#7183 RFE: Sign builds in staging
Closed: Fixed 2 months ago by smooge. Opened a year ago by bowlofeggs.

  • Describe what you need us to do:
    It would be ideal if we could sign staging koji builds in a similar fashion to what we do in production. When I test Bodhi in staging, I currently need to go in Bodhi's database to mark builds as signed, which is a slight amount of work but also means that I am not able to test Bodhi's integration with signing fedmsgs in staging.

  • When do you need this? (YYYY/MM/DD)
    No due date, it's an RFE.

  • When is this no longer needed or useful? (YYYY/MM/DD)
    If we stop signing builds.

  • If we cannot complete your request, what is the impact?
    We won't have the ability to test the signing infrastructure in staging or the systems that integrate with it (like Bodhi's signing fedmsg listener).

This is not high priority, but would be appreciated if someone has time to do it (hahahah, time).


First of all, only builds completed in staging Koji can be signed in staging. Builds that were copied from production Koji during prod->stg sync can't be signed as their files reside on production volume, which is read-only, so signatures can't be written to it.

How about manual signing in staging? It should be fairly easily doable. Would it work for you?

On 08/30/2018 06:46 PM, Mikolaj Izdebski wrote:

> First of all, only builds completed in staging Koji can be signed in staging. Builds that were copied from production Koji during prod->stg sync can't be signed as their files reside on production volume, which is read-only, so signatures can't be written to it.
>
> How about manual signing in staging? It should be fairly easily doable. Would it work for you?

To clarify, for my purposes I only need the builds that are built in
staging to be signed. Could that be automated?

My current workflow is that I build a test build in staging, go to Bodhi
to make an update for it, then go in Bodhi's database to manually mark
it signed. It's this last step that I'd like to eliminate. And of course
the other benefit is that we can test the signing integration points
with other systems like Bodhi in staging as well.

Metadata Update from @puiterwijk:
- Issue assigned to puiterwijk

10 months ago

I've taken this issue, as I've previously set up most of sigul and robosig in staging already.
So if this is useful, I can finish that set up to get it working in stg, with the mentioned caveat of stg-only builds for signing.

> So if this is useful, I can finish that set up to get it working in stg, with the mentioned caveat of stg-only builds for signing.

It would be useful even with this caveat as it would allow closer-to-prod testing of the update workflow in staging.
With the ongoing testing of rawhide gating in staging it would be most useful :)

All parts were set up that had config files in ansible. There may have been 1-2 items which still needed setup by releng but once those configs are put in and then the playbook is run it should work.

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago
