infra-docs-fpo/modules/sysadmin_guide/pages/pesign-upgrade.adoc

= Pesign upgrades/reboots

Fedora has (currently) 2 special builders. These builders are used to
build a small set of packages that need to be signed for secure boot.
These packages include: _grub2_, _shim_, _kernel_, _pesign-test-app_

When rebooting or upgrading pesign on these machines, you have to follow
a special process to unlock the signing keys.

== Contact Information

Owner::
  Fedora Release Engineering, Kernel/grub2/shim/pesign maintainers
Contact::
  #fedora-admin, #fedora-kernel
Servers::
  bkernel01, bkernel02
Purpose::
  Upgrade or restart singning keys on kernel/grub2/shim builders

== Procedure

[arabic]
. Coordinate with pesign maintainers or _pesign-test-app_
commiters as well as releng folks that have the pin to unlock the
signing key.

. Remove builder from koji:
+
....
koji disable-host bkernel01.rdu3.fedoraproject.org
....
. Make sure all builds have completed.
. Stop existing processes:
+
....
service pcscd stop
service pesign stop
....
. Perform updates or reboots.
. Restart services (if you didn't reboot):
+
....
service pcscd start
service pesign start
....
. Unlock signing key:
+
....
pesign-client -t "OpenSC Card (Fedora Signer)" -u
(enter pin when prompted)
....
. Make sure no builds are in progress, then Re-add builder to koji,
remove other builder:
+
....
koji enable-host bkernel01.rdu3.fedoraproject.org
koji disable-host bkernel02.rdu3.fedoraproject.org
....
. Have a commiter send a build of pesign-test-app and make sure it's
signed correctly.
. If so, repeat process with second builder.
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`= Pesign upgrades/reboots`

			`Fedora has (currently) 2 special builders. These builders are used to`
			`build a small set of packages that need to be signed for secure boot.`
Review pesign-upgrade SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-09-09 15:16:31 +02:00			`These packages include: _grub2_, _shim_, _kernel_, _pesign-test-app_`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
			`When rebooting or upgrading pesign on these machines, you have to follow`
			`a special process to unlock the signing keys.`

			`== Contact Information`

			`Owner::`
			`Fedora Release Engineering, Kernel/grub2/shim/pesign maintainers`
			`Contact::`
			`#fedora-admin, #fedora-kernel`
			`Servers::`
			`bkernel01, bkernel02`
			`Purpose::`
			`Upgrade or restart singning keys on kernel/grub2/shim builders`

			`== Procedure`

Review pesign-upgrade SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-09-09 15:16:31 +02:00			`[arabic]`
			`. Coordinate with pesign maintainers or _pesign-test-app_`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`commiters as well as releng folks that have the pin to unlock the`
			`signing key.`

Review pesign-upgrade SOP Signed-off-by: Michal Konečný <mkonecny@redhat.com> 2021-09-09 15:16:31 +02:00			`. Remove builder from koji:`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`+`
			`....`
DC move: iad => rdu3, 10.3. => 10.16. And remove some obsolete things. Signed-off-by: Nils Philippsen <nils@redhat.com> 2025-07-04 11:55:02 +02:00			`koji disable-host bkernel01.rdu3.fedoraproject.org`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`....`
			`. Make sure all builds have completed.`
			`. Stop existing processes:`
			`+`
			`....`
			`service pcscd stop`
			`service pesign stop`
			`....`
			`. Perform updates or reboots.`
			`. Restart services (if you didn't reboot):`
			`+`
			`....`
			`service pcscd start`
			`service pesign start`
			`....`
			`. Unlock signing key:`
			`+`
			`....`
			`pesign-client -t "OpenSC Card (Fedora Signer)" -u`
			`(enter pin when prompted)`
			`....`
			`. Make sure no builds are in progress, then Re-add builder to koji,`
			`remove other builder:`
			`+`
			`....`
DC move: iad => rdu3, 10.3. => 10.16. And remove some obsolete things. Signed-off-by: Nils Philippsen <nils@redhat.com> 2025-07-04 11:55:02 +02:00			`koji enable-host bkernel01.rdu3.fedoraproject.org`
			`koji disable-host bkernel02.rdu3.fedoraproject.org`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00			`....`
			`. Have a commiter send a build of pesign-test-app and make sure it's`
			`signed correctly.`
			`. If so, repeat process with second builder.`