Differences

docs:guide-developer:releases:buildbot-major-releases [2022/05/04 08:05] – Add new GPG key information to the release signatures page – ynezz
docs:guide-developer:releases:buildbot-major-releases [2024/11/06 09:03] (current) – Remove the GPG key setup, the key is now provided via Nitrokey3 – ynezz
Line 2: Line 2:
  
 These are collected notes of the steps we've done during preparation of buildbot infrastructure for 21.02 release. These are collected notes of the steps we've done during preparation of buildbot infrastructure for 21.02 release.
- 
-===== Generate new GPG key for release ===== 
- 
-Read [[docs:guide-user:security:keygen|Key Generation]] and prepare GPG/usign keys for release signing. 
- 
-==== Generate GPG key ==== 
- 
-<code bash> 
-#!/bin/sh 
- 
-RELEASE="22.03" 
-RELEASE_DASH="$(echo "$RELEASE" | tr '.' '_')" 
-GNUPGHOME="$(mktemp -d)" 
-PASSPHRASE="$(openssl rand -base64 45)" 
- 
-cat > gpg-generate-key.txt << EOF 
-     %echo Generating a Openwrt ${RELEASE} release signing key 
-     Key-Type: RSA 
-     Key-Length: 4096 
-     SubKey-Type: RSA 
-     SubKey-Length: 4096 
-     Name-Real: OpenWrt Build System 
-     Name-Comment: GnuPGP key for ${RELEASE} release builds 
-     Name-Email: pgpsign-${RELEASE}@openwrt.org 
-     Expire-Date: 2y 
-     Passphrase: $PASSPHRASE 
-     %commit 
-     %echo done 
-EOF 
-gpg --batch --generate-key gpg-generate-key.txt 
- 
-cat > "ansible-gpg-keys-${RELEASE_DASH}.yml" <<EOF 
-vault_buildbot_gpg_pass_openwrt_$RELEASE_DASH: $PASSPHRASE 
-vault_buildbot_gpg_key_openwrt_$RELEASE_DASH: |- 
-$(gpg --pinentry-mode loopback --passphrase "$PASSPHRASE" --export-secret-keys --armor | sed 's/^/  /') 
-EOF 
- 
-gpg --list-keys 
- 
-KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1) 
-gpg --export --armor > "${KEYID}.asc" 
-gpg --keyserver keyserver.ubuntu.com --send-keys "$KEYID" && rm -fr "$GNUPGHOME" 
-</code> 
- 
-Should output something like this: 
- 
-<code bash> 
-gpg: keybox '/tmp/tmp.95eyQQXZku/pubring.kbx' created 
-gpg: Generating a Openwrt 22.03 release signing key 
-gpg: /tmp/tmp.95eyQQXZku/trustdb.gpg: trustdb created 
-gpg: key CD54E82DADB3684D marked as ultimately trusted 
-gpg: directory '/tmp/tmp.95eyQQXZku/openpgp-revocs.d' created 
-gpg: revocation certificate stored as '/tmp/tmp.95eyQQXZku/openpgp-revocs.d/BF856781A01293C8409ABE72CD54E82DADB3684D.rev' 
-gpg: done 
-gpg: checking the trustdb 
-gpg: marginals needed: 3  completes needed: 1  trust model: pgp 
-gpg: depth: 0  valid:    signed:    trust: 0-, 0q, 0n, 0m, 0f, 1u 
-gpg: next trustdb check due at 2024-03-24 
-/tmp/tmp.95eyQQXZku/pubring.kbx 
-------------------------------- 
-pub   rsa4096 2022-03-25 [SCEA] [expires: 2024-03-24] 
-      BF856781A01293C8409ABE72CD54E82DADB3684D 
-uid           [ultimate] OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org> 
-sub   rsa4096 2022-03-25 [SEA] [expires: 2024-03-24] 
- 
-gpg: sending key CD54E82DADB3684D to hkp://keyserver.ubuntu.com 
-</code> 
- 
-==== Import the GPG private key into buildbot ==== 
- 
-Put YAML content of //ansible-gpg-keys-22_03.yml// file into //inventories/openwrt-secrets.yml// 
- 
-<code yaml> 
- vault_buildbot_gpg_pass_openwrt_22_03: foo 
- vault_buildbot_gpg_key_openwrt_22_03: |- 
-   -----BEGIN PGP PRIVATE KEY BLOCK-----    
-               ...snip...   
-   -----END PGP PRIVATE KEY BLOCK----- 
-</code> 
- 
-==== Cross sign new GPG key ==== 
- 
-FIXME http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html 
  
 ===== Generate usign key ===== ===== Generate usign key =====
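Review bot: Deleting the whole "Generate new GPG key for release" section leaves the page with no statement of how the release signing key is now provisioned; the revision summary says it comes from a Nitrokey3, but nothing in the remaining text says so. Suggest keeping a one-paragraph replacement under the removed heading, e.g. "The GPG release signing key is provided via the Nitrokey3; see the release signatures page", so readers of the 21.02/22.03 notes are not left guessing. The removed line "Read [[docs:guide-user:security:keygen|Key Generation]] and prepare GPG/usign keys for release signing" also served as the lead-in for the "===== Generate usign key =====" section that follows, so that pointer should survive the deletion. Dropping the "Cross sign new GPG key" FIXME and its openwrt-devel link without resolving it also loses the only record that cross-signing of the new key was an open item; if it still applies to the Nitrokey-held key, move the note rather than delete it. Removing the script itself is the right call: it wrote the passphrase and the armored secret key to an unencrypted ansible-gpg-keys-*.yml in the working directory, passed the passphrase on the gpg command line, and only cleaned up "$GNUPGHOME" when --send-keys succeeded, so a failed keyserver upload left the private key in /tmp.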
  • Last modified: 2022/05/04 08:05
  • by ynezz