Use SHA256 openssl signatures

twstrike · Jan 11, 2016 · be653e8 · be653e8
1 parent e17bb27
commit be653e8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/tools/half-sign.c b/tools/half-sign.c
@@ -12,18 +12,18 @@
 // To compile:
 // gcc half-sign.c -lssl -lcrypto -o half-sign
 
-// Sign with SHA1
-#define HASH_SIZE 20
+// Sign with SHA256
+#define HASH_SIZE 32
 
 void usage() {
 	printf("half-sign <private key file> [binary hash file]\n");
 	printf("\n");
-	printf("    Computes and prints a binary RSA signature over data given the SHA1 hash of\n");
+	printf("    Computes and prints a binary RSA signature over data given the SHA256 hash of\n");
 	printf("    the data as input.\n");
 	printf("\n");
 	printf("    <private key file> should be PEM encoded.\n");
 	printf("\n");
-	printf("    The input SHA1 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
+	printf("    The input SHA256 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
 	printf("    specified, it will be read from stdin.\n");
 	exit(1);
 }
@@ -41,7 +41,7 @@ void sign_hashed_data(EVP_PKEY *signing_key, unsigned char *md, size_t mdlen) {
 	if ((!ctx) 
 	|| (EVP_PKEY_sign_init(ctx) <= 0) 
 	|| (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-	|| (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)) {
+	|| (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)) {
 		fprintf(stderr, "Failure establishing ctx for signature\n");
 		exit(1);
 	}
@@ -108,7 +108,7 @@ int main(int argc, char *argv[]) {
 		exit(1);
 	}
 	if (fread(buffer, HASH_SIZE, 1, input) != 1) {
-		perror("half-sign: Failed to read SHA1 from input\n");
+		perror("half-sign: Failed to read SHA256 from input\n");
 		exit(1);
 	}
 

diff --git a/tools/release.sh b/tools/release.sh
@@ -34,8 +34,8 @@ else
     echo Releasing developer version "$version"...
 fi
 
-if [ "$RELEASE_OPENSSL_KEY" = "" ] ; then
-    RELEASE_OPENSSL_KEY="`realpath \`dirname $0\``/eff-pubkey.pem"
+if [ "$RELEASE_OPENSSL_PUBKEY" = "" ] ; then
+    RELEASE_OPENSSL_PUBKEY="`realpath \`dirname $0\``/eff-pubkey.pem"
 fi
 RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
 # Needed to fix problems with git signatures and pinentry
@@ -85,7 +85,7 @@ git checkout "$RELEASE_BRANCH"
 letsencrypt-auto-source/build.py
 
 # and that it's signed correctly
-if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_KEY -signature \
+if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
         letsencrypt-auto-source/letsencrypt-auto.sig \
         letsencrypt-auto-source/letsencrypt-auto            ; then
    echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH"