#12230 Create rawhide+1+1 (F43) keys
Closed: Fixed 5 months ago by kevin. Opened 6 months ago by jnsamyak.

  • Describe the issue

We have been requested from the last branching that we create the rawhide+1 keys weeks before the mass branching so it will stay there for an ample amount if folks want to migrate their stuff to rawhide keys!

However, this issue will also be used for creating an SOP for how the keys are generated, and what steps are required for that; The end goal is that everyone with the right access can create these!

!action - @jnsamyak will create an SOP from the steps we discuss here!

  • When do you need this?
    Before end of this week!

  • When is this no longer needed or useful?
    F41 Branching

  • If we cannot complete your request, what is the impact?
    :) We will not have new rawhide keys ;)


Metadata Update from @jnsamyak:
- Issue tagged with: high-gain, medium-trouble, ops

6 months ago

So, we actually already have the 42 keys. We need to make f43. ;)

Here's the old SOP:

https://docs.pagure.org/releng/sop_create_release_signing_key.html

but it needs some work. ;)

  • We need to add how to create certs for ima keys
  • The getfedora section can be removed.
  • The sigul sign_unsigned section can be removed
  • The public keyservers parts can be dropped.

I guess it's not that bad. ;) Would you like to make a pr adding it to new docs and I can provide the certs info...

Okay, let's do this I'll create PR for migrating it from the old doc to the new one, and then you can take over to add the certs info, and I can follow that sop to create F43 keys? What say?

@kevin the migration is done, and I converted, and as per the last three points I have added it to the document.

One thing, that will be very nice to add here is, if you know, to use which machine while running sigul etc

https://pagure.io/infra-docs-fpo/pull-request/311

Metadata Update from @jnsamyak:
- Issue assigned to jnsamyak

6 months ago

Added comments/review/additional things to add. ;)

Hey Kevin while on running

sigul new-key --key-admin jnsamyak --key-type gnupg         --gnupg-name-real Fedora         --gnupg-name-comment 43         --gnupg-name-email fedora-43-primary@fedoraproject.org fedora-43

it asks for admin password Administrator's password; where can we fetch it from?

It should be your nss password I think? but you were not an admin, so I made you one. Please try again now?

The nss password didn't work; It mentions having an admin password.

For example:

If I want to do `sigul --list-keys, it even asks for an Administrative Password, which is not an NSS password for sure, I tried resetting it before as well, but no didn't work

Can you check with this command, and see if your nss password works?

Yeah, sorry, it is another passphrase for that. I will try and figure the best way to get one to you...

Meanwhile, can you create the key and certs if you get time? And grant me access to that one? So I can add it on the places as part of the rest of the SOP?

I tried one more thing, can you try again? If it's still failing I can make things later tonight/tomorrow...

One last attempt before I give up for now... ;) please try again.

I think this is all working now. If not, feel free to reopen.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Log in to comment on this ticket.

Metadata
Boards 1
Ops Status: Backlog