From 881cc3e109583b59e836e28d4cdf90e781fc09ae Mon Sep 17 00:00:00 2001 From: Mohan Boddu Date: Jan 11 2017 21:40:28 +0000 Subject: Adding signing builds sop Signed-off-by: Mohan Boddu --- diff --git a/docs/source/sop.rst b/docs/source/sop.rst index d0c7f86..756e5b8 100644 --- a/docs/source/sop.rst +++ b/docs/source/sop.rst @@ -63,6 +63,7 @@ Standard Operating Procedures sop_package_blocking sop_package_unblocking sop_pdc + sop_signing_builds sop_pushing_updates sop_release_package_signing sop_remote_dist_git_branches diff --git a/docs/source/sop_pushing_updates.rst b/docs/source/sop_pushing_updates.rst index b2ff621..5d880f6 100644 --- a/docs/source/sop_pushing_updates.rst +++ b/docs/source/sop_pushing_updates.rst @@ -90,59 +90,14 @@ will file a ticket with the nvrs to push $ sudo -u apache bodhi-push --builds ' ...' --username -Sign the packages ------------------ - -* Sign builds using scripts/sigulsign_unsigned.py from releng git repo - - :: - - $ ./sigulsign_unsigned.py -vv --write-all \ - --sigul-batch-size=25 fedora-22 \ - $(cat /var/cache/sigul/Stable-F22 /var/cache/sigul/Testing-F22) - -(Make sure you sign each release with the right key... ie, 'fedora-19' key -with F19 packages, or 'epel-5' with EL-5 packages) - -Here is another example, inside a loop: - -:: - - for i in 24 23 22; - do - ~/releng/scripts/sigulsign_unsigned.py \ - fedora-$i -v --write-all \ - --sigul-batch-size=25 $(cat /var/cache/sigul/{Stable,Testing}-F${i}); - done - - for i in 7 6 5; - do - ~/releng/scripts/sigulsign_unsigned.py \ - epel-$i -v --write-all \ - --sigul-batch-size=25 $(cat /var/cache/sigul/{Stable,Testing}-*EL-${i}); - done - - -* If signing process struggles to finish, then consider adjusting the - ``--sigul-batch-size=N`` to ``1``, which is more resilient but much slower. - -Repeat gathering updates and signing steps ------------------------------------------- - -After gathering the list of updates and signing them, repeat the process until -there are no new updates to be signed. You want to do this because as you are -signing updates, maintainers are submitting new ones. There is a window while -you are signing that a new update will be added and if you just push then, the -push will fail with an unsigned package. - Perform the bodhi push ---------------------- -Re-run the earlier bodhi command from step 2 and say 'y' to push. +Say 'y' to push for the above command. Verification ============ -#. Monitor the sysemd journal +#. Monitor the systemd journal :: diff --git a/docs/source/sop_signing_builds.rst b/docs/source/sop_signing_builds.rst new file mode 100644 index 0000000..6660aa7 --- /dev/null +++ b/docs/source/sop_signing_builds.rst @@ -0,0 +1,37 @@ +Sign the packages +----------------- + +* This doc explains how to sign builds in the release(s). + +* Sign builds using scripts/sigulsign_unsigned.py from releng git repo + + :: + + $ ./sigulsign_unsigned.py -vv --write-all \ + --sigul-batch-size=25 fedora-22 \ + $(cat /var/cache/sigul/Stable-F22 /var/cache/sigul/Testing-F22) + +(Make sure you sign each release with the right key... ie, 'fedora-19' key +with F19 packages, or 'epel-5' with EL-5 packages) + +Here is another example, inside a loop: + +:: + + for i in 24 23 22; + do + ~/releng/scripts/sigulsign_unsigned.py \ + fedora-$i -v --write-all \ + --sigul-batch-size=25 $(cat /var/cache/sigul/{Stable,Testing}-F${i}); + done + + for i in 7 6 5; + do + ~/releng/scripts/sigulsign_unsigned.py \ + epel-$i -v --write-all \ + --sigul-batch-size=25 $(cat /var/cache/sigul/{Stable,Testing}-*EL-${i}); + done + + +* If signing process struggles to finish, then consider adjusting the + ``--sigul-batch-size=N`` to ``1``, which is more resilient but much slower.