robosignatory: resign f40 tagged packages with f41 key

This is to prep for branching next week. We want to set this so we can tell robosgnatory to resign all the f40 tagged packages with f41. Also, newly tagged packages will also be signed, so by the time we branch everything should be signed for both branched (f40) and new rawhide (f41). Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-02-08 15:18:44 -08:00 · 2024-02-08 15:18:44 -08:00 · 100c9b484d
commit 100c9b484d
parent ae91b69f62
1 changed files with 9 additions and 1 deletions
--- a/roles/robosignatory/templates/robosignatory.toml.j2
+++ b/roles/robosignatory/templates/robosignatory.toml.j2
@ -408,7 +408,7 @@ handlers = ["console"]
            # ima file signing - enabled in f37
            file_signing_key = "fedora-38-ima"
            {% endif %}
-            
+
            # f38 resigning
            [[consumer_config.koji_instances.primary.tags]]
            from = "f38"
@ -433,6 +433,14 @@ handlers = ["console"]
            keyid = "{{ (env == 'production')|ternary('18B8e74c', 'd300e724') }}"
            file_signing_key = "fedora-39-ima"

+            # resigning f40 builds with f41 key before branching. Remove after branching.
+            [[consumer_config.koji_instances.primary.tags]]
+            from = "f40"
+            to = "f40"
+            key = "{{ (env == 'production')|ternary('fedora-41', 'testkey') }}"
+            keyid = "{{ (env == 'production')|ternary('2e99d6ad1', 'd300e724') }}"
+            file_signing_key = "fedora-41-ima"
+
            # F40 Mass Rebuild
            [[consumer_config.koji_instances.primary.tags]]
            from = "f40-rebuild"