summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2021-09-20 19:19:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2021-09-20 19:19:46 +0000
commit733e83946ead0db67dbe1d612c8a6363ab46ed91 (patch)
tree494f5a07f22082409715d125e08dd5fb72709503
parentAdding upstream version 0.7.0. (diff)
downloaddehydrated-733e83946ead0db67dbe1d612c8a6363ab46ed91.tar.xz
dehydrated-733e83946ead0db67dbe1d612c8a6363ab46ed91.zip
Adding debian version 0.7.0-3.debian/0.7.0-3debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/README.source22
-rw-r--r--debian/changelog254
-rw-r--r--debian/clean1
-rw-r--r--debian/config.sh15
-rw-r--r--debian/control49
-rw-r--r--debian/copyright32
-rw-r--r--debian/dehydrated-apache2.apache21
-rw-r--r--debian/dehydrated-apache2.lintian-overrides4
-rw-r--r--debian/dehydrated.README.Debian60
-rw-r--r--debian/dehydrated.conf34
-rw-r--r--debian/dehydrated.dirs2
-rw-r--r--debian/dehydrated.docs2
-rw-r--r--debian/dehydrated.examples1
-rwxr-xr-xdebian/dehydrated.install3
-rw-r--r--debian/dehydrated.manpages1
-rw-r--r--debian/gbp.conf12
-rw-r--r--debian/patches/Do-not-revalidate-authorizations-on-forced-renewal.patch75
-rw-r--r--debian/patches/Fixed-small-unassigned-variable-issue.patch21
-rw-r--r--debian/patches/Per-certificate-config-fixes.patch65
-rw-r--r--debian/patches/add-t-tls-alpn-01-to-command-line-help.patch23
-rw-r--r--debian/patches/fix-CN-extraction-for-older-openssl-versions.patch29
-rw-r--r--debian/patches/series6
-rw-r--r--debian/patches/update-copyright-year.patch20
-rwxr-xr-xdebian/rules13
-rw-r--r--debian/source/format1
-rw-r--r--debian/upstream/metadata4
-rw-r--r--debian/upstream/signing-key.asc114
-rw-r--r--debian/watch5
28 files changed, 869 insertions, 0 deletions
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..3ad0198
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,22 @@
+Updating to a new upstream release
+==================================
+This packaging makes use of git-buildpackage. Having it in place you can
+follow the instructions below to import a new upstream release.
+
+0) Make sure upstream sure upstream's repository is added as a remote
+# git remote add upstream git://github.com/lukas2511/dehydrated.git
+
+1) Fetch upstream's tags
+# git fetch upstream --tags
+
+2) Merge in the version to import
+# git merge v<VERSION>
+
+3) Manually check that the just merged in code is sane (e.g. not evil)
+# git difftool origin/debian/master
+
+4) Make sure licensing still is correct
+
+5) Update the changelog
+# gbp dch --snapshot --auto -- debian/
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..a3e1082
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,254 @@
+dehydrated (0.7.0-3) unstable; urgency=medium
+
+ * d/README.Debian: fix typos. Closes: #990041
+ * d/watch: fix watchfile to match again after github.com changes.
+ * d/control: Bump Standards-Version to 4.6.0, no changes needed.
+
+ -- Mattia Rizzolo <mattia@debian.org> Mon, 20 Sep 2021 19:51:18 +0200
+
+dehydrated (0.7.0-2) unstable; urgency=medium
+
+ * Add some patches from upstream:
+ + Fix CN extraction for older openssl versions.
+ + New option to not revalidate authorizations on forced renewal.
+ + Fixed small unassigned variable issue.
+ + Update copyright year.
+ + Per-certificate config fixes. Closes: #981449
+ + Add -t tls-alpn-01 to command line help.
+ * Update d/copyright.
+
+ -- Mattia Rizzolo <mattia@debian.org> Thu, 25 Feb 2021 21:20:55 +0100
+
+dehydrated (0.7.0-1) unstable; urgency=medium
+
+ * New upstream release 0.7.0.
+ * Bump debhelper compat level to 13.
+ * Bump Standards-Version to 4.5.1, no changes needed.
+
+ -- Mattia Rizzolo <mattia@debian.org> Wed, 16 Dec 2020 18:39:01 +0100
+
+dehydrated (0.6.5-2) unstable; urgency=medium
+
+ [ Debian Janitor ]
+ * Use versioned copyright format URI.
+ * Update standards version to 4.5.0, no changes needed.
+ * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
+ Repository-Browse.
+
+ [ Mattia Rizzolo ]
+ * d/watch: Update to the new github location.
+
+ -- Mattia Rizzolo <mattia@debian.org> Sun, 15 Nov 2020 18:10:14 +0100
+
+dehydrated (0.6.5-1) unstable; urgency=medium
+
+ * New upstream release 0.6.5.
+ * Drop all patches, applied upstream.
+ * Bump debhelper compat level to 12.
+
+ -- Mattia Rizzolo <mattia@debian.org> Sat, 06 Jul 2019 16:55:46 +0200
+
+dehydrated (0.6.2-2) unstable; urgency=medium
+
+ * Add a number of patches from upstream.
+ Fixing the following bugs:
+ + HTTP/2 support, where header names are lowercase
+ + Avoid over matching, checking for the Replay-Nonce header only at BOL
+ + A bug causing deletion of domains.txt when incorrect parameters are used
+ + Document the DOMAINS_D config option
+ + Impoent POST-as-GET, for the upcoming change in LE's API
+ + Document PRIVATE_KEY_ROLLOVER per-cert config option
+ * d/control: bump Standards-Version to 4.3.0, no changes needed.
+
+ -- Mattia Rizzolo <mattia@debian.org> Mon, 11 Mar 2019 16:25:53 +0100
+
+dehydrated (0.6.2-1) unstable; urgency=medium
+
+ * New upstream release 0.6.2.
+ * Remove all patches - applied upstream.
+ * d/control: update Homepage field.
+
+ -- Mattia Rizzolo <mattia@debian.org> Tue, 08 May 2018 12:14:45 +0200
+
+dehydrated (0.6.1-2) unstable; urgency=medium
+
+ * Add patch from upstream to not duplicate the intermediate cert in the
+ fullchain.pem. Closes: #896697
+ * d/control:
+ + Bump Standards-Version to 4.1.4, no changes needed.
+ + Update maintainer address to use the tracker.debian.org team.
+
+ -- Mattia Rizzolo <mattia@debian.org> Mon, 23 Apr 2018 20:31:36 +0200
+
+dehydrated (0.6.1-1) unstable; urgency=low
+
+ * New upstream release 0.6.1.
+ Note: this release changes the default CA to use the ACMEv2 endpoint of
+ Let's Encrypt (previously it used the ACMEv1 endpoint).
+ Notable news of this realease is the support for wildcard certificates.
+ * d/patches:
+ - Remove patch present in the new upstream release.
+ - Add patch from upstream to have the example config reflect reality.
+ * d/copyright: Update.
+ * d/dehydrated.manapges: Update the path.
+ * Add a closes: to the previous changelog entry.
+
+ -- Mattia Rizzolo <mattia@debian.org> Wed, 14 Mar 2018 03:11:53 +0100
+
+dehydrated (0.5.0-2) unstable; urgency=medium
+
+ * Add patch from upstream to follow redirects on HTTP GET.
+ This fixes an error when creating the fullchain.pem after the LE API
+ introduced a new redirect. Closes: #892723
+
+ -- Mattia Rizzolo <mattia@debian.org> Sun, 11 Mar 2018 19:25:13 +0100
+
+dehydrated (0.5.0-1) unstable; urgency=medium
+
+ * New upstream release 0.5.0.
+ * d/control:
+ + Mark dehydrated as Multi-Arch:foreign.
+ + Bump Standards-Version to 4.1.3, no changes needed.
+ + Set Rules-Requires-Root:no.
+ + Change Vcs-* fields to point to Salsa.
+ + Change homepage to https://dehydrated.de.
+ * d/rules:
+ + Remove simple get-orig-source target just calling uscan.
+ + Avoid gz-compressing the example config file.
+ * d/copyright: update.
+ * Bump debhelper compat version to 11.
+ * Drop lintian override for a false positive now fixed in lintian.
+ * Ship the new manpage from upstream instead of our auto-generated one.
+
+ -- Mattia Rizzolo <mattia@debian.org> Mon, 22 Jan 2018 22:12:23 +0100
+
+dehydrated (0.4.0-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Mattia Rizzolo <mattia@debian.org> Sat, 17 Jun 2017 15:33:47 +0200
+
+dehydrated (0.4.0-1) experimental; urgency=medium
+
+ * Import new upstream release 0.4.0.
+ * Drop all Debian patches.
+ They are either applied upstream, or related to some past migration
+ we're not dropping support for.
+ * Drop letsencrypt.sh and letsencrypt.sh-apache2 transitional packages.
+
+ -- Mattia Rizzolo <mattia@debian.org> Sun, 12 Feb 2017 09:17:31 +0100
+
+dehydrated (0.3.1-3) unstable; urgency=medium
+
+ * Fix typo s/know/now/ in letsencrypt.sh wrapper.
+ Thanks to jcristau for spotting.
+ * Verify the upstream tarball signature.
+ Thanks to Georg Faerber <georg@riseup.net> for prodding upstream and
+ providing the patch. Closes: #853068
+ * Fix path to the configuration example in the main config. Closes: #854328
+
+ -- Mattia Rizzolo <mattia@debian.org> Wed, 08 Feb 2017 18:45:09 +0100
+
+dehydrated (0.3.1-2) unstable; urgency=medium
+
+ [ Jan Wagner ]
+ * d/dehydrated.conf: Add apache < 2.3 compatibility.
+
+ [ Mattia Rizzolo ]
+ * Add transitional packages from letsencrypt.sh and letsencrypt.sh-apache2.
+ * Includes several patches from upstream, including a letsencrypt.sh
+ wrapper.
+ * Add several patches to improve the letsencrypt.sh wrapper, i.e. to make it
+ actually work with the version of letsencrypt.sh Debian is shipping.
+ * Fix syntax error that could cause "unbound variable" errors in some cases
+ * Override several lintian warnings.
+ * Rewrite README.Debian of letsencrypt.sh with a pointer to dehydrated's.
+
+ -- Mattia Rizzolo <mattia@debian.org> Thu, 12 Jan 2017 21:48:48 +0100
+
+dehydrated (0.3.1-1) unstable; urgency=low
+
+ * Import new upstream release 0.3.1.
+ * Rename project to dehydrated. Closes: #839853
+ * Cancel the temporary revert of the config.sh → config rename.
+
+ -- Mattia Rizzolo <mattia@debian.org> Thu, 08 Dec 2016 16:18:03 +0100
+
+letsencrypt.sh (0.3.0-1) unstable; urgency=medium
+
+ * Import new upstream release 0.3.0.
+ + Remove all Debian patches (as they were coming from upstream).
+ + Add patch to revert the upstream commit renaming config.sh to config.
+ Let's avoid another breaking change at this point, keep it for the
+ dehydrated upload.
+ + Add NEWS entry about the ACCOUNT_KEY move.
+ + Closes: #839851
+ * Bump debhelper compat level to 10.
+ * Add dependency on ca-certificates. Closes: #838942
+ * Add patch from upstream to fix support of OpenSSL 1.1.0. Closes: #846319
+ * Add patch to account for an already set ACCOUNT_KEY option when upgrading
+ to the multi-account structure. Closes: #837308
+
+ -- Mattia Rizzolo <mattia@debian.org> Fri, 02 Dec 2016 00:04:30 +0100
+
+letsencrypt.sh (0.2.0-4) unstable; urgency=medium
+
+ * Install NEWS only in the letsencrypt.sh binary.
+
+ -- Mattia Rizzolo <mattia@debian.org> Tue, 16 Aug 2016 12:03:12 +0000
+
+letsencrypt.sh (0.2.0-3) unstable; urgency=medium
+
+ * postinst: don't print warnings if PRIVATE_KEY or PRIVATE_KEY_JSON aren't set
+
+ -- Mattia Rizzolo <mattia@debian.org> Sun, 14 Aug 2016 11:38:05 +0000
+
+letsencrypt.sh (0.2.0-2) unstable; urgency=medium
+
+ * Update license agreement url. Closes: #833336
+
+ -- Mattia Rizzolo <mattia@debian.org> Wed, 03 Aug 2016 15:53:39 +0000
+
+letsencrypt.sh (0.2.0-1) unstable; urgency=medium
+
+ [ Mattia Rizzolo ]
+ * Import new upstream release 0.2.0.
+ * Install the new docs from upstream.
+ * deiban/patches:
+ + drop compatibility-with-pretty-json-fixes-202.patch: applied upstream
+ + backport from upstream Make-location-of-domains.txt-configurable-204.patch
+ * d/rules: drop unneeded override_dh_installchangelogs.
+ * d/NEWS: document the PRIVATE_KEY → ACCOUNT_KEY rename.
+
+ [ Daniel Beyer ]
+ * Change default location of domains file to /etc/letsencrypt.sh/domains.txt.
+ Closes: #824928
+ * Provide maintainer scripts in order to support 0.1.x configurations (in
+ particular, old DOMAINS_TXT location, and old PRIVATE_KEY).
+ * d/NEWS: document the DOMAINS_TXT location change.
+
+ -- Mattia Rizzolo <mattia@debian.org> Tue, 02 Aug 2016 11:16:55 +0000
+
+letsencrypt.sh (0.1.0-3) unstable; urgency=medium
+
+ [ Daniel Beyer ]
+ * Add a README.Debian for binary package letsencrypt.sh. Closes: #822493
+
+ [ Mattia Rizzolo ]
+ * Import patch from upstream to work with the new "pretty" json used in the
+ Let's Encrypt API. Closes: #824903
+
+ -- Mattia Rizzolo <mattia@debian.org> Sat, 21 May 2016 13:37:22 +0000
+
+letsencrypt.sh (0.1.0-2) unstable; urgency=medium
+
+ * Generate the manpage in a reproducible way, regardless of the timezone.
+ * Bump Standards-Version to 3.9.8, no changes needed.
+
+ -- Mattia Rizzolo <mattia@debian.org> Sat, 23 Apr 2016 02:08:17 +0000
+
+letsencrypt.sh (0.1.0-1) unstable; urgency=medium
+
+ * Initial release. (Closes: #812174)
+
+ -- Daniel Beyer <dabe@deb.ymc.ch> Wed, 20 Jan 2016 17:58:20 +0100
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..ca4ca24
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1 @@
+debian/dehydrated.1
diff --git a/debian/config.sh b/debian/config.sh
new file mode 100644
index 0000000..1fe71d4
--- /dev/null
+++ b/debian/config.sh
@@ -0,0 +1,15 @@
+#############################################################
+# This is the main config file for dehydrated #
+# #
+# This is the default configuration for the Debian package. #
+# To see a more comprehensive example, see #
+# /usr/share/doc/dehydrated/examples/config #
+# #
+# For details please read: #
+# /usr/share/doc/dehydrated/README.Debian #
+#############################################################
+
+CONFIG_D=/etc/dehydrated/conf.d
+BASEDIR=/var/lib/dehydrated
+WELLKNOWN="${BASEDIR}/acme-challenges"
+DOMAINS_TXT="/etc/dehydrated/domains.txt"
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..15cf618
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,49 @@
+Source: dehydrated
+Section: misc
+Priority: optional
+Maintainer: Debian Let's Encrypt Team <team+letsencrypt@tracker.debian.org>
+Uploaders:
+ Daniel Beyer <dabe@deb.ymc.ch>,
+ Mattia Rizzolo <mattia@debian.org>,
+Build-Depends:
+ apache2-dev,
+ debhelper-compat (= 13),
+ dh-apache2,
+ dh-exec,
+Standards-Version: 4.6.0
+Rules-Requires-Root: no
+Vcs-Git: https://salsa.debian.org/letsencrypt-team/dehydrated.git
+Vcs-Browser: https://salsa.debian.org/letsencrypt-team/dehydrated
+Homepage: https://dehydrated.io
+
+Package: dehydrated
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ca-certificates,
+ curl,
+ openssl,
+ ${misc:Depends},
+Description: ACME client implemented in Bash
+ The dehydrated ACME client allows signing certificates with an
+ ACME server, like the one provided by the Let’s Encrypt certificate
+ authority (letsencrypt.org). It is implemented as a relatively simple
+ Bash script, which uses curl to communicate with the ACME server and
+ OpenSSL to deal with keys, sign requests and certificates.
+ .
+ The ACME (Automated Certificate Management Environment) protocol makes
+ it possible to automatically obtain browser-trusted certificate.
+
+Package: dehydrated-apache2
+Architecture: all
+Depends:
+ ${misc:Depends},
+Recommends:
+ dehydrated,
+ ${misc:Recommends},
+Description: dehydrated challenge response support for Apache2
+ This package provides an Apache2 config snippet to serve the http-01 challenge
+ responses for dehydrated.
+ .
+ Installing this package together with dehydrated is enough to have a fully
+ functional ACME client, including replying to the HTTP challenge.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..f290f13
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,32 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: dehydrated
+Upstream-Contact: Lukas Schauer <lukas.schauer@googlemail.com>
+Source: https://github.com/lukas2511/dehydrated
+
+Files: *
+Copyright: 2015-2021 Lukas Schauer
+License: Expat
+
+Files: debian/*
+Copyright: 2016 Daniel Beyer <dabe@deb.ymc.ch>
+ 2016-2021 Mattia Rizzolo <mattia@debian.org>
+License: Expat
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
diff --git a/debian/dehydrated-apache2.apache2 b/debian/dehydrated-apache2.apache2
new file mode 100644
index 0000000..a03e133
--- /dev/null
+++ b/debian/dehydrated-apache2.apache2
@@ -0,0 +1 @@
+conf debian/dehydrated.conf
diff --git a/debian/dehydrated-apache2.lintian-overrides b/debian/dehydrated-apache2.lintian-overrides
new file mode 100644
index 0000000..2bf34eb
--- /dev/null
+++ b/debian/dehydrated-apache2.lintian-overrides
@@ -0,0 +1,4 @@
+# dehydrated.conf is a cool name for this configuration file, and doesn't
+# really need to be named after the actual binary that ships it.
+# (and of course there is no risk of name collisions)
+non-standard-apache2-configuration-name
diff --git a/debian/dehydrated.README.Debian b/debian/dehydrated.README.Debian
new file mode 100644
index 0000000..06b0e91
--- /dev/null
+++ b/debian/dehydrated.README.Debian
@@ -0,0 +1,60 @@
+Configuring dehydrated in Debian
+================================
+A list of possible configurations options can be found in the example at:
+/usr/share/doc/dehydrated/examples/config.example
+
+Using /etc/dehydrated/conf.d/ to configure dehydrated
+-----------------------------------------------------
+Rather than modifying the main configuration /etc/dehydrated/config,
+it is recommended to change dehydrated's configuration by adding one or
+more configuration files in the directory /etc/dehydrated/conf.d/.
+
+Notable things about the behavior of conf.d:
+* Configuration files in the conf.d directory need to have a file name
+ ending with '.sh'. Any other files within this directory will be ignored
+ by dehydrated.
+* Configurations in the conf.d directory overrides dehydrated's build-in
+ defaults, as well as the main configuration (/etc/dehydrated/config).
+ They are loaded in alphanumerical order, so configuration in a file named
+ '9_foo' overrides what is defined in a file named '1stuff'.
+ They do not override command line parameters provided to dehydrated.
+
+
+Providing a list of domains to dehydrated
+=========================================
+If the parameter --domains is not given to dehydrated, it tries to get
+a list of domains from the file /etc/dehydrated/domains.txt.
+This file is not shipped with the package dehydrated in Debian and has
+to be manually added to make use of this feature. An example for a domains.txt
+can be found at /usr/share/doc/dehydrated/examples/domains.txt.
+The file format is explained in /usr/share/doc/dehydrated/docs/domains_txt.md.
+
+
+Default location of certificates and private keys
+=================================================
+In Debian's version of dehydrated, certificates and private keys for
+domains are stored in subdirectories located at /var/lib/dehydrated/certs/.
+
+
+Automation of dehydrated
+========================
+Certificates issued by letsencrypt have a relative short time to live
+(currently 3 months, maybe shorter in the future) it is advised to run
+a cronjob which calls
+
+/usr/bin/dehydrated -c [your specific options]
+
+on a regular basis to renew certificates. You may also need to
+reload/restart your daemons to use a renewed certificate.
+
+
+Migrating from certbot to dehydrated
+====================================
+While generally possible, Debian's version of dehydrated currently does
+not officially support migration of existing certificates generated with
+certbot to dehydrated.
+For details see Debian bug #824270: <https://bugs.debian.org/824270>
+
+
+ -- Daniel Beyer <dabe@deb.ymc.ch> Sat, 14 May 2016 17:14:37 +0200
+ -- Mattia Rizzolo <mattia@debian.org> Tue, 02 Aug 2016 11:16:55 +0000
diff --git a/debian/dehydrated.conf b/debian/dehydrated.conf
new file mode 100644
index 0000000..1206e43
--- /dev/null
+++ b/debian/dehydrated.conf
@@ -0,0 +1,34 @@
+#
+# Apache configuration to serve http-01 ACME challenges responses.
+# This is included from the dehydrated-apache2 package, thought to be used
+# with dehydrated as packaged in Debian.
+
+
+<IfModule proxy_module>
+ # Do not proxy ACME challenge responses
+ ProxyPass /.well-known/acme-challenge/ !
+</IfModule>
+<IfModule !alias_module>
+ # Load the alias module, if not loaded already
+ Include /etc/apache2/mods-available/alias.load
+ Include /etc/apache2/mods-available/alias.conf
+</IfModule>
+<IfModule alias_module>
+ # Serve ACME challenge responses
+ Alias /.well-known/acme-challenge/ /var/lib/dehydrated/acme-challenges/
+</IfModule>
+
+<Directory /var/lib/dehydrated/acme-challenges/>
+ Options FollowSymlinks
+ Options -Indexes
+ AllowOverride None
+ # Apache >= 2.3
+ <IfModule mod_authz_core.c>
+ Require all granted
+ </IfModule>
+ # Apache < 2.3
+ <IfModule !mod_authz_core.c>
+ Order Allow,Deny
+ Allow from all
+ </IfModule>
+</Directory>
diff --git a/debian/dehydrated.dirs b/debian/dehydrated.dirs
new file mode 100644
index 0000000..1b402fa
--- /dev/null
+++ b/debian/dehydrated.dirs
@@ -0,0 +1,2 @@
+/etc/dehydrated/conf.d/
+/var/lib/dehydrated/acme-challenges/
diff --git a/debian/dehydrated.docs b/debian/dehydrated.docs
new file mode 100644
index 0000000..86f744e
--- /dev/null
+++ b/debian/dehydrated.docs
@@ -0,0 +1,2 @@
+README.md
+docs
diff --git a/debian/dehydrated.examples b/debian/dehydrated.examples
new file mode 100644
index 0000000..684a743
--- /dev/null
+++ b/debian/dehydrated.examples
@@ -0,0 +1 @@
+docs/examples/*
diff --git a/debian/dehydrated.install b/debian/dehydrated.install
new file mode 100755
index 0000000..7700849
--- /dev/null
+++ b/debian/dehydrated.install
@@ -0,0 +1,3 @@
+#! /usr/bin/dh-exec
+debian/config.sh => /etc/dehydrated/config
+dehydrated /usr/bin/
diff --git a/debian/dehydrated.manpages b/debian/dehydrated.manpages
new file mode 100644
index 0000000..3dc88af
--- /dev/null
+++ b/debian/dehydrated.manpages
@@ -0,0 +1 @@
+docs/man/dehydrated.1
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..af310f8
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,12 @@
+[DEFAULT]
+upstream-branch = upstream/master
+debian-branch = debian/master
+upstream-tag = v%(version)s
+pristine-tar = True
+pristine-tar-commit = True
+
+[buildpackage]
+sign-tags = True
+
+[pq]
+patch-numbers = False
diff --git a/debian/patches/Do-not-revalidate-authorizations-on-forced-renewal.patch b/debian/patches/Do-not-revalidate-authorizations-on-forced-renewal.patch
new file mode 100644
index 0000000..8185db8
--- /dev/null
+++ b/debian/patches/Do-not-revalidate-authorizations-on-forced-renewal.patch
@@ -0,0 +1,75 @@
+From: Lukas Schauer <lukas@schauer.so>
+Date: Sat, 12 Dec 2020 03:01:47 +0100
+Subject: Do not revalidate authorizations on forced renewal
+
+This commit introduces a new cli argument `--force-validation` which,
+when used in combination with `--force` ignores valid domain
+authorizations and forces a revalidation.
+
+This has been implemented since at least LE seems to have changed some
+behavior on valid authorizations. Only the previously validated
+authorization-type is reusable, causing dehydrated to error out when
+changing from recently validated authorization types while still trying
+to force-renew certificates for whatever reason (e.g. changing algorithms).
+---
+ README.md | 1 +
+ dehydrated | 20 +++++++++++++++++---
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/README.md b/README.md
+index a35660a..67031af 100644
+--- a/README.md
++++ b/README.md
+@@ -74,6 +74,7 @@ Parameters:
+ --alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
+ --keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
+ --force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
++ --force-validation Force revalidation of domain names (used in combination with --force)
+ --no-lock (-n) Don't use lockfile (potentially dangerous!)
+ --lock-suffix example.com Suffix lockfile name with a string (useful for with -d)
+ --ocsp Sets option in CSR indicating OCSP stapling to be mandatory
+diff --git a/dehydrated b/dehydrated
+index 1c98252..d1395c9 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -512,6 +512,10 @@ load_config() {
+ [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
+ [[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
+
++ if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then
++ _exiterr "Argument --force-validation can only be used in combination with --force (-x)"
++ fi
++
+ if [ ! "${1:-}" = "noverify" ]; then
+ verify_config
+ fi
+@@ -1010,9 +1014,13 @@ sign_csr() {
+ fi
+
+ # Check if authorization has already been validated
+- if [ "$(echo "${response}" | _sed 's/"challenges": \[\{.*\}\]//' | get_json_string_value status)" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then
+- echo " + Found valid authorization for ${identifier}"
+- continue
++ if [ "$(echo "${response}" | get_json_string_value status)" = "valid" ]; then
++ if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ]; then
++ echo " + A valid authorization has been found but will be ignored"
++ else
++ echo " + Found valid authorization for ${identifier}"
++ continue
++ fi
+ fi
+
+ # Find challenge in authorization
+@@ -2107,6 +2115,12 @@ main() {
+ PARAM_FORCE="yes"
+ ;;
+
++ # PARAM_Usage: --force-validation
++ # PARAM_Description: Force revalidation of domain names (used in combination with --force)
++ --force-validation)
++ PARAM_FORCE_VALIDATION="yes"
++ ;;
++
+ # PARAM_Usage: --no-lock (-n)
+ # PARAM_Description: Don't use lockfile (potentially dangerous!)
+ --no-lock|-n)
diff --git a/debian/patches/Fixed-small-unassigned-variable-issue.patch b/debian/patches/Fixed-small-unassigned-variable-issue.patch
new file mode 100644
index 0000000..14c4772
--- /dev/null
+++ b/debian/patches/Fixed-small-unassigned-variable-issue.patch
@@ -0,0 +1,21 @@
+From: Lukas Schauer <lukas@schauer.so>
+Date: Sat, 12 Dec 2020 03:12:13 +0100
+Subject: Fixed small unassigned variable issue
+
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index d1395c9..838ab3d 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -738,7 +738,7 @@ _exiterr() {
+ if [ -n "${1:-}" ]; then
+ echo "ERROR: ${1}" >&2
+ fi
+- [[ "${skip_exit_hook:-no}" = "no" ]] && [[ -n "${HOOK:-}" ]] && ("${HOOK}" "exit_hook" "${1}" || echo 'exit_hook returned with non-zero exit code!' >&2)
++ [[ "${skip_exit_hook:-no}" = "no" ]] && [[ -n "${HOOK:-}" ]] && ("${HOOK}" "exit_hook" "${1:-}" || echo 'exit_hook returned with non-zero exit code!' >&2)
+ exit 1
+ }
+
diff --git a/debian/patches/Per-certificate-config-fixes.patch b/debian/patches/Per-certificate-config-fixes.patch
new file mode 100644
index 0000000..d662471
--- /dev/null
+++ b/debian/patches/Per-certificate-config-fixes.patch
@@ -0,0 +1,65 @@
+From: Michel Lespinasse <michel@lespinasse.org>
+Date: Mon, 1 Feb 2021 19:42:09 -0800
+Subject: Per-certificate config fixes
+
+- Ensure that all per-certificate settings are saved and restored in
+ store_configvars() and reset_configvars() - that's what makes them
+ per-certificate in the first place...
+
+- Add OCSP_FETCH and OCSP_DAYS in the documented list of supported
+ per-certificate configs, since the code does allow these.
+
+Bug-Debian: https://bugs.debian.org/981449
+---
+ dehydrated | 8 ++++++++
+ docs/per-certificate-config.md | 2 ++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/dehydrated b/dehydrated
+index 838ab3d..837ca2b 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -254,7 +254,10 @@ check_dependencies() {
+ store_configvars() {
+ __KEY_ALGO="${KEY_ALGO}"
+ __OCSP_MUST_STAPLE="${OCSP_MUST_STAPLE}"
++ __OCSP_FETCH="${OCSP_FETCH}"
++ __OCSP_DAYS="${OCSP_DAYS}"
+ __PRIVATE_KEY_RENEW="${PRIVATE_KEY_RENEW}"
++ __PRIVATE_KEY_ROLLOVER="${PRIVATE_KEY_ROLLOVER}"
+ __KEYSIZE="${KEYSIZE}"
+ __CHALLENGETYPE="${CHALLENGETYPE}"
+ __HOOK="${HOOK}"
+@@ -269,7 +272,10 @@ store_configvars() {
+ reset_configvars() {
+ KEY_ALGO="${__KEY_ALGO}"
+ OCSP_MUST_STAPLE="${__OCSP_MUST_STAPLE}"
++ OCSP_FETCH="${__OCSP_FETCH}"
++ OCSP_DAYS="${__OCSP_DAYS}"
+ PRIVATE_KEY_RENEW="${__PRIVATE_KEY_RENEW}"
++ PRIVATE_KEY_ROLLOVER="${__PRIVATE_KEY_ROLLOVER}"
+ KEYSIZE="${__KEYSIZE}"
+ CHALLENGETYPE="${__CHALLENGETYPE}"
+ HOOK="${__HOOK}"
+@@ -1622,6 +1628,8 @@ command_sign_domains() {
+ ); do
+ config_var="$(echo "${cfgline:1}" | cut -d'=' -f1)"
+ config_value="$(echo "${cfgline:1}" | cut -d'=' -f2- | tr -d "'")"
++ # All settings that are allowed here should also be stored and
++ # restored in store_configvars() and reset_configvars()
+ case "${config_var}" in
+ KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
+ echo " + ${config_var} = ${config_value}"
+diff --git a/docs/per-certificate-config.md b/docs/per-certificate-config.md
+index 9c3176a..3dd34dc 100644
+--- a/docs/per-certificate-config.md
++++ b/docs/per-certificate-config.md
+@@ -11,6 +11,8 @@ Currently supported options:
+ - KEY_ALGO
+ - KEYSIZE
+ - OCSP_MUST_STAPLE
++- OCSP_FETCH
++- OCSP_DAYS
+ - CHALLENGETYPE
+ - HOOK
+ - HOOK_CHAIN
diff --git a/debian/patches/add-t-tls-alpn-01-to-command-line-help.patch b/debian/patches/add-t-tls-alpn-01-to-command-line-help.patch
new file mode 100644
index 0000000..06c7374
--- /dev/null
+++ b/debian/patches/add-t-tls-alpn-01-to-command-line-help.patch
@@ -0,0 +1,23 @@
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Mon, 1 Feb 2021 04:41:17 -0500
+Subject: add -t tls-alpn-01 to command line help
+
+---
+ dehydrated | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index 837ca2b..8935721 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -2205,8 +2205,8 @@ main() {
+ PARAM_ALPNCERTDIR="${1}"
+ ;;
+
+- # PARAM_Usage: --challenge (-t) http-01|dns-01
+- # PARAM_Description: Which challenge should be used? Currently http-01 and dns-01 are supported
++ # PARAM_Usage: --challenge (-t) http-01|dns-01|tls-alpn-01
++ # PARAM_Description: Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
+ --challenge|-t)
+ shift 1
+ check_parameters "${1:-}"
diff --git a/debian/patches/fix-CN-extraction-for-older-openssl-versions.patch b/debian/patches/fix-CN-extraction-for-older-openssl-versions.patch
new file mode 100644
index 0000000..8a4b806
--- /dev/null
+++ b/debian/patches/fix-CN-extraction-for-older-openssl-versions.patch
@@ -0,0 +1,29 @@
+From: Lukas Schauer <lukas@schauer.so>
+Date: Fri, 11 Dec 2020 18:02:51 +0100
+Subject: fix CN extraction for older openssl versions
+
+---
+ dehydrated | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index 6c671fc..1c98252 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -926,14 +926,14 @@ extract_altnames() {
+ printf "%s" "${altnames}" | tr '\n' ' '
+ else
+ # No SANs, extract CN
+- altnames="$( <<<"${reqtext}" grep '^[[:space:]]*Subject:' | _sed -e 's/.* CN ?= ?([^ /,]*).*/\1/' )"
++ altnames="$( <<<"${reqtext}" grep '^[[:space:]]*Subject:' | _sed -e 's/.*[ /]CN ?= ?([^ /,]*).*/\1/' )"
+ printf "%s" "${altnames}"
+ fi
+ }
+
+ # Get last issuer CN in certificate chain
+ get_last_cn() {
+- <<<"${1}" _sed 'H;/-----BEGIN CERTIFICATE-----/h;$!d;x' | "${OPENSSL}" x509 -noout -issuer | head -n1 | _sed -e 's/.* CN ?= ?([^/,]*).*/\1/'
++ <<<"${1}" _sed 'H;/-----BEGIN CERTIFICATE-----/h;$!d;x' | "${OPENSSL}" x509 -noout -issuer | head -n1 | _sed -e 's/.*[ /]CN ?= ?([^/,]*).*/\1/'
+ }
+
+ # Create certificate for domain(s) and outputs it FD 3
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..0c3d1d3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,6 @@
+fix-CN-extraction-for-older-openssl-versions.patch
+Do-not-revalidate-authorizations-on-forced-renewal.patch
+Fixed-small-unassigned-variable-issue.patch
+update-copyright-year.patch
+Per-certificate-config-fixes.patch
+add-t-tls-alpn-01-to-command-line-help.patch
diff --git a/debian/patches/update-copyright-year.patch b/debian/patches/update-copyright-year.patch
new file mode 100644
index 0000000..c890d60
--- /dev/null
+++ b/debian/patches/update-copyright-year.patch
@@ -0,0 +1,20 @@
+From: Lukas Schauer <lukas@schauer.dev>
+Date: Thu, 18 Feb 2021 16:46:06 +0100
+Subject: update copyright year
+
+---
+ LICENSE | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/LICENSE b/LICENSE
+index 6fd58d7..094280e 100644
+--- a/LICENSE
++++ b/LICENSE
+@@ -1,6 +1,6 @@
+ The MIT License (MIT)
+
+-Copyright (c) 2015-2018 Lukas Schauer
++Copyright (c) 2015-2021 Lukas Schauer
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..912b551
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,13 @@
+#!/usr/bin/make -f
+
+export DH_VERBOSE = 1
+
+%:
+ dh $@ --with apache2
+
+override_dh_installdocs:
+ dh_installdocs
+ rm -rv $(CURDIR)/debian/dehydrated/usr/share/doc/dehydrated/docs/examples
+
+override_dh_compress:
+ dh_compress -Xconfig -Xhook.sh
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..46ebe02
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt) \ No newline at end of file
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..18edf36
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/lukas2511/dehydrated/issues
+Bug-Submit: https://github.com/lukas2511/dehydrated/issues/new
+Repository: https://github.com/lukas2511/dehydrated.git
+Repository-Browse: https://github.com/lukas2511/dehydrated
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..cf9b3a6
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,114 @@
+pub rsa2048 2013-04-05 [SC]
+ 3C2F 2605 E078 A1E1 8F47 9390 9C4D BE6C F438 F333
+uid [ unknown] Lukas Schauer <lukas@schauer.so>
+uid [ unknown] Lukas Schauer <lukas2511@xxpro.net>
+uid [ unknown] [jpeg image of size 2989]
+sub rsa2048 2013-04-05 [E]
+
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFFfGhMBCADuxAL1vqC7J1AmxMrFGxobyPaY9tmUEueRF+JuUJlk48qSbcWg
+zAMEprSgw3HY/15Galu/7g8KxXnlN4WO2vgA6eu1CYx3CoukJ8dc/m6hEMxqwsIW
+H/1sI7P2hLGB/6YC3MqgpyZxrXzS3coe/JLLkeOtcnBgeT1VpGnodSEKsK4unkfV
+cmheLuF+zMb0t1DFtd//Ka99XtoF7HXW6p/n8NjiAXKkEkTWf+0qsOIzar3Hl7QE
+dnEMK1EjDbrqNufTe+TyvM9hVMyDTptvA0EDOj+5Jmt29pWpriOgUgm2D1JgZi9b
+YmGnTo149q5bUzfLvsTDI0IS7ClxXIES/dfXABEBAAG0IEx1a2FzIFNjaGF1ZXIg
+PGx1a2FzQHNjaGF1ZXIuc28+iQE5BBMBAgAjBQJSHiDfAhsDBwsJCAcDAgEGFQgC
+CQoLBBYCAwECHgECF4AACgkQnE2+bPQ48zPRxgf/Y1pJ9H6uB6rmCa3VHoxhvLkV
+ruUSpI+JXNUhwpUWUKNE1yk78jmjRhMMZf7UMYifyGkuK/0/cErktr5j8kqJ2r60
+hOnmkC3jEq5H0hKfGzhosenUvzR9cENYzgnm/4BNWWz1I16jkWRcEGjeC8y033U3
+Tjrtc6f0jLe7R6LzospUCWKzp8WUWgTgqpAyjJY6I44Y6QpTjmRF6t1Nz2yRxxf2
+NAbOQWkSTueusgLVYyvqLZ51u3fsuDJxbQiBnNt0ZGYSDBKrs59Rvg0Xj1cBv1t7
+SrzHuwyiiCQsEaLMvYCygk7qRmZBZ6PKA0gE8oYIr5f10Kx0Mjqnrs8wmpegiLQj
+THVrYXMgU2NoYXVlciA8bHVrYXMyNTExQHh4cHJvLm5ldD6JATgEEwECACIFAlFf
+GhMCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJxNvmz0OPMzHXoH/jCy
+wwo+W3hy7WAzaKqgnIjRfMQD63OFSwrPI8P7mU0WWrxURwET4C/i+eYHIZYPVaP0
+HvdMMcpgSbBZ0sAW+gtv2qMtL+kB4s+FGVchV4lfh4q5w4EDRknuCEpD5bj7NsOT
+ROvGu0gSvGbGG/EFLJuhrkct5s7ESH5sWonxstk6Ea9L5STR4PGH6swTq0WggbMq
+VFQuWOkjw6KpQOeFTp9koQl3R6P6I0uqe6tVLKJD/nSTKbMYPMZX9Q+TvzqRSRlH
+wL509ZIZV4IzdDFXGM28xvC7KIifbxEzWHVci2afdqbVNH2MBhgHt/SIaW8xBab2
+wnd45rkdHuoK2wBPlPvRywDK/gEQAAEBAAAAAAAAAAAAAAAA/9j/4AAQSkZJRgAB
+AQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwg
+JC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh
+MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
+MjL/wAARCACHAIcDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQF
+BgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKB
+kaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVW
+V1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKz
+tLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QA
+HwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQA
+AQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcY
+GRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOE
+hYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX
+2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwDiVPPWng5quGBqQNik
+QWA1PBquG96kVqQ0ThqkBqsGrM1TXorEGOP55vTsPrQM3GmjjXc7BQOpJrOn8Tad
+bkgSFyP7grg7rULi6dmklY5OcZ4qqXJFHKB3h8a2mfkgkIHqQKnt/GdhIwWSOWP3
+4IrzsMRxSlielHKhnsNpqFveRiSCVXHsatK+a8cgu5oSDHKyMOhBxXYaL4t3IIr8
+4xx5o/rUuIHbBqfuqjBdRTxh4nDqehBqcSVIFgNTg/vVXzKUPmgC1u5oquHNFO4H
+Ghvenq/pVRXqQNWrJLQfpUm8AE5qqGHrWFrWpSbzBE2FHUg9aVrjL+q64kCNDbtu
+k7sD92uVkdnJZiSx7mk5PJ5JqzBZyXJwikmrUG1oFynijBq/LpskbFQM4qA20isy
+lTkD0puEkFyvilwR1qTy2B6GrCWjzDco5qbMe5UGQRUsf3sdjWjDoszrkjHpVuLw
+/M6sSMEUmrblKLZDpupz6dMAGYxZyVzwa7qz1CK8hEkbZyOnpXBXVhJbphwevB9K
+n0rUZbNsbsx9xWfXQGj0AS0pmA7gfjWdbXEVxEHT5gfU1YDKOcAUuoiyLgdiT9AT
+RVfzh/eH4UUaiOSDjjmniUDj+tUgRgcn86eHjHTbxWrEXPOG04PNYF7A4LOwGM9e
+ma1fPJ6A/gKpagGaIsQeKcHZiZnQwGRwoHWu90nTEhtI/lG4jk1ymgRebdjIzjtX
+ologWMD0ruox0MpMpvpMTvuKj61Sk0ZPtRfAwVxXRfhUMnrWsoxHG5z40CLaFZR6
+Z9qLfQhBO3Qof0NbgOTSk81lKKZtFNFJbJU4xV22thxkDmkHNXIlIUVxVlbQ6aep
+keINLVrXeq9fSuJa2MUmAOe4r2CWwNzpb4GWUZrzua13am8fYVyQnuhziSaRGyRk
+PwPStQBfQflUEQCKBjFS5qznZLu4oqLPSimhHFhh6VIGyOMVAMj1p67vQ1qySdW4
+69KjucvbuvtSqjk8Kc/Sho5Bn5D+VIB/hFC99I3ZVruluoIR+9lVfYmuW8L2ZT7Z
+0D5A4p1zpW52eW4YP6sa9OimoI55yXNY7GOeORcqwOfenMikHvXnMj3Vm/7nUo8D
+p8xrY0vVNQdSZSshxwQa15k9GhptanT7Oc9qQgCqMF7J/wAtR9eKSR7mZ90akKO5
+6VjNxjqzeLcti/uVOWPSk/ti1t3Adxg+lclqTXUkjI15HHH/AL1WtF0C1vmyb4TM
+OyngVx1bSVzohJrQ9X8OXVtfwMsMiuCMECvP9ShWPW75VXBWVlH4GvQvCHhqDTsT
+RtkkdR0rkNdh8nxNqQx1lyPxGa86PxuxU5aWMYIxx8pP4U8QyHotWgKeK2MCqLdz
+6UVcAooEcGowen6VKvXtiquG/vmi0dmaTc2cHjNa2ZJfjI8xTRq1w8FjvjOG6Zqb
+ylKK23t2rN1hv9Cxk9RS6jNrwe7mKQy/fkw2fUVsajpyXhwQwHoDjNY3hyUG3s3B
+H3DG34Hj+ddiqKwFetTV4o5pL3jlrzw+Jkj+VV2DHyjGR71LZ2Bim3MOAMAAV0Lg
+5xjimFAqZ6Vo1rcLNLUrpHGYyCo3VLrK+XpyRwjGV+YjrUSN856da1rmNJ7MMOeO
+tebjJ+8jvw0FyHArZNLavAwGWOQ+MGup8O262+l/Yp/KSFTvLKv7x27fN2FU2jCS
+cCrdsNzCipLngOMLSudr4VvZhN9nDHyQeBXO+KIyfEd7MB8jOF/EAV1vhizCru7g
+VzXiRl898feeZ3P04H9K85fGXNKzMJelPFNXgU8Vsc4oooA4ooEeaC+DqQCM4p+m
+uXEjHuRVNbeMthSc+laFijJEVZNuD+dbaWEjaB/dfhWRq5/0T6sMVrA/ufSsnVub
+YD/aFQtwIvD15JBqEUO7927dD616lbHKCvILVmhuYpR/CwNer2MoaJOc5FelhJXT
+Rz1dHctygBeKoXDnyyCcL3q3PKqJlu1UGnSYYQhhXVISloJGInVSCea6MWtidOFt
+9uVLorvKlhx7VyxkMDLs7nuOlPuGNzIGJJIGDx1rzcVDmaO7Dz01IImZ22n1rb06
+38yZRjvWTCUSTbxXS6JHuuEyO9ROygaqV2dzpsC2unsehxXl19O1xezSMSdzHH0z
+Xp+oXC2uiXEh/hjOPrivKDySa4Kau2zObHKOKeBTI87afWpmOXpRSL0opAeUwtuu
+QemAa2DcQhMNMufc9KwPMKOSp59ajJLEkkmuhxb3IOqbUbTaF85c+1Zuo3MUkQCO
+rHdnANY2aUUuVBcurcRr1B/CvQvD18l1p8TIeVG059q8wrb8Oau1heeU3+qlIB9j
+610UJqEvUzqRuj0a/jNzEIwTzxxWLc2L2wCxvII/Y9K1obtHIJqw6JKvABruavqY
+wlY5gvcqcLMD9as2a3czHFwQfYVdn09WOQMVLbWu0YArkrrQ9ClU8iilpOl2TJMZ
+PU4rufDsecOeqisNLTjJ4FbOnXCWsRCnPrXFVmuTlNIL3rmp4qvCuiiBSPmYBq4Q
+e1anjkT3Hg6WaIkTCdJMg9AMivOtP8VXEJEV3H5mP4uhrCkrxIqqzO1UYFPqhY6n
+aXq4ikG/+43BFXhVGYqk80Uq0UXEeOZ5ooPUUV13IE70tAopABNOjbZKrDqpzTaO
+9HmB6TEd9qlxECyMoJA6/hTotV2dDvT1HUVj+E9UV4vsUjYdfuZ7it650uGc+ZH+
+7k/vJxn616MXzRvE5GuV2ZG2tW8jf60AjqDVq21aI42nPvWPNpdwrZBjbHdhSJY3
+QPLqo/2RXPWjKWh10ppHRXOrIUCqcHH40Wd3JMwGNq/zrHitCpyck+pq9BIsPJPS
+uCdJxWp2Qndm/rFwraA8LEZbFeT6nbLHKXxjmuzv9Q85Ngb5RXE6xdK83loc4POK
+inFoVVqxRjnZHyG6dK1rLxLeWYClvNT+63+NYQ9R1pTwBW9k9zmO6s/FtrLxcIYm
+9eoorhQexoqORBcg60GiitmIXoKO1FFD7AHekFFFSwJIZXhlWSNirqcgiu50TxTF
+chYLpSs3TcBkN/hRRW1GpJSsZzimtTpPldQexpjKB2oorukZwKtxMIgTWTJdtITz
+hR1ooriqK71OpOyMLUdZAzFBknoWNYZYkkk8miisJCbbEXrS55zRRS6iCiiihjP/
+2YkBOAQTAQIAIgUCUV8eMwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ
+nE2+bPQ48zM78ggAg9ufcEM3FaxCNI1N78RUMCgobhCAan+AC/e1a9FSBhfKrBZI
+a4VkGwkVkOn5KJz9+YUY1/jXVZYRxHrqS7rREnrDDtBdgIOZENmZfkLE9JSKUHys
+DQeRNyQh6pPoa3DFpomw2VpCRWLgvqc9dzcLgjQoiDalJnayigV/J5Jw02dT/CZX
+c4qwKhTzyuBp9ITLRaPvbrmz9cYQfYM7vkmNWG7oQ0vd6cg7v+oP4kk2eJ4OVnyH
+Xr2+tNPVWHt0ZsZnnTyy43wf/H3MoAn9eoHWmlAkqG4s5wkGmaxEfPASX/Ccz/us
+2yeA3R3dPIJhotnMOH1TJiAxeH9mVwC6m+cp+bkBDQRRXxoTAQgAzV3THoH89SVd
+9TOROVi0WZ+brs449bYQiaV37ndGBVz8cZj1HJg/RjDE2zWaNZqXMlhXr9pD3GR7
+8PPSktjAiXZzVMLPCKeqDKaRHXuSsMn/6GPYZkGyIQeUwNtaySDAhztaV2FybGw6
++y9GsdIJzDtkUP6ID2XpcmhSu0/1CEktqPpahfR9Tfvu3eZ7qGOLnfzunNigMqKr
+xx8m7ir8rqgHjaSaj4s9W5v4O8EFk8NqQOcTjq/Qt9uC8+qNpXEzYoeOqWV6mTUI
+g4BtRu3IL2RW5q8OCcg4x7Vyi4ezLT7t9d5ATTEws+MYZkBe3o5Ujyj/UhuADYRu
+JVHbblO7ZwARAQABiQEfBBgBAgAJBQJRXxoTAhsMAAoJEJxNvmz0OPMzT1wIAIZ0
+Q23vWXHnoSPMfpbmj8U5gcdObh7Bx+AZIdaZ1JyryA4jjXiQGQ6D12z0gxC3mGnr
+SFe15LEbWXSrERdsxftw7kU2eN6v+KRzA8NLp5nZrkaeL+H9QVGdVhzDZz7tQACC
+i6zCHCpuRVStEwOh0bYNPTl9Ah2B9tAtQFbmoVOhL8Jc3O8bjuOoERRL+YUy1mAX
+b6bJTZu4yUheZqtOLQoRgy3SB4ZeGlLYM32JCtDNDyCNXP8QGB0dsRk6wdbgkxBr
+Jxi+i48VWoIhxmg3Szxz0CKWoS71XxcstYDTNFULwWnqb9mkxfy3aRVB0EowdvU1
+TPRv64fKcA0JFBQYoiA=
+=p5IV
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..fdafa3a
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,5 @@
+version=4
+opts="\
+pgpsigurlmangle=s/archive\/v(.+)\.tar\.gz/releases\/download\/v$1\/@PACKAGE@-$1\.tar\.gz\.asc/\
+" \
+https://github.com/dehydrated-io/@PACKAGE@/releases/ (?:.*/)?v?@ANY_VERSION@@ARCHIVE_EXT@