#9811 Create detached signatures for the Ignition 2.7.0 release
Closed: Fixed 3 years ago by pingou. Opened 3 years ago by slowrie.

Please create detached signatures for the binaries we will upload to GitHub for the Ignition 2.7.0 release. This is a manual process for now, pending the automation discussed in https://pagure.io/releng/issue/9057 and https://github.com/coreos/fedora-coreos-tracker/issues/335.

The binaries themselves have been built in koji. Here is a small script to grab all of the rpms and the files out of the rpms and name them appropriately:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/bin/bash
set -eux -o pipefail
# Use the Fedora 32 key for the detached signatures
KEYTOSIGNWITH='fedora-32'

VR='2.7.0-1.git5be43fd.fc32'
RPMKEY='12c944d0' # Fedora 32 key
ARCHES='x86_64 aarch64 ppc64le s390x'

# Grab the windows/mac binaries out of the nonlinux rpm
rpm="ignition-validate-nonlinux-${VR}.noarch.rpm"
koji download-build --key $RPMKEY --rpm $rpm
rpm -qip $rpm | grep -P "^Signature.*${RPMKEY}$" # Verify the output has the key in it
rpm2cpio $rpm | cpio -idv ./usr/share/ignition/ignition-validate-x86_64-apple-darwin ./usr/share/ignition/ignition-validate-x86_64-pc-windows-gnu.exe
mv ./usr/share/ignition/ignition-validate-* .
sigul sign-data -a $KEYTOSIGNWITH ./ignition-validate-x86_64-apple-darwin -o ./ignition-validate-x86_64-apple-darwin.asc
sigul sign-data -a $KEYTOSIGNWITH ./ignition-validate-x86_64-pc-windows-gnu.exe -o ./ignition-validate-x86_64-pc-windows-gnu.exe.asc 
rm $rpm; rm -r ./usr

# Grab the linux binary for a few arches we care about
for arch in $ARCHES; do
    mkdir $arch; pushd $arch
    rpm="ignition-validate-${VR}.${arch}.rpm"
    outfile="ignition-validate-${arch}-linux"
    koji download-build --key $RPMKEY --rpm $rpm
    rpm -qip $rpm | grep $RPMKEY # Verify the output has the key in it
    rpm2cpio "${rpm}" | cpio -idv ./usr/bin/ignition-validate
    mv ./usr/bin/ignition-validate "../${outfile}"
    # Add detached signature step here using $KEYTOSIGNWITH
    rm "${rpm}"; rmdir ./usr/bin; rmdir ./usr
    popd; rmdir $arch
    sigul sign-data -a $KEYTOSIGNWITH "./${outfile}" -o "./${outfile}.asc"
done

After running this you should end up with a directory with files in it like:

$ ls -1
ignition-validate-aarch64-linux
ignition-validate-ppc64le-linux
ignition-validate-s390x-linux
ignition-validate-x86_64-apple-darwin
ignition-validate-x86_64-linux
ignition-validate-x86_64-windows

Metadata Update from @smooge:
- Issue tagged with: medium-gain, medium-trouble

3 years ago

Metadata Update from @mohanboddu:
- Issue tagged with: ops

3 years ago

Metadata Update from @mohanboddu:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Issue status updated to: Open (was: Closed)

3 years ago

Issue status updated to: Closed (was: Open)
Issue close_status updated to: Fixed

3 years ago

Login to comment on this ticket.

Metadata
Boards 1
Ops Status: Done