [ "$arg" = "--verbose" ] || echo "$arg" | grep -E -- "-v+$" ; then
-    VERBOSE=1
-  elif [ "$arg" = "--debug" ]; then
-    DEBUG=1
-  fi
-done
 
-if [ "$1" = "--no-self-upgrade" ]; then
+
+if [ "$NO_SELF_UPGRADE" = 1 ]; then
   # Phase 2: Create venv, install LE, and run.
 
-  shift 1  # the --no-self-upgrade arg
   if [ -f "$VENV_BIN/letsencrypt" ]; then
     INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | cut -d " " -f 2)
   else
@@ -220,7 +233,7 @@ else
     # If it looks like we've never bootstrapped before, bootstrap:
     Bootstrap
   fi
-  if [ "$1" = "--os-packages-only" ]; then
+  if [ "$OS_PACKAGES_ONLY" = 1 ]; then
     echo "OS packages installed."
     exit 0
   fi

letsencrypt-auto-source/tests/auto_test.py

@@ -252,7 +252,7 @@ class AutoTests(TestCase):
         """
         NEW_LE_AUTO = build_le_auto(
                 version='99.9.9',
-                requirements='# sha256: 7NpInQZj4v2dvdCBUYtcBHqVlBfnUmlsKF_oSOzU9zY\n'
+                requirements='# sha256: HMFNYatCTN7kRvUeUPESP4SC7HQFh_54YmyTO7ooc6A\n'
                              'letsencrypt==99.9.9')
         NEW_LE_AUTO_SIG = signed(NEW_LE_AUTO)
 

letsencrypt-auto-source/tests/fake-letsencrypt/letsencrypt.py

@@ -4,5 +4,5 @@ from sys import argv, stderr
 def main():
     """Act like letsencrypt --version insofar as printing the version number to
     stderr."""
-    if len(argv) >= 2 and argv[1] == '--version':
+    if '--version' in argv:
         stderr.write('letsencrypt 99.9.9\n')

letsencrypt/cli.py

@@ -998,6 +998,13 @@ def prepare_and_parse_args(plugins, args):
         "automation", "--duplicate", dest="duplicate", action="store_true",
         help="Allow making a certificate lineage that duplicates an existing one "
              "(both can be renewed in parallel)")
+    helpful.add(
+        "automation", "--os-packages-only", action="store_true",
+        help="(letsencrypt-auto only) install OS package dependencies and then stop")
+    helpful.add(
+        "automation", "--no-self-upgrade", action="store_true",
+        help="(letsencrypt-auto only) prevent the letsencrypt-auto script from"
+             " upgrading itself to newer released versions")
 
     helpful.add_group(
         "testing", description="The following flags are meant for "

tools/half-sign.c

@@ -12,18 +12,18 @@
 // To compile:
 // gcc half-sign.c -lssl -lcrypto -o half-sign
 
-// Sign with SHA1
-#define HASH_SIZE 20
+// Sign with SHA256
+#define HASH_SIZE 32
 
 void usage() {
 	printf("half-sign <private key file> [binary hash file]\n");
 	printf("\n");
-	printf("    Computes and prints a binary RSA signature over data given the SHA1 hash of\n");
+	printf("    Computes and prints a binary RSA signature over data given the SHA256 hash of\n");
 	printf("    the data as input.\n");
 	printf("\n");
 	printf("    <private key file> should be PEM encoded.\n");
 	printf("\n");
-	printf("    The input SHA1 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
+	printf("    The input SHA256 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
 	printf("    specified, it will be read from stdin.\n");
 	exit(1);
 }
@@ -41,7 +41,7 @@ void sign_hashed_data(EVP_PKEY *signing_key, unsigned char *md, size_t mdlen) {
 	if ((!ctx) 
 	|| (EVP_PKEY_sign_init(ctx) <= 0) 
 	|| (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-	|| (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)) {
+	|| (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)) {
 		fprintf(stderr, "Failure establishing ctx for signature\n");
 		exit(1);
 	}
@@ -108,7 +108,7 @@ int main(int argc, char *argv[]) {
 		exit(1);
 	}
 	if (fread(buffer, HASH_SIZE, 1, input) != 1) {
-		perror("half-sign: Failed to read SHA1 from input\n");
+		perror("half-sign: Failed to read SHA256 from input\n");
 		exit(1);
 	}
 

tools/release.sh

@@ -34,8 +34,8 @@ else
     echo Releasing developer version "$version"...
 fi
 
-if [ "$RELEASE_OPENSSL_KEY" = "" ] ; then
-    RELEASE_OPENSSL_KEY="`realpath \`dirname $0\``/eff-pubkey.pem"
+if [ "$RELEASE_OPENSSL_PUBKEY" = "" ] ; then
+    RELEASE_OPENSSL_PUBKEY="`realpath \`dirname $0\``/eff-pubkey.pem"
 fi
 RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
 # Needed to fix problems with git signatures and pinentry
@@ -85,7 +85,7 @@ git checkout "$RELEASE_BRANCH"
 letsencrypt-auto-source/build.py
 
 # and that it's signed correctly
-if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_KEY -signature \
+if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
         letsencrypt-auto-source/letsencrypt-auto.sig \
         letsencrypt-auto-source/letsencrypt-auto            ; then
    echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH"