diff --git a/modules/release_guide/pages/create_release_signing_key.adoc b/modules/release_guide/pages/create_release_signing_key.adoc index d3de34b..abf6dc7 100644 --- a/modules/release_guide/pages/create_release_signing_key.adoc +++ b/modules/release_guide/pages/create_release_signing_key.adoc @@ -10,6 +10,13 @@ At the beginning of each release under development, a new package signing key is Sigul is the signing server that holds our keys. To make use of a new key, it must be created and access to the key granted. The `new-key`, `grant-key-access`, and `change-passphrase` commands are used. +These are to be running on `bodhi-backend01` machine. + +[source, bash] +---- +$ ssh bodhi-backend01.iad2.fedoraproject.org +---- + [source, bash] ---- $ sigul new-key --help @@ -91,9 +98,16 @@ $ sigul new-key --key-admin ausil --key-type ECC fedora-23-ima $ sigul grant-key-access fedora-23 kevin ---- +[NOTE] +==== +You can add --key-admin=true here to make a particular user key-admin for the key +==== + [NOTE] ==== **IMPORTANT:** Grant access to the autopen user as it's required for robosignatory autosigning and then restart the robosignatory service. +Make sure when granting key access you should use the autosign/robosignatory passphrase. + ==== . Provide the key name and temporary passphrase to signers. If they don't respond, revoke access until they are ready to change their passphrase. Signers can change their passphrase using the `change-passphrase` command: 
@@ -119,6 +133,20 @@ sigul_setup_client to add a new one. +=== Adding Certificates for IMA Keys + +We now need to create an IMA certificate signed by our Sigul CA and get it to the kernel maintainers. This must be done after the IMA key is created. + +[source, bash] +---- +$ sigul -v -v sign-certificate fedorasigulca fedora-41-ima --issuer-certificate-name fedorasigulca --subject-certificate-name fedoraimafourtyone --validity 2y --certificate-type codesigning --subject "CN=Fedora 41 IMA Code-signing cert" > fedora-41-ima.pem +---- + +NOTE: Change the name from `41/fourtyone` to the appropriate release version. + +We need to find the best way to get the certificate to the kernel maintainers. It is recommended to ask them directly. Additionally, we need to add it to `fedora-repos` like the other keys. + + === fedora-repos The `fedora-repos` package houses a copy of the public key information. This is used by RPM to verify the signature on files encountered. Currently, the `fedora-repos` package has a single key file named after the version of the key and the arch the key is for. @@ -443,7 +471,7 @@ You may wish to do this in a tempoary directory to make cleaning it up easy. === Koji -Log into koji02.phx2.fedoraproject.org by way of bastion.fedoraproject.org. +Log into koji02.iad2.fedoraproject.org by way of bastion.fedoraproject.org. Verify that ``/etc/koji-gc/koji-gc.conf`` has the new key in it.
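Review bot: In the first hunk (`@@ -10,6 +10,13 @@`), the added sentence "These are to be running on `bodhi-backend01` machine." is ungrammatical and does not say which commands it covers; suggest "The `new-key`, `grant-key-access`, and `change-passphrase` commands below are run on the `bodhi-backend01` machine." Since the Koji section in the last hunk tells the reader to reach the host "by way of bastion.fedoraproject.org", state here too whether `ssh bodhi-backend01.iad2.fedoraproject.org` is expected to go through the bastion, so both host-access instructions follow the same form.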
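Review bot: In the second hunk (`@@ -91,9 +98,16 @@`), the new note refers to the option as bare `--key-admin=true`; put it in backticks as the rest of the page does for `new-key` and `grant-key-access`, and say which command it applies to ("add `--key-admin=true` to `grant-key-access`"). The sentence "Make sure when granting key access you should use the autosign/robosignatory passphrase." is also hard to parse next to the following step, which hands a temporary passphrase to human signers; suggest "When granting access to the autopen user, use the autosign/robosignatory passphrase, not the temporary passphrase given to signers." so the two passphrases are not confused.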
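Review bot: In the third hunk (`@@ -119,6 +133,20 @@`), the note "Change the name from `41/fourtyone` to the appropriate release version." misses that the release number also appears in `--subject "CN=Fedora 41 IMA Code-signing cert"` and in the output file `fedora-41-ima.pem`; list all three places, or state the command once with a placeholder for the release. The `--validity 2y` choice is undocumented; add a sentence on why two years was chosen so the next person does not silently change it. Finally, "We need to find the best way to get the certificate to the kernel maintainers" leaves the hand-off procedure open in a release guide; either document the agreed channel or mark it as a TODO, and make the `fedora-repos` step a concrete instruction rather than "we need to".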
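Review bot: In the last hunk (`@@ -443,7 +471,7 @@`), the hostname change from `koji02.phx2` to `koji02.iad2` looks right and matches the `iad2` host introduced in the first hunk; while touching this region, the context line "You may wish to do this in a tempoary directory" has a typo ("temporary") that could be fixed in the same change.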