Differences

This shows you the differences between two versions of the page.

--- docs:guide-developer:releases:buildbot-major-releases [2022/03/20 07:43] – created ynezz
+++ docs:guide-developer:releases:buildbot-major-releases [2024/11/06 09:03] (current) – Remove the GPG key setup, the key is now provided via Nitrokey3 ynezz
@@ Line 1: / Line 1: @@
 ====== How to prepare buildbot for major release ======
-These are collected notes of the steps done during 21.02 release.
+These are collected notes of the steps we've done during preparation of buildbot infrastructure for 21.02 release.
-===== Generate new GPG key for release =====
+===== Generate usign key =====
-===== Cross sign new GPG key =====
+<code bash>
+usign -G -c "Public usign key for 22.03 release builds" -s secret.key -p public.key
+</code>
-TODO: check http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html
+==== Add usign public key to keyring ====
-Read https://openwrt.org/docs/guide-user/security/keygen and prepare gpg/usign
+<code bash>
-keys for release signing.
+usign -F -p public.key
+f8b0b98e08306bf
-Generate gpg key:
+mv public.key openwrt/keyring.git/usign/2f8b0b98e08306bf
+</code>
-	mkdir -p /tmp/signing
+Add usign secret.key to //ansible/inventories/openwrt-secrets.yml//:
-	chmod 0700 /tmp/signing
-	gpg --homedir /tmp/signing --full-gen-key
-	Please select what kind of key you want:
+<code yaml>
-	   (1) RSA and RSA (default)
+vault_buildbot_usign_key_openwrt_22_03:
-	   (2) DSA and Elgamal
+</code>
-	   (3) DSA (sign only)
-	   (4) RSA (sign only)
-	Your selection?
-	RSA keys may be between 1024 and 4096 bits long.
-	What keysize do you want? (3072) 4096
-	Requested keysize is 4096 bits
-	Please specify how long the key should be valid.
-= key does not expire
-		  <n>  = key expires in n days
-		  <n>w = key expires in n weeks
-		  <n>m = key expires in n months
-		  <n>y = key expires in n years
-	Key is valid for? (0) 2y
-	Key expires at Mon 20 Feb 2023 02:19:16 PM CET
-	Is this correct? (y/N) y
-	GnuPG needs to construct a user ID to identify your key.
+===== Add GPG/usign keys to keyring.git repo =====
-	Real name: OpenWrt Build System
+  - [[commit>?p=keyring.git;a=commit;h=bc4d80f064f2af385a78705d5de0fc8e882c3991|gpg: add OpenWrt 21.02 signing key]]
-	Email address: pgpsign-21.02@openwrt.org
+  - [[commit>?p=keyring.git;a=commit;h=49283916005d7868923d34ab34f14188cf74812d|usign: add 21.02 release build pubkey]]
-	Comment: PGP key for 21.02 release builds
-	You selected this USER-ID:
-		"OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>"
-	Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
+==== Update package/system/openwrt-keyring/Makefile package ====
-	pub   rsa4096 2021-02-20 [SC] [expires: 2023-02-20]
+  - [[commit>?p=openwrt/openwrt.git;a=commit;h=1bf6d70e60fdb45d81a8f10b90904cef38c73f70|openwrt-keyring: add OpenWrt 21.02 GPG/usign keys]]
-E379BAF348863A5C6688CA59E88F681580
+  - [[commit>2d03f27f0f0768e25f3b00fb5b4f2974144c66e3|openwrt-keyring: make opkg use 22.03 usign key]] (NOTE: this needs to be done only in the release branch)
-	uid                      OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>
-	sub   rsa4096 2021-02-20 [E] [expires: 2023-02-20]
-Export the gpg pubkey:
+==== Add new GPG key information to the release signatures page =====
- gpg --homedir /tmp/signing --export --armor 667205E379BAF348863A5C6688CA59E88F681580 > openwrt/keyring.git/gpg/88CA59E8.asc
+  - Add new key info to [[:docs:guide-user:security:signatures]] page
+===== Prepare buildbot infra and assign buildworkers =====
-run:
+  - [[commit>?p=admin/ansible.git;a=commit;h=ec7b5803e269911aa45e86ad694f72eec57e68fd|inventory: add setup for 21.02 release]]
-  gpg --homedir /tmp/signing --export-secret-keys --armor 667205E379BAF348863A5C6688CA59E88F681580
+==== Apply new build infra 21.02 ====
-and put the secret keys into ansible/inventory/group_vars/all/openwrt-secrets.yml into following variables:
+<code bash>
+ansible-playbook --diff -i inventories/prod buildworker.yml --tags cfg,recreate-slave --limit fsf-02,fsf-04,osuosl-vm-03,osuosl-vm-04,truecz-01,truecz-02,buildmaster
- vault_buildbot_gpg_pass_openwrt_21_02:
+</code>
- vault_buildbot_gpg_key_openwrt_21_02:
-Generate usign key:
- usign -G -c "Public usign key for 21.02 release builds" -s secret.key -p public.key
-Add usign public key to keyring:
- usign -F -p public.key
-f8b0b98e08306bf
- mv public.key openwrt/keyring.git/usign/2f8b0b98e08306bf
-Add usign secret.key to ansible/inventory/group_vars/all/openwrt-secrets.yml:
- vault_buildbot_usign_key_openwrt_21_02:
-add both keys to keyring.git repo:
-    usign: add 21.02 release build pubkey
-    	usign/2f8b0b98e08306bf | 2 ++
-file changed, 2 insertions(+)
-    gpg: add OpenWrt 21.02 signing key
-		gpg/88CA59E8.asc | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
-file changed, 53 insertions(+)
-Cleanup:
- rm -fr /tmp/signing
- reboot
-Update package/system/openwrt-keyring/Makefile package:
-	commit 9be7a4f679da58b5a97ee608e6470a513ece65c4
-	Author:     Petr Štetiar <ynezz@true.cz>
-	AuthorDate: Sat Feb 20 15:56:19 2021 +0100
-	Commit:     Petr Štetiar <ynezz@true.cz>
-	CommitDate: Sat Feb 20 15:58:40 2021 +0100
-		openwrt-keyring: add OpenWrt 21.02 GPG/usign keys
-		49283916005d usign: add 21.02 release build pubkey
-		bc4d80f064f2 gpg: add OpenWrt 21.02 signing key
-		Signed-off-by: Petr Štetiar <ynezz@true.cz>
-	diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile
-	index 7779e0c5a483..6f3aa65622d5 100644
-	--- a/package/system/openwrt-keyring/Makefile
-	+++ b/package/system/openwrt-keyring/Makefile
-	@@ -7,9 +7,9 @@ PKG_RELEASE:=1
-	 PKG_SOURCE_PROTO:=git
-	 PKG_SOURCE_URL=$(PROJECT_GIT)/keyring.git
-	-PKG_SOURCE_DATE:=2019-07-25
-	-PKG_SOURCE_VERSION:=8080ef341b4180e40c4ae8ab63511ac6496f0ad1
-	-PKG_MIRROR_HASH:=000882364b953691bf02f7ac41462badb68f452f0317cdfd51cfd617c9b1e364
-	+PKG_SOURCE_DATE:=2021-02-20
-	+PKG_SOURCE_VERSION:=49283916005d7868923d34ab34f14188cf74812d
-	+PKG_MIRROR_HASH:=7b58592bb49e4b37c8e80904c8f457ce3f0f2e6b1d2c473ccfe9204a8b7be831
-	 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
-	 PKG_LICENSE:=GPL-2.0
-Prepare buildbot infra and assign buildworkers:
-	commit ec7b5803e269911aa45e86ad694f72eec57e68fd
-	Author:     Petr Štetiar <ynezz@true.cz>
-	AuthorDate: Tue Feb 16 08:15:45 2021 +0100
-	Commit:     Petr Štetiar <ynezz@true.cz>
-	CommitDate: Tue Feb 16 09:14:02 2021 +0100
-		inventory: add setup for 21.02 release
-		Signed-off-by: Petr Štetiar <ynezz@true.cz>
-	diff --git a/inventory/group_vars/all/openwrt.yml b/inventory/group_vars/all/openwrt.yml
-	index 38964a4dd725..757039d7a88f 100644
-	--- a/inventory/group_vars/all/openwrt.yml
-	+++ b/inventory/group_vars/all/openwrt.yml
-	@@ -113,6 +113,20 @@ buildmaster:
-		   CONFIG_KERNEL_KALLSYMS=y
-		   CONFIG_AUTOREMOVE=y
-	+  - name: OpenWrt 21.02
-	+    branch: openwrt-21.02
-	+    seedconfig: |-
-	+      CONFIG_BUILDBOT=y
-	+      CONFIG_DEVEL=y
-	+      CONFIG_IMAGEOPT=y
-	+      CONFIG_VERSIONOPT=y
-	+      CONFIG_CCACHE=n
-	+      CONFIG_KERNEL_KALLSYMS=n
-	+      CONFIG_AUTOREMOVE=y
-	+      CONFIG_PACKAGE_luci=y
-	+      CONFIG_IB=y
-	+      CONFIG_SDK=y
-	+
-	   - name: OpenWrt 19.07
-		 branch: openwrt-19.07
-		 extra_slaves:
-	diff --git a/inventory/host_vars/fsf-02.yml b/inventory/host_vars/fsf-02.yml
-	index c71fc30f02b0..613f0982268f 100644
-	--- a/inventory/host_vars/fsf-02.yml
-	+++ b/inventory/host_vars/fsf-02.yml
-	@@ -10,20 +10,20 @@ additional_admins:
-	 buildslaves:
-	   fsf-dock-05:
-		 master: Snapshot
-	-    phase: 2
-	+    phase: 1
-		 cpuset: 0-7
-	   fsf-dock-06:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 2
-		 cpuset: 8-15
-	   fsf-dock-07:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 2
-		 cpuset: 16-23
-	   fsf-dock-08:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 2
-		 cpuset: 24-31
-	diff --git a/inventory/host_vars/fsf-04.yml b/inventory/host_vars/fsf-04.yml
-	index 76cb874c747e..5c6ec61bbb7a 100644
-	--- a/inventory/host_vars/fsf-04.yml
-	+++ b/inventory/host_vars/fsf-04.yml
-	@@ -9,12 +9,12 @@ additional_admins:
-	 buildslaves:
-	   fsf-dock-13:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 1
-		 cpuset: 0-7
-	   fsf-dock-14:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 1
-		 cpuset: 8-15
-	diff --git a/inventory/host_vars/osuosl-vm-03.yml b/inventory/host_vars/osuosl-vm-03.yml
-	index 7f9cef5d9718..acd3c6037d44 100644
-	--- a/inventory/host_vars/osuosl-vm-03.yml
-	+++ b/inventory/host_vars/osuosl-vm-03.yml
-	@@ -7,5 +7,5 @@ additional_admins:
-	 buildslaves:
-	   osuosl-dock-03:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 1
-	diff --git a/inventory/host_vars/osuosl-vm-04.yml b/inventory/host_vars/osuosl-vm-04.yml
-	index 63db875c3709..e9b7d2ae7567 100644
-	--- a/inventory/host_vars/osuosl-vm-04.yml
-	+++ b/inventory/host_vars/osuosl-vm-04.yml
-	@@ -7,5 +7,5 @@ additional_admins:
-	 buildslaves:
-	   osuosl-dock-04:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 2
-	diff --git a/inventory/host_vars/truecz-01.yml b/inventory/host_vars/truecz-01.yml
-	index 50bc7ca0a655..bd86d1c69360 100644
-	--- a/inventory/host_vars/truecz-01.yml
-	+++ b/inventory/host_vars/truecz-01.yml
-	@@ -4,6 +4,6 @@ contact: Petr Štetiar <ynezz@true.cz>
-	 buildslaves:
-	   truecz-dock-01:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 1
-		 cpuset: 0-7
-	diff --git a/inventory/host_vars/truecz-02.yml b/inventory/host_vars/truecz-02.yml
-	index 7199c053a6f3..3263a633acf1 100644
-	--- a/inventory/host_vars/truecz-02.yml
-	+++ b/inventory/host_vars/truecz-02.yml
-	@@ -4,6 +4,6 @@ contact: Petr Štetiar <ynezz@true.cz>
-	 buildslaves:
-	   truecz-dock-02:
-	-    master: Snapshot
-	+    master: OpenWrt 21.02
-		 phase: 1
-		 cpuset: 0-7
-===== Apply new build infra 21.02 =====
- ansible-playbook --diff -i inventories/prod buildworker.yml --tags cfg,recreate-slave --limit fsf-02,fsf-04,osuosl-vm-03,osuosl-vm-04,truecz-01,truecz-02,buildmaster