For CI gating of multi-build updates in Bodhi, Robosignatory should be able to sign builds tagged into the corresponding *-pending-signing tag of a side-tag and tag these builds into the corresponding *-testing tag (both of which are created by Bodhi when an update containing the builds in the side-tag is created).
I wonder how you intend to implement this, since signing anything ending with *-pending-signing would be unacceptable. I think that we should have Bodhi send a message to request signing on everything in a side tag as soon as it's submitted or something of that sort.
Here's the rough idea (what I plan to implement in robosignatory in italics):
f32-build-side-1234
f32-build-side-1234-pending-signing
f32-build-side-1234-testing
f32
f32-build-side-<number>
Starting with the example in README.rst, here's how I'd extend its configuration:
    {
        "from": "f26-pending",
        "to": "f26",
        "key": "fedora-26",
        "keyid": "64dab85d",
        "sidetags": {
            "pattern": "<to>-build-side-<seq_id>",
            "from": "<sidetag>-pending-signing",
            "to": "<sidetag>-testing"
        }
    }
The placeholders in angle brackets allow us to simply copy and paste from one release to the next without having to worry about making mistakes there.
Okay. So in that case, should we maybe also add a configuration for trusted_tagger for the tag messages, and only sign if the tag operation was performed by Bodhi? So as to avoid someone randomly creating a mytag-pending-signing and getting it signed by robosignatory by just tagging things in that would not be tracked anywhere.
That's a good idea! Another idea to improve safety would be to check that the build actually was built in the matching side tag (by querying its tag history from Koji).
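The checks discussed in this thread (side-tag pattern match, trusted tagger, tag history), sketched as an added example; this is not robosignatory's code and not written by anyone in the thread. Assumptions: `<to>` expands to the entry's own `to` value, `<seq_id>` is numeric, the `trusted_tagger` value `bodhi` is made up, and the Koji tag history is passed in as a plain list instead of being queried.

```python
import re

# Constructed config: the entry from the thread plus the proposed
# "trusted_tagger" key (its value "bodhi" is an assumption).
CONFIG = {
    "from": "f26-pending", "to": "f26",
    "key": "fedora-26", "keyid": "64dab85d",
    "trusted_tagger": "bodhi",
    "sidetags": {
        "pattern": "<to>-build-side-<seq_id>",
        "from": "<sidetag>-pending-signing",
        "to": "<sidetag>-testing",
    },
}


def sidetag_regex(cfg):
    """Compile the side-tag 'from' template into a regex with a named group."""
    side = cfg["sidetags"]
    # Escape the literal text first, then substitute the placeholders.
    pat = re.escape(side["pattern"])
    pat = pat.replace(re.escape("<to>"), re.escape(cfg["to"]))
    pat = pat.replace(re.escape("<seq_id>"), "[0-9]+")
    frm = re.escape(side["from"])
    frm = frm.replace(re.escape("<sidetag>"), "(?P<sidetag>" + pat + ")")
    return re.compile(frm)


def signing_decision(cfg, tag, tagger, build_tag_history):
    """Return the destination tag if the build may be signed, else None.

    build_tag_history stands in for the list of tags Koji reports
    the build has been in (hypothetical, simplified input).
    """
    # fullmatch: a tag that merely ends in "-pending-signing" is rejected.
    m = sidetag_regex(cfg).fullmatch(tag)
    if m is None:
        return None
    # Only act on tag operations performed by the trusted tagger.
    if tagger != cfg["trusted_tagger"]:
        return None
    # The build must have been in the side tag it is being signed for.
    sidetag = m.group("sidetag")
    if sidetag not in build_tag_history:
        return None
    return cfg["sidetags"]["to"].replace("<sidetag>", sidetag)
```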
@abompard do you know if this ticket is fixed?
It is my understanding that this feature is in the release that we're trying to deploy currently. If so I guess the ticket can be closed. If it is not in the code, then I'll need to track this :)
Yes, this should have been fixed by PR#29.
Metadata Update from @abompard: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)