Differences

docs:guide-developer:releases:buildbot-major-releases [2022/03/25 12:46] – [Generate GPG key] ynezz
docs:guide-developer:releases:buildbot-major-releases [2024/11/06 09:03] (current) – Remove the GPG key setup, the key is now provided via Nitrokey3 ynezz
Line 2: Line 2:
  
 These are collected notes of the steps we've done during preparation of buildbot infrastructure for 21.02 release. These are collected notes of the steps we've done during preparation of buildbot infrastructure for 21.02 release.
- 
-===== Generate new GPG key for release ===== 
- 
-Read [[docs:guide-user:security:keygen|Key Generation]] and prepare GPG/usign keys for release signing. 
- 
-==== Generate GPG key ==== 
- 
-<code bash> 
-#!/bin/sh 
- 
-RELEASE="22.03" 
-RELEASE_DASH="$(echo "$RELEASE" | tr '.' '_')" 
-GNUPGHOME="$(mktemp -d)" 
-PASSPHRASE="$(openssl rand -base64 45)" 
- 
-cat > gpg-generate-key.txt << EOF 
-     %echo Generating a Openwrt ${RELEASE} release signing key 
-     Key-Type: RSA 
-     Key-Length: 4096 
-     SubKey-Type: RSA 
-     SubKey-Length: 4096 
-     Name-Real: OpenWrt Build System 
-     Name-Comment: GnuPGP key for ${RELEASE} release builds 
-     Name-Email: pgpsign-${RELEASE}@openwrt.org 
-     Expire-Date: 2y 
-     Passphrase: $PASSPHRASE 
-     %commit 
-     %echo done 
-EOF 
-gpg --batch --generate-key gpg-generate-key.txt 
- 
-cat > "ansible-gpg-keys-${RELEASE_DASH}.yml" <<EOF 
-vault_buildbot_gpg_pass_openwrt_$RELEASE_DASH: $PASSPHRASE 
-vault_buildbot_gpg_key_openwrt_$RELEASE_DASH: 
-  $(gpg --pinentry-mode loopback --passphrase "$PASSPHRASE" --export-secret-keys --armor | sed 's/^/  /') 
-EOF 
- 
-gpg --list-keys 
- 
-KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1) 
-gpg --export --armor > "${KEYID}.asc" 
-gpg --keyserver keyserver.ubuntu.com --send-keys "$KEYID" && rm -fr "$GNUPGHOME" 
-</code> 
- 
-Should output something like this: 
- 
-<code bash> 
-gpg: keybox '/tmp/tmp.95eyQQXZku/pubring.kbx' created 
-gpg: Generating a Openwrt 22.03 release signing key 
-gpg: /tmp/tmp.95eyQQXZku/trustdb.gpg: trustdb created 
-gpg: key CD54E82DADB3684D marked as ultimately trusted 
-gpg: directory '/tmp/tmp.95eyQQXZku/openpgp-revocs.d' created 
-gpg: revocation certificate stored as '/tmp/tmp.95eyQQXZku/openpgp-revocs.d/BF856781A01293C8409ABE72CD54E82DADB3684D.rev' 
-gpg: done 
-gpg: checking the trustdb 
-gpg: marginals needed: 3  completes needed: 1  trust model: pgp 
-gpg: depth: 0  valid:    signed:    trust: 0-, 0q, 0n, 0m, 0f, 1u 
-gpg: next trustdb check due at 2024-03-24 
-/tmp/tmp.95eyQQXZku/pubring.kbx 
-------------------------------- 
-pub   rsa4096 2022-03-25 [SCEA] [expires: 2024-03-24] 
-      BF856781A01293C8409ABE72CD54E82DADB3684D 
-uid           [ultimate] OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org> 
-sub   rsa4096 2022-03-25 [SEA] [expires: 2024-03-24] 
- 
-gpg: sending key CD54E82DADB3684D to hkp://keyserver.ubuntu.com 
-</code> 
-==== Export the GPG pubkey ==== 
- 
-<code bash> 
-gpg --homedir /tmp/signing --export --armor 667205E379BAF348863A5C6688CA59E88F681580 > openwrt/keyring.git/gpg/88CA59E8.asc 
-</code> 
- 
-==== Import the GPG private key into buildbot ==== 
- 
-<code bash> 
-gpg --homedir /tmp/signing --export-secret-keys --armor 667205E379BAF348863A5C6688CA59E88F681580 
-</code> 
- 
-and put the secret keys into //inventories/openwrt-secrets.yml// into following variables: 
- 
-<code yaml> 
- vault_buildbot_gpg_pass_openwrt_21_02: 
- 
- vault_buildbot_gpg_key_openwrt_21_02: 
-</code> 
- 
-==== Cleanup ==== 
- 
-<code bash> 
-rm -fr /tmp/signing 
-reboot 
-</code> 
- 
-==== Cross sign new GPG key ==== 
- 
-FIXME http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html 
  
 ===== Generate usign key ===== ===== Generate usign key =====
  
 <code bash> <code bash>
-usign -G -c "Public usign key for 21.02 release builds" -s secret.key -p public.key+usign -G -c "Public usign key for 22.03 release builds" -s secret.key -p public.key
 </code> </code>
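Review bot: the whole "Generate new GPG key for release" section (key generation script, pubkey export, import of the private key into buildbot, cleanup and the "Cross sign new GPG key" FIXME) is removed without any replacement text, so after this change the page no longer says where the Nitrokey3-provided release key is set up, how its public key is exported into openwrt/keyring.git, or which vault variables (if any) buildbot still needs for GPG signing; suggest keeping a one-paragraph stub in its place, e.g. "The GPG release key is provided via Nitrokey3; see <link to the Nitrokey3 procedure>", so the release checklist stays complete. Also, the unchanged intro line still reads "preparation of buildbot infrastructure for 21.02 release" while the usign comment in this hunk is bumped to "22.03 release builds"; the intro should be updated to the same release, or worded generically.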
  
Line 118: Line 21:
  
 <code yaml> <code yaml>
-vault_buildbot_usign_key_openwrt_21_02:+vault_buildbot_usign_key_openwrt_22_03:
 </code> </code>
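Review bot: renaming the vault variable from `vault_buildbot_usign_key_openwrt_21_02` to `vault_buildbot_usign_key_openwrt_22_03` only covers the inventory side; nothing in this hunk says the buildbot configuration that reads the variable is updated to the new name, so a note such as "update the buildbot role/playbook to reference `vault_buildbot_usign_key_openwrt_22_03`" would make the step self-contained. Since the variable name is per release, it is also worth stating whether the previous release's variable is kept (for still-building 21.02 branches) or removed.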
  
Line 129: Line 32:
  
   - [[commit>?p=openwrt/openwrt.git;a=commit;h=1bf6d70e60fdb45d81a8f10b90904cef38c73f70|openwrt-keyring: add OpenWrt 21.02 GPG/usign keys]]   - [[commit>?p=openwrt/openwrt.git;a=commit;h=1bf6d70e60fdb45d81a8f10b90904cef38c73f70|openwrt-keyring: add OpenWrt 21.02 GPG/usign keys]]
 +  - [[commit>2d03f27f0f0768e25f3b00fb5b4f2974144c66e3|openwrt-keyring: make opkg use 22.03 usign key]] (NOTE: this needs to be done only in the release branch)
 +
 +==== Add new GPG key information to the release signatures page =====
  
 +  - Add new key info to [[:docs:guide-user:security:signatures]] page
 ===== Prepare buildbot infra and assign buildworkers ===== ===== Prepare buildbot infra and assign buildworkers =====
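Review bot: the added heading `==== Add new GPG key information to the release signatures page =====` has four `=` on the left and five on the right; DokuWiki requires matching markers, so this will not render as a heading (suggest `==== Add new GPG key information to the release signatures page ====`, or `=====` on both sides if it is meant to be a top-level step like the surrounding sections). The added list item also has no blank line before the following `===== Prepare buildbot infra and assign buildworkers =====` heading, and the new commit link uses `[[commit>2d03f27f...|...]]` while the existing item above uses the `[[commit>?p=openwrt/openwrt.git;a=commit;h=...|...]]` form; pick one interwiki form so both links resolve the same way.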
  
  • Last modified: 2022/03/25 12:46
  • by ynezz