Differences

This shows you the differences between two versions of the page.

--- docs:guide-developer:releases:buildbot-major-releases [2022/03/20 09:15] – [Add usign public key to keyring] fix ansible file path ynezz
+++ docs:guide-developer:releases:buildbot-major-releases [2024/11/06 09:03] (current) – Remove the GPG key setup, the key is now provided via Nitrokey3 ynezz
@@ Line 2: / Line 2: @@
 These are collected notes of the steps we've done during preparation of buildbot infrastructure for 21.02 release.
-===== Generate new GPG key for release =====
-Read [[docs:guide-user:security:keygen|Key Generation]] and prepare GPG/usign keys for release signing.
-==== Generate GPG key ====
-<code bash>
-mkdir -p /tmp/signing
-chmod 0700 /tmp/signing
-gpg --homedir /tmp/signing --full-gen-key
-Please select what kind of key you want:
-   (1) RSA and RSA (default)
-   (2) DSA and Elgamal
-   (3) DSA (sign only)
-   (4) RSA (sign only)
-Your selection?
-RSA keys may be between 1024 and 4096 bits long.
-What keysize do you want? (3072) 4096
-Requested keysize is 4096 bits
-Please specify how long the key should be valid.
-= key does not expire
-	  <n>  = key expires in n days
-	  <n>w = key expires in n weeks
-	  <n>m = key expires in n months
-	  <n>y = key expires in n years
-Key is valid for? (0) 2y
-Key expires at Mon 20 Feb 2023 02:19:16 PM CET
-Is this correct? (y/N) y
-GnuPG needs to construct a user ID to identify your key.
-Real name: OpenWrt Build System
-Email address: pgpsign-21.02@openwrt.org
-Comment: PGP key for 21.02 release builds
-You selected this USER-ID:
-	"OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>"
-Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
-pub   rsa4096 2021-02-20 [SC] [expires: 2023-02-20]
-E379BAF348863A5C6688CA59E88F681580
-uid                      OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>
-sub   rsa4096 2021-02-20 [E] [expires: 2023-02-20]
-</code>
-==== Export the GPG pubkey ====
-<code bash>
-gpg --homedir /tmp/signing --export --armor 667205E379BAF348863A5C6688CA59E88F681580 > openwrt/keyring.git/gpg/88CA59E8.asc
-</code>
-==== Import the GPG private key into buildbot ====
-<code bash>
-gpg --homedir /tmp/signing --export-secret-keys --armor 667205E379BAF348863A5C6688CA59E88F681580
-</code>
-and put the secret keys into ansible/inventory/group_vars/all/openwrt-secrets.yml into following variables:
-<code yaml>
- vault_buildbot_gpg_pass_openwrt_21_02:
- vault_buildbot_gpg_key_openwrt_21_02:
-</code>
-==== Cross sign new GPG key ====
-FIXME http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html
 ===== Generate usign key =====
 <code bash>
-usign -G -c "Public usign key for 21.02 release builds" -s secret.key -p public.key
+usign -G -c "Public usign key for 22.03 release builds" -s secret.key -p public.key
 </code>
@@ Line 91: / Line 21: @@
 <code yaml>
-vault_buildbot_usign_key_openwrt_21_02:
+vault_buildbot_usign_key_openwrt_22_03:
 </code>
@@ Line 102: / Line 32: @@
   - [[commit>?p=openwrt/openwrt.git;a=commit;h=1bf6d70e60fdb45d81a8f10b90904cef38c73f70|openwrt-keyring: add OpenWrt 21.02 GPG/usign keys]]
+  - [[commit>2d03f27f0f0768e25f3b00fb5b4f2974144c66e3|openwrt-keyring: make opkg use 22.03 usign key]] (NOTE: this needs to be done only in the release branch)
+==== Add new GPG key information to the release signatures page =====
+  - Add new key info to [[:docs:guide-user:security:signatures]] page
 ===== Prepare buildbot infra and assign buildworkers =====