#12415 Create detached signatures for the ignition 2.20.0 release
Closed: Fixed a month ago by jnsamyak. Opened a month ago by spresti.

Please create detached signatures for the binaries we will upload to GitHub for the ignition 2.20.0 release. This is a manual process for now, pending the automation discussed in https://pagure.io/robosignatory/issue/53 and https://github.com/coreos/fedora-coreos-tracker/issues/335.

The binaries themselves have been built in koji. Here is a small script to grab all of the rpms and the files out of the rpms and name them appropriately:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#!/bin/bash
set -eux -o pipefail

# Use the Fedora 40 key for the detached signatures
KEYTOSIGNWITH='fedora-40'

VR='2.20.0-1.fc40'
RPMKEY='a15b79cc' # Fedora 40 key

do_sign() {
    # Sign with sigul unless FAKESIGN=1
    if [ ${FAKESIGN:-0} != 1 ]; then
        sigul sign-data -a $KEYTOSIGNWITH "$1" -o "$1.asc"
    else
        echo INVALID > "$1.asc"
    fi
}

# Grab the binaries out of the redistributable rpm
rpm="ignition-validate-redistributable-${VR}.noarch.rpm"
koji download-build --key $RPMKEY --rpm $rpm
rpm -qip $rpm | grep -P "^Signature.*${RPMKEY}$" # Verify the output has the key in it
rpm2cpio $rpm | cpio -idv './usr/share/ignition/ignition-validate-*'

# Rename the binaries
mv usr/share/ignition/ignition-validate-aarch64-apple-darwin \
    ignition-validate-aarch64-apple-darwin
mv usr/share/ignition/ignition-validate-aarch64-unknown-linux-gnu-static \
    ignition-validate-aarch64-linux
mv usr/share/ignition/ignition-validate-ppc64le-unknown-linux-gnu-static \
    ignition-validate-ppc64le-linux
mv usr/share/ignition/ignition-validate-s390x-unknown-linux-gnu-static \
    ignition-validate-s390x-linux
mv usr/share/ignition/ignition-validate-x86_64-apple-darwin \
    ignition-validate-x86_64-apple-darwin
mv usr/share/ignition/ignition-validate-x86_64-pc-windows-gnu.exe \
    ignition-validate-x86_64-pc-windows-gnu.exe
mv usr/share/ignition/ignition-validate-x86_64-unknown-linux-gnu-static \
    ignition-validate-x86_64-linux

# Sign them
do_sign ignition-validate-aarch64-apple-darwin
do_sign ignition-validate-aarch64-linux
do_sign ignition-validate-ppc64le-linux
do_sign ignition-validate-s390x-linux
do_sign ignition-validate-x86_64-apple-darwin
do_sign ignition-validate-x86_64-pc-windows-gnu.exe
do_sign ignition-validate-x86_64-linux

# Fix permissions and clean up
chmod go+r *.asc
rm $rpm; rmdir ./usr/share/ignition; rmdir ./usr/share; rmdir ./usr

After running this you should end up with a directory with files in it like:

$ ls -1
ignition-validate-aarch64-apple-darwin
ignition-validate-aarch64-apple-darwin.asc
ignition-validate-aarch64-linux
ignition-validate-aarch64-linux.asc
ignition-validate-ppc64le-linux
ignition-validate-ppc64le-linux.asc
ignition-validate-s390x-linux
ignition-validate-s390x-linux.asc
ignition-validate-x86_64-apple-darwin
ignition-validate-x86_64-apple-darwin.asc
ignition-validate-x86_64-linux
ignition-validate-x86_64-linux.asc
ignition-validate-x86_64-pc-windows-gnu.exe
ignition-validate-x86_64-pc-windows-gnu.exe.asc

Metadata Update from @phsmoura:
- Issue tagged with: low-gain, low-trouble, ops

a month ago

Metadata Update from @phsmoura:
- Issue assigned to jnsamyak

a month ago

Thanks for opening this request, the detached signatures are created for ignition 2.20.0 release, can be found at: https://jnsamyak.fedorapeople.org/ignition/2.20.0/; In case of any queries, please let us know!

Metadata Update from @jnsamyak:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago

Log in to comment on this ticket.

Metadata
Boards 1
Ops Status: Backlog