#2066 Add epel-10 sidetag signing
Merged 7 months ago by zlopez. Opened 7 months ago by jrichardson.
fedora-infra / jrichardson/ansible: branch robosignatory into main

Add epel-10 sidetag signing
james02135 • 7 months ago  
@@ -234,6 +234,18 @@ 

              # Gated bodhi updates

  

              [[consumer_config.koji_instances.primary.tags]]

+             from = "epel10.0-signing-pending"

+             to = "epel10.0-testing-pending"

+             key = "{{ (env == 'production')|ternary('epel-10', 'testkey') }}"

+             keyid = "{{ (env == 'production')|ternary('e37ed158', 'd300e724') }}"
fche commented 7 months ago

Are these keyids used for file-level IMA signatures? Are the corresponding public keys / certificates posted somewhere?

+ 

+             [consumer_config.koji_instances.primary.tags.sidetags]

+             pattern = 'epel10.0-build-side-<seq_id>'

+             from = '<sidetag>-signing-pending'

+             to = '<sidetag>-testing-pending'

+             trusted_taggers = ['bodhi']

+ 

+             [[consumer_config.koji_instances.primary.tags]]

              from = "epel9-signing-pending"

              to = "epel9-testing-pending"

              key = "{{ (env == 'production')|ternary('epel-9', 'testkey') }}"
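Review bot: the sidetag table `[consumer_config.koji_instances.primary.tags.sidetags]` pins `pattern` to `epel10.0-build-side-<seq_id>`, so it covers only the epel10.0 build tags and a later epel10.x tag will need its own `[[consumer_config.koji_instances.primary.tags]]` entry plus sidetag table; a one-line comment above the block, in the style of the existing `# Gated bodhi updates` line, saying so and noting that `trusted_taggers = ['bodhi']` is what limits sidetag signing to builds Bodhi tagged would help whoever adds the next minor release. It is also worth confirming that the non-production pair `testkey` / `d300e724` matches the neighbouring epel9 entry, since the hunk's context shows only that entry's `key` line and not its `keyid`.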

rebased onto 9170bf5 (7 months ago)

rebased onto 46b86e3 (7 months ago)

rebased onto 40c0408 (7 months ago)

Pull-Request has been merged by zlopez (7 months ago)

I tried to deploy the change by running ansible-playbook /srv/web/infra/ansible/playbooks/manual/autosign.yml -t config, but it failed with:

fatal: [autosign01.stg.iad2.fedoraproject.org]: FAILED! => {"changed": false, "msg": "Could not find the requested service robosignatory: host"}

when restarting robosignatory.

Also, autosign02 was unreachable.

@kevin is that OK?

Yes, the autosign playbook is definitely 'manual'. You must log in to autosign02 and start sshd (it's normally not running there) and then, after the playbook runs, you must restart robosignatory and know the correct passphrase to do so, and then stop sshd. I have done so, so this PR is deployed.

I fixed the problem with autosign01.stg... it was a mistake I introduced. ;)

Are these keyids used for file-level IMA signatures? Are the corresponding public keys / certificates posted somewhere?

Yes, but I am not sure how IMA is going to work for EPEL... we can of course publish certs/keys, but... I doubt CentOS Stream or RHEL kernels will trust those, so I am not sure if it's even worth doing IMA signing on EPEL builds in the end. I suppose non-kernel tools could still use it.
