#28 CI Gating: Robosignatory should sign Koji builds from side-tags
Closed: Fixed 4 years ago by abompard. Opened 4 years ago by nphilipp.

For CI gating of multi-build updates in Bodhi, Robosignatory should be able to sign builds tagged into the corresponding *-pending-signing tag of a side-tag and tag these builds into the corresponding *-testing tag (both of which are created by Bodhi when an update containing the builds in the side-tag is created).


I wonder how you intend to implement this, since signing anything ending with *-pending-signing would be unacceptable.
I think that we should have Bodhi send a message to request signing on everything in a side tag as soon as it's submitted or something of that sort.

Here's the rough idea (what I plan to implement in robosignatory in italics):

  • Builds are built into the side-tag (e.g. f32-build-side-1234) by the maintainer.
  • Maintainer creates an update "from the tag", i.e. doesn't specify the list of builds to Bodhi individually but "take what's in that tag right now".
  • Bodhi creates the auxiliary tags, f32-build-side-1234-pending-signing and f32-build-side-1234-testing, and moves the builds from f32-build-side-1234 to f32-build-side-1234-pending-signing.
  • Robosignatory receives the message about the build being tagged this way, and because it knows from its configuration that side-tags for f32 are of the form f32-build-side-<number> and from Koji that f32-build-side-1234 actually is a side-tag and that the auxiliary tags are f32-build-side-1234-pending-signing and f32-build-side-1234-testing accordingly, proceeds to sign the build artifacts and moves them into the f32-build-side-1234-testing tag.

Starting with the example in README.rst, here's how I'd extend its configuration:

  {
    "from": "f26-pending",
    "to": "f26",
    "key": "fedora-26",
    "keyid": "64dab85d",
    "sidetags": {
        "pattern": "<to>-build-side-<seq_id>",
        "from": "<sidetag>-pending-signing",
        "to": "<sidetag>-testing"
    }
  }

The placeholders in angle brackets allow us to simply copy and paste from one release to the next without having to worry about making mistakes there.

Okay. So in that case, should we maybe also add a configuration for trusted_tagger for the tag messages, and only sign if the tag operation was performed by Bodhi?
So as to avoid someone randomly creating a mytag-pending-signing and getting it signed by robosignatory by just tagging things in that would not be tracked anywhere.

That's a good idea! Another idea to improve safety would be to check that the build actually was built in the matching side tag (by querying its tag history from Koji).
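To show how the proposed placeholder configuration and the two safety checks discussed in this thread (trusted tagger, tag history) could fit together, here is an added Python example; it is not robosignatory's code. The "trusted_tagger" key, the function names, the f32 values and the tag-history list are constructed assumptions.

```python
import re

# Constructed configuration modelled on the extension proposed in this ticket.
# "trusted_tagger" is an assumed key taken from the discussion, not a real option.
CONFIG = {
    "from": "f32-pending",
    "to": "f32",
    "key": "fedora-32",
    "keyid": "constructed-keyid",
    "sidetags": {
        "pattern": "<to>-build-side-<seq_id>",
        "from": "<sidetag>-pending-signing",
        "to": "<sidetag>-testing",
        "trusted_tagger": "bodhi",
    },
}


def sidetag_regex(config):
    """Turn the placeholder pattern into an anchored regex for side-tag names."""
    pattern = config["sidetags"]["pattern"].replace("<to>", re.escape(config["to"]))
    pattern = pattern.replace("<seq_id>", r"(?P<seq_id>\d+)")
    return re.compile(f"^(?P<sidetag>{pattern})$")


def resolve_sidetag_signing(config, tag_name, tagger, tag_history=None):
    """Decide whether a Koji tag message should trigger signing.

    Returns the destination tag (e.g. f32-build-side-1234-testing) when the
    tagged-into tag is the -pending-signing tag of a side-tag matching the
    configured pattern and the tag operation was done by the trusted tagger;
    otherwise returns None.  tag_history stands in for the build's Koji tag
    history (a plain list here so the example runs offline).
    """
    side = config["sidetags"]
    from_suffix = side["from"].replace("<sidetag>", "", 1)  # "-pending-signing"
    if not tag_name.endswith(from_suffix):
        return None
    sidetag = tag_name[: -len(from_suffix)]
    # A random "mytag-pending-signing" never matches the release pattern.
    if sidetag_regex(config).match(sidetag) is None:
        return None
    # Only tag operations performed by Bodhi are honoured.
    if tagger != side["trusted_tagger"]:
        return None
    # Extra check: the build must actually have been in the matching side-tag.
    if tag_history is not None and sidetag not in tag_history:
        return None
    return side["to"].replace("<sidetag>", sidetag, 1)
```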

@abompard do you know if this ticket is fixed?

It is my understanding that this feature is in the release that we're trying to deploy currently. If so I guess the ticket can be closed.
If it is not in the code, then I'll need to track this :)

Yes, this should have been fixed by PR#29.

Metadata Update from @abompard:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

Related Pull Requests
  • #29 Merged 4 years ago