How to prepare buildbot for major release

These are the collected notes on the steps we took while preparing the buildbot infrastructure for the 21.02 release.

Read Key Generation and prepare GPG/usign keys for release signing.

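#!/bin/sh

RELEASE="22.03"
RELEASE_DASH="$(echo "$RELEASE" | tr '.' '_')"
# Export GNUPGHOME so that every gpg call below works on a throwaway keyring
# instead of the invoking user's default one.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
PASSPHRASE="$(openssl rand -base64 45)"
# The files written below contain the passphrase and the secret key.
umask 077

# Parameter file for unattended key generation
cat > gpg-generate-key.txt << EOF
     %echo Generating a Openwrt ${RELEASE} release signing key
     Key-Type: RSA
     Key-Length: 4096
     SubKey-Type: RSA
     SubKey-Length: 4096
     Name-Real: OpenWrt Build System
     Name-Comment: GnuPGP key for ${RELEASE} release builds
     Name-Email: pgpsign-${RELEASE}@openwrt.org
     Expire-Date: 2y
     Passphrase: $PASSPHRASE
     %commit
     %echo done
EOF
gpg --batch --generate-key gpg-generate-key.txt
# The parameter file holds the passphrase in plain text
rm -f gpg-generate-key.txt

# Passphrase and armored secret key as variables for the Ansible vault
cat > "ansible-gpg-keys-${RELEASE_DASH}.yml" <<EOF
vault_buildbot_gpg_pass_openwrt_$RELEASE_DASH: $PASSPHRASE
vault_buildbot_gpg_key_openwrt_$RELEASE_DASH: |-
$(gpg --pinentry-mode loopback --passphrase "$PASSPHRASE" --export-secret-keys --armor | sed 's/^/  /')
EOF

gpg --list-keys

# Export the public key and publish it; the temporary keyring is removed
# only after the upload succeeded
KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1)
gpg --export --armor > "${KEYID}.asc"
gpg --keyserver keyserver.ubuntu.com --send-keys "$KEYID" && rm -fr "$GNUPGHOME"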

The script should output something like this:

gpg: keybox '/tmp/tmp.95eyQQXZku/pubring.kbx' created
gpg: Generating a Openwrt 22.03 release signing key
gpg: /tmp/tmp.95eyQQXZku/trustdb.gpg: trustdb created
gpg: key CD54E82DADB3684D marked as ultimately trusted
gpg: directory '/tmp/tmp.95eyQQXZku/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.95eyQQXZku/openpgp-revocs.d/BF856781A01293C8409ABE72CD54E82DADB3684D.rev'
gpg: done
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-03-24
/tmp/tmp.95eyQQXZku/pubring.kbx
-------------------------------
pub   rsa4096 2022-03-25 [SCEA] [expires: 2024-03-24]
      BF856781A01293C8409ABE72CD54E82DADB3684D
uid           [ultimate] OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org>
sub   rsa4096 2022-03-25 [SEA] [expires: 2024-03-24]
 
gpg: sending key CD54E82DADB3684D to hkp://keyserver.ubuntu.com
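
As an added example (not part of the original notes or of the OpenWrt tooling), the function below checks a `gpg --with-colons` key listing against the batch parameters used above: exactly one primary key, RSA, at least 4096 bits, an expiry date, and the pgpsign-<release>@openwrt.org uid. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# check_release_key RELEASE: reads a `gpg --with-colons` key listing on stdin
# and compares it with the batch parameters used by the script above.
check_release_key() {
    awk -F: -v want="<pgpsign-$1@openwrt.org>" '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        $1 == "pub" { npub++; bits = $3; algo = $4; expires = $7; need_fpr = 1 }
        $1 == "fpr" && need_fpr { fpr = $10; need_fpr = 0 }
        $1 == "uid" && index($10, want) { uid_ok = 1 }
        END {
            # More than one primary key means the listing did not come
            # from the isolated temporary GNUPGHOME.
            if (npub != 1)     fail("expected 1 primary key, found " (npub + 0))
            if (algo != 1)     fail("primary key is not RSA")  # algorithm 1 = RSA
            if (bits < 4096)   fail("key length " (bits + 0) " is below 4096")
            if (expires == "") fail("key has no expiry date")
            if (!uid_ok)       fail("uid " want " not found")
            if (bad) exit 1
            print "OK " fpr
        }'
}

# Constructed sample listings: timestamps, the uid hash and the subkey ID are
# made up; key ID and fingerprint are the ones from the output above.
sample_release_key() {
    cat <<'EOF'
pub:u:4096:1:CD54E82DADB3684D:1648166400:1711238400::u:::scESCA:
fpr:::::::::BF856781A01293C8409ABE72CD54E82DADB3684D:
uid:u::::1648166400::0000000000000000000000000000000000000000::OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org>:
sub:u:4096:1:0000000000000000:1648166400:1711238400:::::sea:
EOF
}

# Same listing plus a stray 2048-bit key without expiry, as would appear if
# the listing came from a keyring that was not the temporary one.
sample_stray_keys() {
    sample_release_key
    cat <<'EOF'
pub:u:2048:1:1111111111111111:1500000000:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::0000000000000000000000000000000000000000::Someone Else <someone@example.org>:
EOF
}

# Real use, before the temporary keyring is removed:
#   gpg --list-keys --with-colons | check_release_key "$RELEASE"
```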

Put the YAML content of the ansible-gpg-keys-22_03.yml file into inventories/openwrt-secrets.yml:

 vault_buildbot_gpg_pass_openwrt_22_03: foo
 vault_buildbot_gpg_key_openwrt_22_03: |-
   -----BEGIN PGP PRIVATE KEY BLOCK-----   
               ...snip...  
   -----END PGP PRIVATE KEY BLOCK-----

usign -G -c "Public usign key for 22.03 release builds" -s secret.key -p public.key
usign -F -p public.key
2f8b0b98e08306bf
 
mv public.key openwrt/keyring.git/usign/2f8b0b98e08306bf

Add usign secret.key to ansible/inventories/openwrt-secrets.yml:

vault_buildbot_usign_key_openwrt_22_03:

Add new key info to signatures page.

ansible-playbook --diff -i inventories/prod buildworker.yml --tags cfg,recreate-slave --limit fsf-02,fsf-04,osuosl-vm-03,osuosl-vm-04,truecz-01,truecz-02,buildmaster

Last modified: 2022/05/04 08:05 by ynezz