= Pesign upgrades/reboots

Fedora has (currently) 2 special builders. These builders are used to build a small set of packages that need to be signed for secure boot. These packages include: _grub2_, _shim_, _kernel_, _pesign-test-app_

When rebooting or upgrading pesign on these machines, you have to follow a special process to unlock the signing keys.

== Contact Information

Owner::
  Fedora Release Engineering, Kernel/grub2/shim/pesign maintainers
Contact::
  #fedora-admin, #fedora-kernel
Servers::
  bkernel01, bkernel02
Purpose::
  Upgrade or restart signing keys on kernel/grub2/shim builders

== Procedure

[arabic]
. Coordinate with pesign maintainers or _pesign-test-app_ committers as well
as releng folks that have the PIN to unlock the signing key.
. Remove builder from koji:
+
....
koji disable-host bkernel01.iad2.fedoraproject.org
....
. Make sure all builds have completed.
. Stop existing processes:
+
....
service pcscd stop
service pesign stop
....
. Perform updates or reboots.
. Restart services (if you didn't reboot):
+
....
service pcscd start
service pesign start
....
. Unlock signing key:
+
....
pesign-client -t "OpenSC Card (Fedora Signer)" -u
(enter pin when prompted)
....
. Make sure no builds are in progress, then re-add the builder to koji and
remove the other builder:
+
....
koji enable-host bkernel01.iad2.fedoraproject.org
koji disable-host bkernel02.iad2.fedoraproject.org
....
. Have a committer send a build of pesign-test-app and make sure it's signed
correctly.
. If so, repeat process with second builder.
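A first-pass check for the "signed correctly" step, as an added example that is not part of the original SOP or of Fedora's tooling: it parses the PE header of a built binary and lists the signature entries in its Certificate Table. It confirms only that a signature blob is attached, not that it chains to the expected key; `pe_signatures` and `build_sample` are names made up for this example, and the sample bytes are constructed.

```python
import struct
import sys
from pathlib import Path

def pe_signatures(data: bytes):
    """Return (length, revision, cert_type) for each WIN_CERTIFICATE entry."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # skip the 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    if ndirs < 5:
        return []  # header has no Certificate Table slot
    # Slot 4 is the Certificate Table; its "address" is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + 8 * 4)
    if size == 0:
        return []  # nothing attached: unsigned
    if off + size > len(data):
        raise ValueError("certificate table runs past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((length, rev, ctype))
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    return entries

def build_sample(signed: bool) -> bytes:
    """Constructed PE32+ header stub for the demo, not a real EFI binary."""
    pe_off, opt = 0x40, 0x40 + 24
    buf = bytearray(opt + 112 + 16 * 8)
    buf[:2], buf[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    struct.pack_into("<H", buf, opt, 0x20B)       # PE32+ magic
    struct.pack_into("<I", buf, opt + 108, 16)    # NumberOfRvaAndSizes
    if signed:  # one 12-byte entry (revision 2.0, PKCS#7 type) padded to 16
        struct.pack_into("<II", buf, opt + 112 + 32, len(buf), 16)
        buf += struct.pack("<IHH8x", 12, 0x0200, 0x0002)
    return bytes(buf)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, pe_signatures(Path(path).read_bytes()) or "UNSIGNED")
```

Run it against the EFI binary extracted from the test build; a signed file reports at least one entry with revision `0x0200` (512) and type `0x0002`, after which the signer itself still has to be checked against the expected certificate.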