robosignatory: add f39 signing before branching

This is an attempt to allow us to sign f38 with the f39 key also in addition to the f38 one. Using this we can make a ugly loop that signs all the stuff in the f38 tag with the f39 key. (Hopefully) Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2023-01-31 13:07:39 -08:00 · 2023-01-31 13:07:39 -08:00 · d4eeaa51b2
commit d4eeaa51b2
parent 3354d0b821
1 changed files with 8 additions and 5 deletions
--- a/roles/robosignatory/templates/robosignatory.toml.j2
+++ b/roles/robosignatory/templates/robosignatory.toml.j2
@ -195,14 +195,17 @@ handlers = ["console"]
            file_signing_key = "fedora-38-ima"
            {% endif %}

+            # sign f38 also with the f39 key
+            # remove this after branching is over and replace with f39 tags
+
            [[consumer_config.koji_instances.primary.tags]]
-            from = "f38-rebuild"
-            to = "f38-rebuild"
-            key = "{{ (env == 'production')|ternary('fedora-38', 'testkey') }}"
-            keyid = "{{ (env == 'production')|ternary('eb10b464', 'd300e724') }}"
+            from = "f38"
+            to = "f38"
+            key = "{{ (env == 'production')|ternary('fedora-39', 'testkey') }}"
+            keyid = "{{ (env == 'production')|ternary('18B8e74c', 'd300e724') }}"
            {% if env == "production" %}
            # ima file signing - enabled in f37
-            file_signing_key = "fedora-38-ima"
+            file_signing_key = "fedora-39-ima"
            {% endif %}

            [[consumer_config.koji_instances.primary.tags]]