From 0384c929738f2a69316cb96d524c1fbccbc6bbfc Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Aug 28 2023 22:39:23 +0000 Subject: add a first cut at the horrible mass resigning process Signed-off-by: Kevin Fenzi --- diff --git a/modules/release_guide/pages/sop_mass_branching.adoc b/modules/release_guide/pages/sop_mass_branching.adoc index 02d1764..0221b4b 100644 --- a/modules/release_guide/pages/sop_mass_branching.adoc +++ b/modules/release_guide/pages/sop_mass_branching.adoc 
@@ -10,6 +10,51 @@ bugfix and polish mode. You will find below the list of steps to follow to branch a new Fedora release. +== Mass resigning + +When we branch off of rawhide, the branched release packages are already signed by +the F{release} key, but we need to resign everything in rawhide for the new F+1 key. +ie, When we branch f39 off rawhide, all it's packages are already signed by the f39 +key, but we need to resign everything with the f40 key for rawhide. + +* Add a new config for the new key to robosignatory. Something like: + +``` + [[consumer_config.koji_instances.primary.tags]] + from = "f39" + to = "f39" + key = "{{ (env == 'production')|ternary('fedora-40', 'testkey') }}" + keyid = "{{ (env == 'production')|ternary('a15B79cc', 'd300e724') }}" + {% if env == "production" %} + file_signing_key = "fedora-40-ima" + {% endif %} +``` +This allows robosignatory to sign packages in the f39 tag with the f40 key. +* git clone https://pagure.io/releng +* confirm the new key fingerprint is in scripts/sigulsign_unsigned.py +* run sigulsign_unsigned.py to gather list of packages to sign: +``` +./sigulsign_unsigned.py --just-list --tag f39 fedora-40 | grep src | sed -e 's|.src||' > unsigned-packages +``` +You should get a list of all the source packages by name. +* copy unsigned-packages list to autosign01 +* on autosign01 run in a tmux session: +``` +sudo -su robosignatory +passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ") +(enter the autosign passphrase) +keyctl add user "sigul:autosign" "${passphrase}" @s +for i in `cat unsigned-packages` +do + echo $i; + robosignatory sign-tag primary $i f39; + sleep 1; +done +``` +This will iterate over all packages and sign them with the new f40 key. +Once complete, re-run the ./sigulsign_unsigned.py command to confirm all are signed. +On branching day, remove the robosignatory config for this resigning. 
+ == Send announcement One day before the mass branching, we send out announcemt because during mass branching,
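Review bot: the signing loop in the "on autosign01" block ignores failures of `robosignatory sign-tag primary $i f39`, so a package that fails to sign is only noticed when `sigulsign_unsigned.py` is re-run at the end; record failures as they happen, e.g. `robosignatory sign-tag primary $i f39 || echo "$i" >> failed-packages`, so the retry set is known without a second full pass. In the same block, `passphrase` is still set in the shell after `keyctl add user "sigul:autosign" "${passphrase}" @s`; add `unset passphrase` after the keyctl line so the secret does not linger in the tmux session's environment. The `grep src | sed -e 's|.src||'` filter in the list command is looser than it needs to be (`src` anywhere in the name, and `.` is an unescaped regex metacharacter); `grep '\.src$' | sed -e 's|\.src$||'` matches only the source package suffix. Minor prose fix in the intro paragraph: "all it's packages" should read "all its packages".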