Ensure a SHA2 hash algorithm is used when signing releases (#4384) (#4396)

* use gpg2

* explicitly use sha256

(cherry picked from commit bf45cea7cd)
Brad Warren 2017-03-22 14:24:42 -07:00 committed by GitHub
parent d785fe8ae9
commit f1322d9335


@ -109,7 +109,7 @@ do
echo "Signing ($pkg_dir)"
for x in dist/*.tar.gz dist/*.whl
do
gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign $x
gpg2 -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign --digest-algo sha256 $x
done
cd -
@ -194,7 +194,7 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
done
# This signature is not quite as strong, but easier for people to verify out of band
gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign letsencrypt-auto-source/letsencrypt-auto
gpg2 -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign --digest-algo sha256 letsencrypt-auto-source/letsencrypt-auto
# We can't rename the openssl letsencrypt-auto.sig for compatibility reasons,
# but we can use the right name for certbot-auto.asc from day one
mv letsencrypt-auto-source/letsencrypt-auto.asc letsencrypt-auto-source/certbot-auto.asc
@ -214,7 +214,7 @@ name=${root_without_le%.*}
ext="${root_without_le##*.}"
rev="$(git rev-parse --short HEAD)"
echo tar cJvf $name.$rev.tar.xz $name.$rev
echo gpg -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz
echo gpg2 -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz
cd ~-
echo "New root: $root"
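Review bot: The echoed gpg2 command in the last hunk still omits `--digest-algo sha256`, so the signing instruction it prints for the `$name.$rev.tar.xz` tarball does not carry the SHA-2 guarantee the commit title promises, while the two executed gpg2 calls in the earlier hunks do; it also passes `-U` where those calls use `-u` (gpg's `--local-user`), which looks like a typo since `-U` does not appear to be a gpg option. Because this line is meant to be copied and run by hand, the printed command should match the executed ones: `echo gpg2 -u "$RELEASE_GPG_KEY" --detach-sign --armor --digest-algo sha256 $name.$rev.tar.xz`. In the first hunk the loop variable is still passed unquoted (`--sign --digest-algo sha256 $x`); that is pre-existing and harmless for the fixed `dist/*` globs, but quoting it as `"$x"` while the line is being touched costs nothing. The enclosing script body starts and continues outside these hunks.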