How to prepare buildbot for major release

These are the collected notes on the steps we took while preparing the buildbot infrastructure for the 21.02 release.

Read Key Generation and prepare GPG/usign keys for release signing.

: "${RELEASE:?set RELEASE to the release being prepared, e.g. RELEASE=22.03}"
RELEASE_DASH="$(echo "$RELEASE" | tr '.' '_')"
# Throwaway keyring; must be exported so that gpg actually uses it.
export GNUPGHOME="$(mktemp -d)"
PASSPHRASE="$(openssl rand -base64 45)"
# The files written below contain the passphrase and the secret key.
umask 077
cat > gpg-generate-key.txt << EOF
     %echo Generating a Openwrt ${RELEASE} release signing key
     Key-Type: RSA
     Key-Length: 4096
     SubKey-Type: RSA
     SubKey-Length: 4096
     Name-Real: OpenWrt Build System
     Name-Comment: GnuPGP key for ${RELEASE} release builds
     Name-Email: pgpsign-${RELEASE}
     Expire-Date: 2y
     Passphrase: $PASSPHRASE
     %echo done
EOF
gpg --batch --generate-key gpg-generate-key.txt
# Export the passphrase and the armored secret key as Ansible variables.
cat > "ansible-gpg-keys-${RELEASE_DASH}.yml" <<EOF
vault_buildbot_gpg_pass_openwrt_$RELEASE_DASH: $PASSPHRASE
vault_buildbot_gpg_key_openwrt_$RELEASE_DASH: |-
$(gpg --pinentry-mode loopback --passphrase "$PASSPHRASE" --export-secret-keys --armor | sed 's/^/  /')
EOF
gpg --list-keys
KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1)
gpg --export --armor > "${KEYID}.asc"
# The keyserver address is missing from this page; set KEYSERVER before running.
gpg --keyserver "${KEYSERVER:?}" --send-keys "$KEYID" && rm -fr "$GNUPGHOME"

This should output something like:

gpg: keybox '/tmp/tmp.95eyQQXZku/pubring.kbx' created
gpg: Generating a Openwrt 22.03 release signing key
gpg: /tmp/tmp.95eyQQXZku/trustdb.gpg: trustdb created
gpg: key CD54E82DADB3684D marked as ultimately trusted
gpg: directory '/tmp/tmp.95eyQQXZku/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.95eyQQXZku/openpgp-revocs.d/BF856781A01293C8409ABE72CD54E82DADB3684D.rev'
gpg: done
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-03-24
pub   rsa4096 2022-03-25 [SCEA] [expires: 2024-03-24]
uid           [ultimate] OpenWrt Build System (GnuPGP key for 22.03 release builds) <>
sub   rsa4096 2022-03-25 [SEA] [expires: 2024-03-24]
gpg: sending key CD54E82DADB3684D to hkp://
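
Before the public key is published, its listing can be checked against the parameters in gpg-generate-key.txt (RSA, 4096 bits, 2y expiry). The following is an added example, not part of the original notes: `check_release_key` is a hypothetical helper, and the sample records are constructed, with the key ID, fingerprint and dates following the sample output above.

```shell
#!/bin/sh
# Added example, not part of the original notes. check_release_key is a
# hypothetical helper; the sample records below are constructed.

# Reads `gpg --with-colons` records on stdin. Succeeds only if every pub/sub
# key is RSA (algorithm 1), 4096 bits, and expires within ~2 years of creation,
# i.e. matches Key-Type/Key-Length/Expire-Date in gpg-generate-key.txt.
check_release_key() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            keys++
            id = $1 " " $5
            if ($4 != 1)    { print id ": not RSA (algorithm " $4 ")"; bad = 1 }
            if ($3 != 4096) { print id ": " $3 " bits, expected 4096"; bad = 1 }
            if ($7 == "")   { print id ": no expiry date"; bad = 1 }
            else if ($7 - $6 > 731 * 86400) { print id ": expiry beyond 2y"; bad = 1 }
        }
        # The first fpr record belongs to the primary key.
        $1 == "fpr" && fpr == "" { fpr = $10 }
        END {
            if (keys == 0) { print "no keys found"; bad = 1 }
            if (!bad) print "OK " fpr
            exit bad + 0
        }'
}

# Constructed sample: key ID, fingerprint and dates follow the sample output
# on this page; the subkey ID is made up.
sample_good() {
    cat <<'EOF'
pub:u:4096:1:CD54E82DADB3684D:1648166400:1711238400::u:::scESCA:
fpr:::::::::BF856781A01293C8409ABE72CD54E82DADB3684D:
uid:u::::1648166400::::OpenWrt Build System (GnuPGP key for 22.03 release builds):
sub:u:4096:1:0123456789ABCDEF:1648166400:1711238400:::::esa:
EOF
}

# Constructed counter-example: 2048-bit primary key without an expiry date.
sample_weak() {
    cat <<'EOF'
pub:u:2048:1:0123456789ABCDEF:1648166400:::u:::scESCA:
sub:u:4096:1:FEDCBA9876543210:1648166400:1711238400:::::esa:
EOF
}

sample_good | check_release_key
sample_weak | check_release_key || echo "weak key rejected"
# Real use: gpg --show-keys --with-colons "${KEYID}.asc" | check_release_key
```

The fingerprint printed on success is the value to compare with what the keyserver and the signatures page later show.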

Put the YAML content of the ansible-gpg-keys-22_03.yml file into inventories/openwrt-secrets.yml:

 vault_buildbot_gpg_pass_openwrt_22_03: foo
 vault_buildbot_gpg_key_openwrt_22_03: |-

usign -G -c "Public usign key for 22.03 release builds" -s secret.key -p public.key
usign -F -p public.key
mv public.key openwrt/keyring.git/usign/2f8b0b98e08306bf

Add usign secret.key to ansible/inventories/openwrt-secrets.yml:

  1. Add new key info to signatures page

ansible-playbook --diff -i inventories/prod buildworker.yml --tags cfg,recreate-slave --limit fsf-02,fsf-04,osuosl-vm-03,osuosl-vm-04,truecz-01,truecz-02,buildmaster
  • Last modified: 2022/05/04 04:05
  • by ynezz