#12492 Create detached signatures for the butane 0.23.0 release
Closed: Fixed a month ago by spresti. Opened 2 months ago by spresti.

Please create detached signatures for the binaries we will upload to GitHub for the butane 0.23.0 release. This is a manual process for now, pending the automation discussed in https://pagure.io/robosignatory/issue/53 and https://github.com/coreos/fedora-coreos-tracker/issues/335.

The binaries themselves have been built in koji. Here is a small script to grab all of the rpms and the files out of the rpms and name them appropriately:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#!/bin/bash
set -eux -o pipefail

# Use the Fedora 40 key for the detached signatures
KEYTOSIGNWITH='fedora-40'

VR='0.23.0-1.fc40'
RPMKEY='a15b79cc' # Fedora 40 key

do_sign() {
    # Sign with sigul unless FAKESIGN=1
    if [ ${FAKESIGN:-0} != 1 ]; then
        sigul sign-data -a $KEYTOSIGNWITH "$1" -o "$1.asc"
    else
        echo INVALID > "$1.asc"
    fi
}

# Grab the binaries out of the redistributable rpm
rpm="butane-redistributable-${VR}.noarch.rpm"
koji download-build --key $RPMKEY --rpm $rpm
rpm -qip $rpm | grep -P "^Signature.*${RPMKEY}$" # Verify the output has the key in it
rpm2cpio $rpm | cpio -idv './usr/share/butane/butane-*'

# Rename the binaries
mv usr/share/butane/butane-aarch64-apple-darwin \
    butane-aarch64-apple-darwin
mv usr/share/butane/butane-aarch64-unknown-linux-gnu-static \
    butane-aarch64-unknown-linux-gnu
mv usr/share/butane/butane-ppc64le-unknown-linux-gnu-static \
    butane-ppc64le-unknown-linux-gnu
mv usr/share/butane/butane-s390x-unknown-linux-gnu-static \
    butane-s390x-unknown-linux-gnu
mv usr/share/butane/butane-x86_64-apple-darwin \
    butane-x86_64-apple-darwin
mv usr/share/butane/butane-x86_64-pc-windows-gnu.exe \
    butane-x86_64-pc-windows-gnu.exe
mv usr/share/butane/butane-x86_64-unknown-linux-gnu-static \
    butane-x86_64-unknown-linux-gnu

# Sign them
do_sign butane-aarch64-apple-darwin
do_sign butane-aarch64-unknown-linux-gnu
do_sign butane-ppc64le-unknown-linux-gnu
do_sign butane-s390x-unknown-linux-gnu
do_sign butane-x86_64-apple-darwin
do_sign butane-x86_64-pc-windows-gnu.exe
do_sign butane-x86_64-unknown-linux-gnu

# Fix permissions and clean up
chmod go+r *.asc
rm $rpm; rmdir ./usr/share/butane; rmdir ./usr/share; rmdir ./usr

After running this you should end up with a directory with files in it like:

$ ls -1
butane-aarch64-apple-darwin
butane-aarch64-apple-darwin.asc
butane-aarch64-unknown-linux-gnu
butane-aarch64-unknown-linux-gnu.asc
butane-ppc64le-unknown-linux-gnu
butane-ppc64le-unknown-linux-gnu.asc
butane-s390x-unknown-linux-gnu
butane-s390x-unknown-linux-gnu.asc
butane-x86_64-apple-darwin
butane-x86_64-apple-darwin.asc
butane-x86_64-pc-windows-gnu.exe
butane-x86_64-pc-windows-gnu.exe.asc
butane-x86_64-unknown-linux-gnu
butane-x86_64-unknown-linux-gnu.asc

Metadata Update from @jnsamyak:
- Issue tagged with: low-gain, low-trouble, ops

2 months ago

Metadata Update from @jnsamyak:
- Issue assigned to jnsamyak

2 months ago

@jnsamyak sorry to bug you but do you know when we might get these bin's signed? our finalization of our upstream release has been pending them, and has caused some confusion in the community.

I went ahead and signed it.

https://kevin.fedorapeople.org/butane-0.23.0-1.fc40/

Can you take a look and confirm all looks well and close this?

@kevin Thank you for doing that, it looks like everything is good! @ydesouza just finalized the release upstream!

Metadata Update from @spresti:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago

Log in to comment on this ticket.

Metadata
Boards 1
Ops Status: Backlog