Support openssl and gpg signatures in parallel

2026-01-26 07:41:33 +03:00 · 2016-05-11 15:56:10 -07:00
parent 37efe30675
commit 407ebad36e
2 changed files with 5 additions and 2 deletions
--- a/README.rst
+++ b/README.rst
@@ -37,9 +37,9 @@ from your OS and puts others in a python virtual environment::
 .. hint:: The certbot-auto download is protected by HTTPS, which is pretty good, but if you'd like to
          double check the integrity of the ``certbot-auto`` script, you can use these steps for verification before running it::

-            user@server:~$ wget https://dl.eff.org/certbot-auto.sig
+            user@server:~$ wget https://dl.eff.org/certbot-auto.asc
            user@server:~$ gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
-            user@server:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.sig certbot-auto
+            user@server:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto

 And for full command line help, you can type::

--- a/tools/release.sh
+++ b/tools/release.sh
@@ -187,6 +187,9 @@ while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
   read -p "Please correctly sign letsencrypt-auto with offline-signrequest.sh"
 done

+# This signature is not quite as strong, but easier for people to verify out of band
+gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign letsencrypt-auto-source/letsencrypt-auto
+
 # copy leauto to the root, overwriting the previous release version
 cp -p letsencrypt-auto-source/letsencrypt-auto letsencrypt-auto