How to prepare buildbot for major release
These are collected notes on the steps we took while preparing the buildbot infrastructure for the 21.02 release.
Generate new GPG key for release
Read Key Generation and prepare GPG/usign keys for release signing.
Generate GPG key
mkdir -p /tmp/signing
chmod 0700 /tmp/signing
gpg --homedir /tmp/signing --full-gen-key

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon 20 Feb 2023 02:19:16 PM CET
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: OpenWrt Build System
Email address: pgpsign-21.02@openwrt.org
Comment: PGP key for 21.02 release builds
You selected this USER-ID:
    "OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

pub   rsa4096 2021-02-20 [SC] [expires: 2023-02-20]
      667205E379BAF348863A5C6688CA59E88F681580
uid                      OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>
sub   rsa4096 2021-02-20 [E] [expires: 2023-02-20]
Export the GPG pubkey
gpg --homedir /tmp/signing --export --armor 667205E379BAF348863A5C6688CA59E88F681580 > openwrt/keyring.git/gpg/88CA59E8.asc
Import the GPG private key into buildbot
gpg --homedir /tmp/signing --export-secret-keys --armor 667205E379BAF348863A5C6688CA59E88F681580
and put the secret keys into ansible/inventory/group_vars/all/openwrt-secrets.yml, in the following variables:
vault_buildbot_gpg_pass_openwrt_21_02:
vault_buildbot_gpg_key_openwrt_21_02:
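A check that can be run on the key generated above before its public half is committed to keyring.git. This is an added example, not part of the original notes or of OpenWrt's tooling. It parses `gpg --with-colons` output and confirms the fingerprint, RSA key size and expiry. The function name `check_release_key`, its arguments and the sample listing (constructed, with illustrative timestamps and placeholder subkey values) are assumptions.

```shell
#!/bin/sh
# Added example: validate a release signing key from `gpg --with-colons` output.
# Usage: check_release_key FPR MIN_BITS [NOW_EPOCH] < colon-listing
# Prints one line per problem; returns 0 only if every check passes.
check_release_key() {
    awk -F: -v want="$1" -v minbits="$2" -v now="${3:-$(date +%s)}" '
        # pub record: field 3 = key length, field 4 = algorithm (1 = RSA),
        # field 7 = expiry in epoch seconds (empty means "never expires")
        $1 == "pub" { bits = $3; algo = $4; expires = $7; seen_pub = 1; next }
        # first fpr record after pub carries the primary fingerprint (field 10)
        $1 == "fpr" && seen_pub && fpr == "" { fpr = $10 }
        END {
            if (!seen_pub) { print "no pub record found"; exit 1 }
            bad = 0
            if (fpr != want)             { print "fingerprint mismatch: " fpr; bad = 1 }
            if (algo != 1)               { print "not an RSA key (algo " algo ")"; bad = 1 }
            if (bits + 0 < minbits)      { print "key too short: " bits " bits"; bad = 1 }
            if (expires == "")           { print "key never expires"; bad = 1 }
            else if (expires + 0 <= now) { print "key already expired"; bad = 1 }
            exit bad
        }'
}

# Fingerprint as printed by gpg on this page.
FPR=667205E379BAF348863A5C6688CA59E88F681580

# Constructed sample listing: timestamps are illustrative and the subkey
# id and fingerprint are all-zero placeholders.
SAMPLE='pub:u:4096:1:88CA59E88F681580:1613827156:1676899156::u:::scESC::::::23::0:
fpr:::::::::667205E379BAF348863A5C6688CA59E88F681580:
uid:u::::1613827156::::OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>::::::::::0:
sub:u:4096:1:0000000000000000:1613827156:1676899156:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Check the sample as of its (constructed) creation time.
printf '%s\n' "$SAMPLE" | check_release_key "$FPR" 4096 1613827156 && echo "key OK"

# Against the real keyring, omit NOW_EPOCH to use the current time:
#   gpg --homedir /tmp/signing --with-colons --list-keys "$FPR" \
#       | check_release_key "$FPR" 4096
```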
Cross sign new GPG key
Generate usign key
usign -G -c "Public usign key for 21.02 release builds" -s secret.key -p public.key
Add usign public key to keyring
usign -F -p public.key
2f8b0b98e08306bf
mv public.key openwrt/keyring.git/usign/2f8b0b98e08306bf
Add usign secret.key to ansible/inventories/openwrt-secrets.yml:
vault_buildbot_usign_key_openwrt_21_02:
Add GPG/usign keys to keyring.git repo
Update package/system/openwrt-keyring/Makefile package
Prepare buildbot infra and assign buildworkers
Apply new build infra 21.02
ansible-playbook --diff -i inventories/prod buildworker.yml --tags cfg,recreate-slave --limit fsf-02,fsf-04,osuosl-vm-03,osuosl-vm-04,truecz-01,truecz-02,buildmaster