How to prepare buildbot for major release

These are collected notes on the steps we took while preparing the buildbot infrastructure for the 21.02 release.

Generate new GPG key for release

Read Key Generation and prepare the GPG/usign keys for release signing.

Generate GPG key

```sh
#!/bin/sh

RELEASE="22.03"
RELEASE_DASH="$(echo "$RELEASE" | tr '.' '_')"
# Throwaway keyring, so the release key never lands in the operator's own ~/.gnupg.
# GNUPGHOME has to be exported, otherwise gpg ignores it and uses the default home.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
PASSPHRASE="$(openssl rand -base64 45)"

# Parameters for unattended key generation
cat > gpg-generate-key.txt << EOF
%echo Generating a Openwrt ${RELEASE} release signing key
Key-Type: RSA
Key-Length: 4096
SubKey-Type: RSA
SubKey-Length: 4096
Name-Real: OpenWrt Build System
Name-Comment: GnuPGP key for ${RELEASE} release builds
Name-Email: pgpsign-${RELEASE}@openwrt.org
Expire-Date: 2y
Passphrase: $PASSPHRASE
%commit
%echo done
EOF

gpg --batch --generate-key gpg-generate-key.txt
# The parameter file holds the passphrase in clear text, so remove it once the key exists
rm -f gpg-generate-key.txt

# Passphrase and armored private key, in the form expected by the Ansible vault
cat > "ansible-gpg-keys-${RELEASE_DASH}.yml" <<EOF
vault_buildbot_gpg_pass_openwrt_$RELEASE_DASH: $PASSPHRASE
vault_buildbot_gpg_key_openwrt_$RELEASE_DASH: |-
$(gpg --pinentry-mode loopback --passphrase "$PASSPHRASE" --export-secret-keys --armor | sed 's/^/ /')
EOF

gpg --list-keys

# Export the public key, publish it, then delete the temporary keyring
KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1)
gpg --export --armor > "${KEYID}.asc"
gpg --keyserver keyserver.ubuntu.com --send-keys "$KEYID" && rm -fr "$GNUPGHOME"
```

This should output something like:

```
gpg: keybox '/tmp/tmp.95eyQQXZku/pubring.kbx' created
gpg: Generating a Openwrt 22.03 release signing key
gpg: /tmp/tmp.95eyQQXZku/trustdb.gpg: trustdb created
gpg: key CD54E82DADB3684D marked as ultimately trusted
gpg: directory '/tmp/tmp.95eyQQXZku/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.95eyQQXZku/openpgp-revocs.d/BF856781A01293C8409ABE72CD54E82DADB3684D.rev'
gpg: done
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-03-24
/tmp/tmp.95eyQQXZku/pubring.kbx
-------------------------------
pub   rsa4096 2022-03-25 [SCEA] [expires: 2024-03-24]
      BF856781A01293C8409ABE72CD54E82DADB3684D
uid           [ultimate] OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org>
sub   rsa4096 2022-03-25 [SEA] [expires: 2024-03-24]

gpg: sending key CD54E82DADB3684D to hkp://keyserver.ubuntu.com
```

Import the GPG private key into buildbot

Put the YAML content of the ansible-gpg-keys-22_03.yml file into inventories/openwrt-secrets.yml:

```yaml
vault_buildbot_gpg_pass_openwrt_22_03: foo
vault_buildbot_gpg_key_openwrt_22_03: |-
  -----BEGIN PGP PRIVATE KEY BLOCK-----
  ...snip...
  -----END PGP PRIVATE KEY BLOCK-----
```

Cross sign new GPG key

http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html

Generate usign key

```sh
usign -G -c "Public usign key for 22.03 release builds" -s secret.key -p public.key
```

Add usign public key to keyring

```sh
usign -F -p public.key    # prints the key fingerprint: 2f8b0b98e08306bf
mv public.key openwrt/keyring.git/usign/2f8b0b98e08306bf
```

Add usign secret.key to ansible/inventories/openwrt-secrets.yml:

```yaml
vault_buildbot_usign_key_openwrt_22_03:
```

Add GPG/usign keys to keyring.git repo

gpg: add OpenWrt 21.02 signing key
usign: add 21.02 release build pubkey

Update package/system/openwrt-keyring/Makefile package

openwrt-keyring: add OpenWrt 21.02 GPG/usign keys
openwrt-keyring: make opkg use 22.03 usign key (NOTE: this needs to be done only in the release branch)

Add new GPG key information to the release signatures page

Add new key info to signatures page

Prepare buildbot infra and assign buildworkers

inventory: add setup for 21.02 release

Apply new build infra 21.02

```sh
ansible-playbook --diff -i inventories/prod buildworker.yml --tags cfg,recreate-slave --limit fsf-02,fsf-04,osuosl-vm-03,osuosl-vm-04,truecz-01,truecz-02,buildmaster
```

Last modified: 2022/05/04 04:05 by ynezz
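For the "Add usign public key to keyring" step, a check that every file in a keyring directory is named after the key ID it contains. This is an added example, not part of the original notes or of the OpenWrt tooling; the function names, the sample key and the temporary directory are constructed for illustration, and it assumes the signify-compatible key file layout that usign uses.

```shell
#!/bin/sh
# Added example: confirm each usign public key in a keyring directory is filed
# under its own key ID (what `usign -F -p` prints), without the usign binary.

# usign keys use the signify layout: line 1 is a comment, line 2 is base64 of
#   "Ed" (2 bytes) | key ID (8 bytes) | Ed25519 public key (32 bytes)
usign_keyid() {
    blob=$(sed -n '2p' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "${#blob}" -eq 84 ] || return 1             # 42 bytes = 84 hex digits
    case "$blob" in 4564*) ;; *) return 1 ;; esac # algorithm tag must be "Ed"
    printf '%s\n' "$blob" | cut -c5-20            # bytes 3..10 = key ID
}

# Print every file whose name is not its key ID; non-zero status if any is found.
check_keyring() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        id=$(usign_keyid "$f") || { echo "UNPARSABLE $f"; rc=1; continue; }
        [ "$id" = "$(basename "$f")" ] || { echo "MISMATCH $f holds key $id"; rc=1; }
    done
    return "$rc"
}

# Constructed sample, not a real key: key ID 0102030405060708, 32 filler bytes.
make_sample_key() {
    printf 'untrusted comment: constructed sample key\n'
    printf 'Ed\001\002\003\004\005\006\007\010%032d' 0 | base64
}

# Demo on a temporary directory standing in for keyring.git/usign/
demo=$(mktemp -d)
make_sample_key > "$demo/0102030405060708"   # named after its key ID: passes
make_sample_key > "$demo/ffffffffffffffff"   # wrong file name: reported
check_keyring "$demo" || echo "keyring check failed"
rm -rf "$demo"
```

Running `check_keyring` against the usign/ directory of a keyring checkout before committing catches a key that was moved under the wrong name.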