2 files changed, 42 insertions, 0 deletions

diff --git a/OSX/sparkle-bin/old_dsa_scripts/generate_dsa_keys_macos_10.12_only b/OSX/sparkle-bin/old_dsa_scripts/generate_dsa_keys_macos_10.12_only
new file mode 100755
index 0000000..56f195f
--- /dev/null
+++ b/OSX/sparkle-bin/old_dsa_scripts/generate_dsa_keys_macos_10.12_only
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+for file in "dsaparam.pem" "dsa_priv.pem" "dsa_pub.pem"; do
+  if [ -e "$file" ]; then
+    echo "There's already a $file here! Move it aside or be more careful!"
+    exit 1
+  fi
+done
+
+openssl="/usr/bin/openssl"
+$openssl gendsa <($openssl dsaparam 2047) -out dsa_priv.pem
+chmod 0400 dsa_priv.pem
+$openssl dsa -in dsa_priv.pem -pubout -out dsa_pub.pem
+
+echo "
+Generated two files:
+dsa_priv.pem: your private key. Keep it secret and don't share it!
+dsa_pub.pem: public counterpart to include in the app bundle.
+
+BACK UP YOUR PRIVATE KEY AND KEEP IT SAFE!
+If you lose it, your users will be unable to upgrade!
+"
+
+open -R dsa_priv.pem
diff --git a/OSX/sparkle-bin/old_dsa_scripts/sign_update b/OSX/sparkle-bin/old_dsa_scripts/sign_update
new file mode 100755
index 0000000..fddaae8
--- /dev/null
+++ b/OSX/sparkle-bin/old_dsa_scripts/sign_update
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+set -o pipefail
+if [ "$#" -ne 2 ]; then
+  echo "Usage: $0 update_archive_file dsa_priv.pem"
+  echo "This is an old DSA signing script for deprecated DSA keys."
+  echo "Do not use this for new applications."
+  exit 1
+fi
+openssl=/usr/bin/openssl
+version=`$openssl version`
+if [[ $version =~ "OpenSSL 0.9" ]]; then
+	# pre-10.13 system: Fall back to OpenSSL DSS1 digest because it does not like the -sha1 option
+	$openssl dgst -sha1 -binary < "$1" | $openssl dgst -dss1 -sign "$2" | $openssl enc -base64
+else
+	# 10.13 and later: Use LibreSSL SHA1 digest
+	$openssl dgst -sha1 -binary < "$1" | $openssl dgst -sha1 -sign "$2" | $openssl enc -base64
+fi