From 1f8a275000fd2ccecca3e7eb8cbe7bbd34bf12ce Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Thu, 19 Nov 2015 12:41:31 -0800
Subject: [PATCH 01/27] Import dev-release2.sh (not currently public)
---
tools/dev-release2.sh | 51 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100755 tools/dev-release2.sh
diff --git a/tools/dev-release2.sh b/tools/dev-release2.sh
new file mode 100755
index 000000000..3ddacb8f0
--- /dev/null
+++ b/tools/dev-release2.sh
@@ -0,0 +1,51 @@
+#!/bin/sh -xe
+
+# This script should be put into `./tools/dev-release2.sh`, in the repo.
+#
+# 1. Create packages.
+#
+# script -c ./tools/dev-release2.sh log2
+# mv *.tar.xz* dev-releases/
+# mv log2 dev-releases/${version?}.log
+#
+# 2. Test them.
+#
+# Copy stuff to VPS and EFF server:
+#
+# rsync -avzP dev-releases/ le:~/le-dev-releases
+# rsync -avzP dev-releases/ ubuntu@letsencrypt-demo.org:~/le-dev-releases
+#
+# Now test using similar method as in `dev-release.sh` script. On
+# remote server `cd ~/le-dev-releases`, extract tarballs, `cd
+# $dir/dist.$version; python -m SimpleHTTPServer 1234`. In another
+# terminal, outside `le-dev-releases` directory, create new
+# virtualenv, `for pkg in setuptools pip wheel; do pip install -U $pkg; done`,
+# confirm new installed versions by `pip list`, and try
+# to install stuff with `pip install --extra-index-url http://localhost:$PORT
+#`. Then play with the client until you're sure
+# everything works :)
+#
+# 3. Upload.
+#
+# Upload to PyPI using the twine command that was printed earlier.
+#
+# Now, update tags in git:
+#
+# git remote remove tmp || true
+# git remote add tmp /tmp/le.XXX
+# git fetch tmp
+# git push github/letsencrypt v0.0.0.dev$date
+#
+# Create a GitHub issue with the release information, ask someone to
+# pull in the tag.
+
+script --return --command ./tools/dev-release.sh log
+
+root="$(basename `grep -E '^/tmp/le' log | head -n1 | tr -d "\r"`)"
+root_without_le="${root##le.}"
+name=${root_without_le%.*}
+ext="${root_without_le##*.}"
+rev="$(git rev-parse --short HEAD)"
+cp -r /tmp/le.$name.$ext/ $name.$rev
+tar cJvf $name.$rev.tar.xz log $name.$rev
+gpg --detach-sign --armor $name.$rev.tar.xz
From e705502ad014949c8eaebee7b4b5d56c05607f11 Mon Sep 17 00:00:00 2001
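Review bot: The final `gpg --detach-sign --armor $name.$rev.tar.xz` does not name a signing key, so the tarball is signed with whatever key gpg treats as the default on the releaser's machine, and every expansion in the `cp`, `tar` and `gpg` lines is unquoted. `$name` and `$ext` are parsed from the first `/tmp/le` line of `log`, so they should not be assumed free of spaces or glob characters. I would pin the key and quote the operands, e.g. `gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor "$name.$rev.tar.xz"` (assuming the RELEASE_GPG_KEY variable that dev-release.sh uses is made available here) and `cp -r "/tmp/le.$name.$ext/" "$name.$rev"`.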
From: Peter Eckersley
Date: Thu, 19 Nov 2015 13:30:16 -0800
Subject: [PATCH 02/27] This might be useful.
---
tools/half-sign.c | 117 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 117 insertions(+)
create mode 100644 tools/half-sign.c
diff --git a/tools/half-sign.c b/tools/half-sign.c
new file mode 100644
index 000000000..561fa22be
--- /dev/null
+++ b/tools/half-sign.c
@@ -0,0 +1,117 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+// Sign with SHA1
+#define HASH_SIZE 20
+
+void usage() {
+ printf("half-sign [binary hash file]\n");
+ printf("\n");
+ printf(" Computes and prints a binary RSA signature over data given the SHA1 hash of\n");
+ printf(" the data as input.\n");
+ printf("\n");
+ printf(" should be PEM encoded.\n");
+ printf("\n");
+ printf(" The input SHA1 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
+ printf(" specified, it will be read from stdin.\n");
+ exit(1);
+}
+
+void sign_hashed_data(EVP_PKEY *signing_key, unsigned char *md, size_t mdlen) {
+ // cribbed from the openssl EVP_PKEY_sign man page
+ EVP_PKEY_CTX *ctx;
+ unsigned char *sig;
+ size_t siglen;
+
+ /* NB: assumes signing_key, md and mdlen are already set up
+ * and that signing_key is an RSA private key
+ */
+ ctx = EVP_PKEY_CTX_new(signing_key, NULL);
+ if ((!ctx)
+ || (EVP_PKEY_sign_init(ctx) <= 0)
+ || (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
+ || (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)) {
+ fprintf(stderr, "Failure establishing ctx for signature\n");
+ exit(1);
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0) {
+ fprintf(stderr, "Unable to determine buffer length for signature\n");
+ exit(1);
+ }
+
+ sig = OPENSSL_malloc(siglen);
+
+ if (!sig) {
+ fprintf(stderr, "Malloc failed\n");
+ exit(1);
+ }
+
+ if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0) {
+ fprintf(stderr, "Signature error\n");
+ exit(1);
+ }
+
+ /* Signature is siglen bytes written to buffer sig */
+ fwrite(sig, siglen, 1, stdout);
+}
+
+EVP_PKEY *read_private_key(char *filename) {
+ FILE *keyfile;
+ EVP_PKEY *privkey;
+ keyfile = fopen(filename, "r");
+ if (!keyfile) {
+ fprintf(stderr, "Failed to open private key.pem file %s\n", filename);
+ exit(1);
+ }
+ privkey = PEM_read_PrivateKey(keyfile, NULL, NULL, NULL);
+ if (!privkey) {
+ fprintf(stderr, "Failed to read PEM private key from %s\n", filename);
+ exit(1);
+ }
+ if (EVP_PKEY_type(privkey->type) != EVP_PKEY_RSA) {
+ fprintf(stderr, "%s was a non-RSA key\n", filename);
+ exit(1);
+ }
+ return privkey;
+}
+
+int main(int argc, char *argv[]) {
+ FILE *input;
+ unsigned char *buffer;
+ int test;
+ EVP_PKEY *privkey;
+ if (argc > 3 || argc < 2)
+ usage();
+ if (argc < 3 || strcmp(argv[2],"-") == 0)
+ input = stdin;
+ else {
+ input = fopen(argv[2], "r");
+ if (!input) usage();
+ }
+ privkey = read_private_key(argv[1]);
+ buffer = malloc(HASH_SIZE);
+ if (!buffer) {
+ fprintf(stderr, "Argh, malloc failed\n");
+ exit(1);
+ }
+ if (fread(buffer, HASH_SIZE, 1, input) != 1) {
+ perror("half-sign: Failed to read SHA1 from input\n");
+ exit(1);
+ }
+
+ test = fgetc(input);
+ if (test != EOF && test != '\n') {
+ fprintf(stderr,"Error, more than %d bytes fed to half-sign\n", HASH_SIZE);
+ fprintf(stderr,"Last byte was :%d\n" , (int) test);
+ exit(1);
+ }
+ sign_hashed_data(privkey, buffer, HASH_SIZE);
+ return 0;
+}
From 75a5e57230e13c6a8b2a325b6c65a956c1541c0b Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Thu, 19 Nov 2015 13:31:34 -0800
Subject: [PATCH 03/27] Work in progress
---
tools/dev-release.sh | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/tools/dev-release.sh b/tools/dev-release.sh
index bd86bff44..f66ce345c 100755
--- a/tools/dev-release.sh
+++ b/tools/dev-release.sh
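Review bot: `sign_hashed_data` ignores the result of `fwrite(sig, siglen, 1, stdout)`, so a failed or short write leaves a truncated signature on stdout while the program still exits 0; check it, e.g. `if (fwrite(sig, siglen, 1, stdout) != 1 || fflush(stdout) != 0) { fprintf(stderr, "Failed to write signature\n"); exit(1); }`. In `read_private_key`, `privkey->type` reaches into the EVP_PKEY struct, which OpenSSL 1.1.0 and later make opaque; `EVP_PKEY_base_id(privkey) != EVP_PKEY_RSA` is the accessor form. In `main`, the trailing-byte check accepts a `'\n'` after the 20 hash bytes without looking at what follows it, and the hash file is opened with `"r"` rather than `"rb"` although the input is binary. The tool signs any 20-byte value it is handed with PKCS#1 v1.5 over SHA-1, so a header comment stating that the caller is responsible for how the digest was produced, and that SHA-1 is fixed by `HASH_SIZE` and `EVP_sha1()`, would help whoever runs this with a release key.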
@@ -1,8 +1,32 @@ #!/bin/sh -xe # Release dev packages to PyPI -version="0.0.0.dev$(date +%Y%m%d)" -DEV_RELEASE_BRANCH="dev-release" +Usage() { + echo Usage: + echo "$0 [ --production ]" + exit 1 +} + +if [ "`dirname $0`" != "tools" ] ; then + echo Please run this script from the repo root + exit 1 +fi + +version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2` +if [ "$1" = "--production" ] ; then + echo Releasing production version "$version"... + if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then + echo "Version doesn't look like 1.2.3" + fi + exit 0 +else + # XXX replace 0.0.0 with the last-released-version + version="$version.dev$(date +%Y%m%d)" + DEV_RELEASE_BRANCH="dev-release" + echo Releasing developer version "$version"... + exit 0 +fi + # TODO: create a real release key instead of using Kuba's personal one RELEASE_GPG_KEY="${RELEASE_GPG_KEY:-148C30F6F7E429337A72D992B00B9CC82D7ADF2C}" From 013a3f11453787e18f7acd08c7e54fede59b1b01 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 19 Nov 2015 13:31:40 -0800 Subject: [PATCH 04/27] Switch to "next production release" as the version in the tree --- letsencrypt/__init__.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 1155a5b0c..ecab4ccbb 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,5 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.1.0.dev0' +# '0.1.0.dev0' +__version__ = '0.1.0' From aa10799e15c3aa5a00f6d598cbf69bb9640d8f9f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 19 Nov 2015 13:36:33 -0800 Subject: [PATCH 05/27] Add a sub-day digit to the datestamp, just in case... --- tools/dev-release.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index f66ce345c..3b1e72900 100755 --- a/tools/dev-release.sh 
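Review bot: The production version check `grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+'` is unanchored and its dots are unescaped, so a string such as `1a2b3` or a valid version followed by arbitrary text passes, and when the check does fail the branch only echoes and carries on. Later hunks on this page show `$version` being interpolated into `sed` expressions, the commit message and the signed tag, so I would anchor the pattern and fail hard: `echo "$version" | grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+$' || { echo "Version doesn't look like 1.2.3"; exit 1; }`. The same pattern is carried unchanged into `CheckVersion` in the later "Release script cleanups" patch. `dirname $0` in the repo-root test should also be quoted.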
+++ b/tools/dev-release.sh @@ -18,13 +18,11 @@ if [ "$1" = "--production" ] ; then if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then echo "Version doesn't look like 1.2.3" fi - exit 0 else # XXX replace 0.0.0 with the last-released-version - version="$version.dev$(date +%Y%m%d)" + version="$version.dev$(date +%Y%m%d)1" DEV_RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... - exit 0 fi # TODO: create a real release key instead of using Kuba's personal one From be2be2ef94339ea2fd40c941616570bdcabd6c36 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 19 Nov 2015 13:43:04 -0800 Subject: [PATCH 06/27] Declare partial victory on version numbers --- tools/dev-release.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 3b1e72900..8f1ca458c 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -18,8 +18,9 @@ if [ "$1" = "--production" ] ; then if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then echo "Version doesn't look like 1.2.3" fi + # XXX TODO rename to RELEASE_BRANCH once bmw isn't editing the same file + DEV_RELEASE_BRANCH="master" else - # XXX replace 0.0.0 with the last-released-version version="$version.dev$(date +%Y%m%d)1" DEV_RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... @@ -130,3 +131,6 @@ echo "New root: $root" echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" + +echo "Edit and commit letsencrypt/__init__.py to contain the next anticipated" +echo "release version" From 5a554bdaa7db39f5058ff236f57a8aa8bf72f469 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 2 Dec 2015 15:12:00 -0800 Subject: [PATCH 07/27] less confusing variable name --- tools/dev-release.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) 
diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 4a169ab51..8bbe9e4f5 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -18,11 +18,10 @@ if [ "$1" = "--production" ] ; then if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then echo "Version doesn't look like 1.2.3" fi - # XXX TODO rename to RELEASE_BRANCH once bmw isn't editing the same file - DEV_RELEASE_BRANCH="master" + RELEASE_BRANCH="master" else version="$version.dev$(date +%Y%m%d)1" - DEV_RELEASE_BRANCH="dev-release" + RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... fi @@ -63,8 +62,8 @@ echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD cd $root -git branch -f "$DEV_RELEASE_BRANCH" -git checkout "$DEV_RELEASE_BRANCH" +git branch -f "$RELEASE_BRANCH" +git checkout "$RELEASE_BRANCH" for pkg_dir in $SUBPKGS do From fe4cefb5182172793d2865d9dfa971382de071f1 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 3 Dec 2015 01:41:24 -0800 Subject: [PATCH 08/27] Fix various bugs exposed by actually making a release --- letsencrypt/cli.py | 2 +- tools/dev-release.sh | 8 +++++--- tools/dev-release2.sh | 7 +++++-- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 9835fa126..2a3f3d18a 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -881,7 +881,7 @@ def prepare_and_parse_args(plugins, args): version="%(prog)s {0}".format(letsencrypt.__version__), help="show program's version number and exit") helpful.add( - "automation", "--renew-by-default", action="store_true", + "automation", "--renew-by-default", "--replace", action="store_true", help="Select renewal by default when domains are a superset of a " "previously attained cert") helpful.add( diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 8bbe9e4f5..ae808117a 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh 
@@ -62,7 +62,9 @@ echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD cd $root -git branch -f "$RELEASE_BRANCH" +if [ "$RELEASE_BRANCH" != master ] ; then + git branch -f "$RELEASE_BRANCH" +fi git checkout "$RELEASE_BRANCH" for pkg_dir in $SUBPKGS @@ -71,7 +73,7 @@ do done sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py -git add -p # interactive user input +git add -p $SUBPKGS # interactive user input git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" \ --sign --message "Release $version" "$tag" @@ -89,7 +91,7 @@ do echo "Signing ($pkg_dir)" for x in dist/*.tar.gz dist/*.whl do - gpg2 --detach-sign --armor --sign $x + gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign $x done cd - diff --git a/tools/dev-release2.sh b/tools/dev-release2.sh index 3ddacb8f0..5f1bf00fa 100755 --- a/tools/dev-release2.sh +++ b/tools/dev-release2.sh @@ -39,7 +39,10 @@ # Create a GitHub issue with the release information, ask someone to # pull in the tag. -script --return --command ./tools/dev-release.sh log +RELEASE_GPG_KEY=A2CFB51FA275A7286234E7B24D17C995CD9775F2 +export GPG_TTY=$(tty) + +#script --return --command ./tools/dev-release.sh log root="$(basename `grep -E '^/tmp/le' log | head -n1 | tr -d "\r"`)" root_without_le="${root##le.}" @@ -48,4 +51,4 @@ ext="${root_without_le##*.}" rev="$(git rev-parse --short HEAD)" cp -r /tmp/le.$name.$ext/ $name.$rev tar cJvf $name.$rev.tar.xz log $name.$rev -gpg --detach-sign --armor $name.$rev.tar.xz +gpg -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz From 06175fa2aa22a8060a0f71566420bc02dd278f87 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 14:14:55 -0800 Subject: [PATCH 09/27] We don't use dev-release2.sh --- tools/dev-release2.sh | 54 ------------------------------------------- 1 file changed, 54 deletions(-) delete mode 100755 tools/dev-release2.sh 
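Review bot: In the last dev-release2.sh hunk the signing line became `gpg -U $RELEASE_GPG_KEY --detach-sign --armor ...` with an upper-case `-U`; as far as I know gpg's short form of `--local-user` is lower-case `-u`, which is what the dev-release.sh hunk in this same commit uses, so this line is likely to be rejected by gpg rather than select the key. Suggest `gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor "$name.$rev.tar.xz"`. The hunk above it assigns `RELEASE_GPG_KEY` unconditionally, which discards any key the releaser exported; the `${RELEASE_GPG_KEY:-<fingerprint>}` form used earlier in dev-release.sh keeps the override. The echoed `gpg -U` command added by the later "Make and sign tarball" patch has the same spelling.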
diff --git a/tools/dev-release2.sh b/tools/dev-release2.sh deleted file mode 100755 index 5f1bf00fa..000000000 --- a/tools/dev-release2.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh -xe - -# This script should be put into `./tools/dev-release2.sh`, in the repo. -# -# 1. Create packages. -# -# script -c ./tools/dev-release2.sh log2 -# mv *.tar.xz* dev-releases/ -# mv log2 dev-releases/${version?}.log -# -# 2. Test them. -# -# Copy stuff to VPS and EFF server: -# -# rsync -avzP dev-releases/ le:~/le-dev-releases -# rsync -avzP dev-releases/ ubuntu@letsencrypt-demo.org:~/le-dev-releases -# -# Now test using similar method as in `dev-release.sh` script. On -# remote server `cd ~/le-dev-releases`, extract tarballs, `cd -# $dir/dist.$version; python -m SimpleHTTPServer 1234`. In another -# terminal, outside `le-dev-releases` directory, create new -# virtualenv, `for pkg in setuptools pip wheel; do pip install -U $pkg; done`, -# confirm new installed versions by `pip list`, and try -# to install stuff with `pip install --extra-index-url http://localhost:$PORT -#`. Then play with the client until you're sure -# everything works :) -# -# 3. Upload. -# -# Upload to PyPI using the twine command that was printed earlier. -# -# Now, update tags in git: -# -# git remote remove tmp || true -# git remote add tmp /tmp/le.XXX -# git fetch tmp -# git push github/letsencrypt v0.0.0.dev$date -# -# Create a GitHub issue with the release information, ask someone to -# pull in the tag. - -RELEASE_GPG_KEY=A2CFB51FA275A7286234E7B24D17C995CD9775F2 -export GPG_TTY=$(tty) - -#script --return --command ./tools/dev-release.sh log - -root="$(basename `grep -E '^/tmp/le' log | head -n1 | tr -d "\r"`)" -root_without_le="${root##le.}" -name=${root_without_le%.*} -ext="${root_without_le##*.}" -rev="$(git rev-parse --short HEAD)" -cp -r /tmp/le.$name.$ext/ $name.$rev -tar cJvf $name.$rev.tar.xz log $name.$rev -gpg -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz 
From 57a8eae28923e9e0c1f8d47312247bf56d31382f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 14:30:04 -0800 Subject: [PATCH 10/27] Release script cleanups: - accept GPG env param - Automate version bumping - don't work in /tmp/ --- tools/dev-release.sh | 39 ++++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index ae808117a..a4f4fc345 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -12,12 +12,20 @@ if [ "`dirname $0`" != "tools" ] ; then exit 1 fi +CheckVersion() { + # Args: + if ! echo "$2" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then + echo "$1 doesn't look like 1.2.3" + exit 1 + fi +} + version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2` if [ "$1" = "--production" ] ; then echo Releasing production version "$version"... - if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then - echo "Version doesn't look like 1.2.3" - fi + CheckVersion Version "$version" + nextversion="$2" + CheckVersion "Next version" "$nextversion" RELEASE_BRANCH="master" else version="$version.dev$(date +%Y%m%d)1" @@ -25,7 +33,7 @@ else echo Releasing developer version "$version"... fi -RELEASE_GPG_KEY=A2CFB51FA275A7286234E7B24D17C995CD9775F2 +RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2} # Needed to fix problems with git signatures and pinentry export GPG_TTY=$(tty) @@ -57,7 +65,7 @@ pip install -U wheel # setup.py bdist_wheel # from current env when creating a child env pip install -U virtualenv -root="$(mktemp -d -t le.$version.XXX)" +root="./releases/le.$version.$$" echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD 
@@ -67,13 +75,16 @@ if [ "$RELEASE_BRANCH" != master ] ; then fi git checkout "$RELEASE_BRANCH" -for pkg_dir in $SUBPKGS -do - sed -i $x "s/^version.*/version = '$version'/" $pkg_dir/setup.py -done -sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py +SetVersion() { + for pkg_dir in $SUBPKGS + do + sed -i $x "s/^version.*/version = '$version'/" $pkg_dir/setup.py + done + sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py -git add -p $SUBPKGS # interactive user input + git add -p $SUBPKGS # interactive user input +} +SetVersion git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" \ --sign --message "Release $version" "$tag" @@ -134,5 +145,7 @@ echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -echo "Edit and commit letsencrypt/__init__.py to contain the next anticipated" -echo "release version" +export version="$nextversion" +SetVersion +git diff +git commit -m "Bump version to $version" From f31f637a8edbc8dd842d1f590fa69b565167170c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 14:45:53 -0800 Subject: [PATCH 11/27] Be agnostic about whether the tree has a dev/nondev version in it (though it should always be dev, I think) --- tools/dev-release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index a4f4fc345..96b9cb7c9 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -20,7 +20,7 @@ CheckVersion() { fi } -version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2` +version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` if [ "$1" = "--production" ] ; then echo Releasing production version "$version"... CheckVersion Version "$version" From 01fba752b570af6fbc0b688e2864bee2a1fbe3e6 Mon Sep 17 00:00:00 2001 
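Review bot: The unconditional bump at the end of the script (`export version="$nextversion"` followed by `SetVersion`) also runs for developer releases, where `nextversion` is never assigned in the visible else-branch, so `SetVersion` would rewrite every `version =` line to an empty string and offer it for commit. Guard the tail on the production path, e.g. `[ "$1" = "--production" ] || exit 0` before the `export`. Two smaller points in the same hunks: the bump commit is created without `--gpg-sign="$RELEASE_GPG_KEY"` while the release commit is signed, and `sed -i $x ...` inside `SetVersion` expands a variable that no visible line sets before the first call. `$root` in `git clone . $root` should be quoted now that it is a relative path built from `$version`.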
From: Peter Eckersley Date: Fri, 11 Dec 2015 14:47:42 -0800 Subject: [PATCH 12/27] Only autogenerate versions of dev releases --- tools/dev-release.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 96b9cb7c9..a3461dc4d 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -20,14 +20,15 @@ CheckVersion() { fi } -version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` if [ "$1" = "--production" ] ; then - echo Releasing production version "$version"... + version="$2" CheckVersion Version "$version" - nextversion="$2" + echo Releasing production version "$version"... + nextversion="$3" CheckVersion "Next version" "$nextversion" RELEASE_BRANCH="master" else + version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` version="$version.dev$(date +%Y%m%d)1" RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... From a253e35967a9979af8ff0fc911fd5c7c414389d3 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 15:06:41 -0800 Subject: [PATCH 13/27] Cleanups & bug fixes --- letsencrypt/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index ecab4ccbb..535ec6c40 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -2,4 +2,4 @@ # version number like 1.2.3a0, must have at least 2 parts, like 1.2 # '0.1.0.dev0' -__version__ = '0.1.0' +__version__ = '0.2.0.dev0' From aea2bcc0f5a17183f1390a31ff195befd038c9eb Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 17:57:26 -0800 Subject: [PATCH 14/27] Make and sign tarball --- tools/dev-release.sh | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index a3461dc4d..bd7c86642 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh 
@@ -1,4 +1,4 @@ -#!/bin/sh -xe +#!/bin/bash -xe # Release dev packages to PyPI Usage() { @@ -66,7 +66,9 @@ pip install -U wheel # setup.py bdist_wheel # from current env when creating a child env pip install -U virtualenv -root="./releases/le.$version.$$" +root_without_le="$version.$$" +root="./releases/le.$root_without_le" + echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD @@ -77,15 +79,16 @@ fi git checkout "$RELEASE_BRANCH" SetVersion() { + ver="$1" for pkg_dir in $SUBPKGS do - sed -i $x "s/^version.*/version = '$version'/" $pkg_dir/setup.py + sed -i $x "s/^version.*/version = '$ver'/" $pkg_dir/setup.py done - sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py + sed -i "s/^__version.*/__version__ = '$ver'/" letsencrypt/__init__.py git add -p $SUBPKGS # interactive user input } -SetVersion +SetVersion "$version" git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" \ --sign --message "Release $version" "$tag" 
@@ -132,21 +135,33 @@ pip install \ letsencrypt $SUBPKGS # stop local PyPI kill $! +cd ~- # freeze before installing anything else, so that we know end-user KGS # make sure "twine upload" doesn't catch "kgs" +if [ -d ../kgs ] ; then + echo Deleting old kgs... + rm -rf ../kgs +fi mkdir ../kgs kgs="../kgs/$version" pip freeze | tee $kgs pip install nose nosetests letsencrypt $subpkgs_modules +cd releases +name=${root_without_le%.*} +ext="${root_without_le##*.}" +rev="$(git rev-parse --short HEAD)" +echo tar cJvf $name.$rev.tar.xz $name.$rev +echo gpg -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz +cd ~- + echo "New root: $root" echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -export version="$nextversion" -SetVersion +SetVersion "$nextversion" git diff -git commit -m "Bump version to $version" +git commit -m "Bump version to $nextversion" From 9a0d819626ba0646c1bc006c293207bfd71534f0 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sat, 12 Dec 2015 00:38:45 -0800 Subject: [PATCH 15/27] Only bump versions if we're making production releases --- tools/dev-release.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index bd7c86642..3232ba946 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -162,6 +162,8 @@ echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -SetVersion "$nextversion" -git diff -git commit -m "Bump version to $nextversion" +if [ "$RELEASE_BRANCH" = master ] ; then + SetVersion "$nextversion" + git diff + git commit -m "Bump version to $nextversion" +fi From f5029d5eafa63418c560f21ce103eb58e4961eb3 Mon Sep 17 00:00:00 2001 
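Review bot: The tarball step added near the end only echoes the `tar cJvf` and `gpg` commands, so despite the commit subject nothing is archived or signed by the script and the releaser has to copy the lines by hand. The names also look inconsistent: the clone lives in `./releases/le.$root_without_le`, while the echoed command archives `$name.$rev`, and `ext` is computed but not used in the visible lines. If the intent is to run them, drop the `echo` and quote the operands; if it is to print instructions, a comment such as `# printed for the releaser to run by hand; nothing is signed here` above the two lines would stop the next editor from assuming a signed tarball exists. The `rm -rf ../kgs` added a few lines earlier is relative to whatever directory `cd ~-` left the shell in, so a path built from `$root` would be safer.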
From: Peter Eckersley Date: Mon, 14 Dec 2015 11:44:57 -0800 Subject: [PATCH 16/27] Remove a change that shouldn't have been in the release-engineering branch Reverts part of fe4cefb51 --- letsencrypt/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 1793f2be7..5e06d00d6 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -982,7 +982,7 @@ def prepare_and_parse_args(plugins, args): version="%(prog)s {0}".format(letsencrypt.__version__), help="show program's version number and exit") helpful.add( - "automation", "--renew-by-default", "--replace", action="store_true", + "automation", "--renew-by-default", action="store_true", help="Select renewal by default when domains are a superset of a " "previously attained cert (often --keep-until-expiring is " "more appropriate). Implies --expand.") From 7193296a2246f85b910384c2f223c89144b6756c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 14 Dec 2015 12:12:20 -0800 Subject: [PATCH 17/27] For some reason, nosetests only survives one subpackage at a time? --- tools/dev-release.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 3232ba946..9cbffea53 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -147,9 +147,13 @@ mkdir ../kgs kgs="../kgs/$version" pip freeze | tee $kgs pip install nose -nosetests letsencrypt $subpkgs_modules +for thing in letsencrypt $subpkgs_modules ; do + echo testing $thing + nosetests $thing +done +deactivate -cd releases +cd .. name=${root_without_le%.*} ext="${root_without_le##*.}" rev="$(git rev-parse --short HEAD)" From 1f58e069c526237554b7e465eadcdc1f7d4d73e0 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 14 Dec 2015 12:13:00 -0800 Subject: [PATCH 18/27] Fix stray $x bug from the old version of this script --- tools/dev-release.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 9cbffea53..41e3f9236 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -82,7 +82,7 @@ SetVersion() { ver="$1" for pkg_dir in $SUBPKGS do - sed -i $x "s/^version.*/version = '$ver'/" $pkg_dir/setup.py + sed -i "s/^version.*/version = '$ver'/" $pkg_dir/setup.py done sed -i "s/^__version.*/__version__ = '$ver'/" letsencrypt/__init__.py @@ -147,13 +147,14 @@ mkdir ../kgs kgs="../kgs/$version" pip freeze | tee $kgs pip install nose -for thing in letsencrypt $subpkgs_modules ; do - echo testing $thing - nosetests $thing +for module in letsencrypt $subpkgs_modules ; do + echo testing $module + nosetests $module done deactivate cd .. +echo Now in $PWD name=${root_without_le%.*} ext="${root_without_le##*.}" rev="$(git rev-parse --short HEAD)" From 57ea80ca5db6afb5d226ceb4071b340fd6fc48f4 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 14 Dec 2015 12:13:18 -0800 Subject: [PATCH 19/27] Production releases come from the candidate-$version branch (then get merged into master with a PR afterwards) --- tools/dev-release.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 41e3f9236..76223d123 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -26,7 +26,7 @@ if [ "$1" = "--production" ] ; then echo Releasing production version "$version"... nextversion="$3" CheckVersion "Next version" "$nextversion" - RELEASE_BRANCH="master" + RELEASE_BRANCH="candidate-$version" else version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` version="$version.dev$(date +%Y%m%d)1" @@ -73,7 +73,7 @@ echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD cd $root -if [ "$RELEASE_BRANCH" != master ] ; then +if [ "$RELEASE_BRANCH" != "candidate-$version" ] ; then git branch -f "$RELEASE_BRANCH" fi git checkout "$RELEASE_BRANCH" 
@@ -167,7 +167,7 @@ echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -if [ "$RELEASE_BRANCH" = master ] ; then +if [ "$RELEASE_BRANCH" = candidate-"$version" ] ; then SetVersion "$nextversion" git diff git commit -m "Bump version to $nextversion" From 49e7e830ebab41502983081874700f6cbdae426b Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 16:17:11 -0800 Subject: [PATCH 20/27] Echo testing instructions --- tools/dev-release.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 76223d123..f3912e67c 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -164,6 +164,10 @@ cd ~- echo "New root: $root" echo "KGS is at $root/kgs" +echo "Test commands (in the letstest repo):" +echo 'python multitester.py targets.yaml $AWS_KEY $USERNAME scripts/test_leauto_upgrades.sh --alt_pip $YOUR_PIP_REPO --branch public-beta' +echo 'python multitester.py targets.yaml $AWK_KEY $USERNAME scripts/test_letsencrypt_auto_certonly_standalone.sh --branch candidate-0.1.1' +echo 'python multitester.py --saveinstances targets.yaml $AWS_KEY $USERNAME scripts/test_apache2.sh' echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" From adfed7f4c525f8e20a243761f18461141c6d06c7 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 16:17:56 -0800 Subject: [PATCH 21/27] dev-release.sh -> release.sh --- tools/{dev-release.sh => release.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tools/{dev-release.sh => release.sh} (100%) diff --git a/tools/dev-release.sh b/tools/release.sh similarity index 100% rename from tools/dev-release.sh rename to tools/release.sh From cb713a200b0a951f81018ed647e6002f09cb2ceb Mon Sep 17 00:00:00 2001 
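Review bot: Production mode is detected here by comparing `$RELEASE_BRANCH` with a branch name rebuilt from `$version`, written as `candidate-"$version"` in this hunk and as `"candidate-$version"` in the @@ -73 hunk of the same patch. Both forms compare equal, but the test is repeated in separate places and will drift if the naming scheme changes again, as it just did from `master`. A flag set once in the `--production` branch, e.g. `production=1`, and tested here with `if [ -n "$production" ] ; then` would say what is meant. The enclosing script continues outside the hunk.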
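Review bot: The second echoed test command in PATCH 20/27 uses `$AWK_KEY` where the other two use `$AWS_KEY`; the strings are single-quoted and meant to be pasted, so that test would be run with an unset key argument. The same line hard-codes `--branch candidate-0.1.1`, which goes stale at the next release. Printing it as `echo "python multitester.py targets.yaml \$AWS_KEY \$USERNAME scripts/test_letsencrypt_auto_certonly_standalone.sh --branch $RELEASE_BRANCH"` fixes both, assuming `$RELEASE_BRANCH` is the branch meant to be tested. If `$AWS_KEY` holds key material rather than a key name or path (not visible here), passing it as an argument exposes it in process listings and shell history, which is worth a comment next to these lines.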
From: Peter Eckersley Date: Tue, 15 Dec 2015 16:21:02 -0800 Subject: [PATCH 22/27] Release 0.1.1 --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index e35b40d6e..ffaff618b 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ # load_pem_private/public_key (>=0.6) diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 58008e1e4..265101628 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index 1d42fe488..bb4100c98 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ 'acme=={0}'.format(version), diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index d487e556d..762eab396 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ 'setuptools', # pkg_resources From 19353d6eb1d5abd7bfde6fdd6b5fa28571981409 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 16:23:08 -0800 Subject: [PATCH 23/27] Bump version to 0.2.0 --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/acme/setup.py b/acme/setup.py index ffaff618b..2eb2623fd 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ # load_pem_private/public_key (>=0.6) diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 265101628..67556fb90 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index bb4100c98..d63ac9549 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index 762eab396..3e0128ccb 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ 'setuptools', # pkg_resources From 80b71bfe9f54ffa65030ee1020b6c2b7d47a4b7c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 19:01:18 -0800 Subject: [PATCH 24/27] An actually correct version bump --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letsencrypt/__init__.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index 2eb2623fd..8e6c1790a 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0dev0' install_requires = [ # load_pem_private/public_key (>=0.6) 
diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 67556fb90..7a47946a7 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0dev0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index d63ac9549..0177c4a81 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0dev0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 1c7815f78..57024bdb6 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,4 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.2.0.dev0' +__version__ = '0.2.0dev0' From 59f717fc480318cdb11364cc40438fa869ac95d2 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 16 Dec 2015 12:48:36 -0800 Subject: [PATCH 25/27] Further fixes to version strings --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letsencrypt/__init__.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index 8e6c1790a..e35b40d6e 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0dev0' +version = '0.2.0.dev0' install_requires = [ # load_pem_private/public_key (>=0.6) diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 7a47946a7..58008e1e4 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py 
@@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0dev0' +version = '0.2.0.dev0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index 0177c4a81..1d42fe488 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0dev0' +version = '0.2.0.dev0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 57024bdb6..1c7815f78 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,4 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.2.0dev0' +__version__ = '0.2.0.dev0' diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index 3e0128ccb..d487e556d 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0.dev0' install_requires = [ 'setuptools', # pkg_resources From 5666cf9e0e3dac30d94ea6958bd8fa8af56afcbc Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 16 Dec 2015 12:50:21 -0800 Subject: [PATCH 26/27] Perform "nextversion" incrementing correctly in release.sh --- tools/release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/release.sh b/tools/release.sh index f3912e67c..eeabfd4a3 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -172,7 +172,7 @@ echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" if [ "$RELEASE_BRANCH" = candidate-"$version" ] ; then - SetVersion "$nextversion" + SetVersion "$nextversion".dev0 git diff git commit -m "Bump version to $nextversion" fi From b8c2118434877d0c42ba0d1b856db3fda546777a Mon Sep 17 00:00:00 2001 
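Review bot: In PATCH 26/27, `SetVersion "$nextversion".dev0` now writes the `.dev0` suffix, but the commit message two lines below still reads `"Bump version to $nextversion"`, so the history will name a version that the files do not contain. Patches 23 to 25 of this series show how easily that mismatch ends in a wrong version string. I would change the message to `git commit -m "Bump version to $nextversion.dev0"`. Whether the edited files are staged before `git commit` depends on SetVersion, whose body is outside the hunk.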
From: Peter Eckersley Date: Wed, 16 Dec 2015 14:19:22 -0800 Subject: [PATCH 27/27] Add explanatory comment --- tools/half-sign.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/half-sign.c b/tools/half-sign.c index 561fa22be..454201799 100644 --- a/tools/half-sign.c +++ b/tools/half-sign.c @@ -6,6 +6,9 @@ #include #include +// This program can be used to perform RSA public key signatures given only +// the hash of the file to be signed as input. + // Sign with SHA1 #define HASH_SIZE 20