Infrastructure/infra-docs-fpo
1
0
Fork 0
Code Issues 100 Pull requests 6 Projects Releases Packages Wiki Activity Actions

add a first cut at the horrible mass resigning process

Browse source 
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2023-08-28 15:39:23 -07:00
parent 62b5a3e9f6
commit 0384c92973
1 changed files with 45 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

45
modules/release_guide/pages/sop_mass_branching.adoc
View file

@ -10,6 +10,51 @@ bugfix and polish mode.
You will find below the list of steps to follow to branch a new Fedora release.
== Mass resigning
When we branch off of rawhide, the branched release packages are already signed by
the F{release} key, but we need to resign everything in rawhide for the new F+1 key.
ie, When we branch f39 off rawhide, all it's packages are already signed by the f39
key, but we need to resign everything with the f40 key for rawhide.
* Add a new config for the new key to robosignatory. Something like:
```
[[consumer_config.koji_instances.primary.tags]]
from = "f39"
to = "f39"
key = "{{ (env == 'production')|ternary('fedora-40', 'testkey') }}"
keyid = "{{ (env == 'production')|ternary('a15B79cc', 'd300e724') }}"
{% if env == "production" %}
file_signing_key = "fedora-40-ima"
{% endif %}
```
This allows robosignatory to sign packages in the f39 tag with the f40 key.
* git clone https://pagure.io/releng
* confirm the new key fingerprint is in scripts/sigulsign_unsigned.py
* run sigulsign_unsigned.py to gather list of packages to sign:
```
./sigulsign_unsigned.py --just-list --tag f39 fedora-40 | grep src | sed -e 's|.src||' > unsigned-packages
```
You should get a list of all the source packages by name.
* copy unsigned-packages list to autosign01
* on autosign01 run in a tmux session:
```
sudo -su robosignatory
passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ")
(enter the autosign passphrase)
keyctl add user "sigul:autosign" "${passphrase}" @s
for i in `cat unsigned-packages`
do
echo $i;
robosignatory sign-tag primary $i f39;
sleep 1;
done
```
This will iterate over all packages and sign them with the new f40 key.
Once complete, re-run the ./sigulsign_unsigned.py command to confirm all are signed.
On branching day, remove the robosignatory config for this resigning.
== Send announcement
One day before the mass branching, we send out announcemt because during mass branching,