#10713 Add ELN to the set of packages to be re-signed at each Branch
Opened 4 months ago by sgallagh. Modified 3 months ago

  • Describe the issue
    ELN builds track Rawhide and use the Rawhide key to validate the packages. Please ensure that we re-sign ELN builds with the Rawhide key at each Branch point.

Additionally, please re-sign the current ELN builds with the current (F37) Rawhide key.

  • When do you need this? (YYYY/MM/DD)
    As soon as possible, as many packages aren't installable and COPR is being forced to implement a workaround.

  • When is this no longer needed or useful? (YYYY/MM/DD)
    This will be needed until the heat death of the universe or the end of Fedora ELN, whichever comes first.

  • If we cannot complete your request, what is the impact?
    Unsigned ELN packages will lead to either lower usage or higher risk for those using it.


I can resign everything now, but we also need to adjust robosignatory to sign new builds with the new key too (which needs a freeze break).

Does anything need to adjust on your composes end? Or you can handle that change?

What are you telling pungi to gather currently? f36 key? or f37 key ? or both?

From pungi-fedora

# Fedora signing keys.
sigkeys = ['9867c58f', '45719a39', '9570FF31', 'D300E724', '38AB71F4', '5323552a']

I think that's actually F32 through F37.

This needs documentations updates.

Metadata Update from @mohanboddu:
- Issue tagged with: docs, medium-gain, medium-trouble, ops

4 months ago

ok. I have signed all currently tagged eln builds with fedora-37 key. Also, robosignatory will sign with fedora-37 key moving forward.
You should be able to nuke all the old keys from your compose and compose with just f37 key and it should work. Let me know if it doesn't.

@kevin It looks like you may have missed signing the ELN modules?

2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-modules-debugsource-0.15.0-11.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-modules-0.15.0-11.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-docs-6.0.9-1.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-devel-6.0.9-1.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-docs-6.0.9-1.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-6.0.9-1.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-devel-6.0.9-1.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-modules-debuginfo-0.15.0-11.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-modules-debugsource-0.15.0-11.module_eln+13661+d462384d
2022-03-25 15:08:52 [DEBUG   ] Waiting for signed package to appear for varnish-modules-0.15.0-11.module_eln+13661+d462384d

I didn't even know eln had modules. ;)

I am not sure how to sign them... perhaps @mohanboddu knows?

I have updated the SOP to make sure that ELN is signed by the rawhide key after branching.

Login to comment on this ticket.

Metadata
Boards 1
Ops Status: Backlog