Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resign and promote qubes-template-securedrop-workstation (build tag:… #36

Merged
merged 1 commit into from
Jul 4, 2022
Merged

Resign and promote qubes-template-securedrop-workstation (build tag:… #36

merged 1 commit into from
Jul 4, 2022

Conversation

sssoleileraaa
Copy link
Contributor

@sssoleileraaa sssoleileraaa commented Jul 1, 2022
edited by rocodes
Loading

Description

Promoting package on yum-test to prod (see freedomofpress/securedrop-yum-test#37).

Package being released: qubes-template-securedrop-workstation
Package tag: https://github.com/freedomofpress/qubes-template-securedrop-workstation/releases/tag/0.3.0
Build logs: freedomofpress/build-logs@ed07a59
Prod signing key used to sign package and tag: https://github.com/freedomofpress/securedrop-workstation-prod-rpm-packages-lfs/blob/HEAD/pubkeys/prod.key

Release tracking issue: #33

Checklist for PR owner

Checklist for reviewer

  • CI is passing
  • The RPM is signed with the prod signing key
    • Download the signed RPM from this PR
    • Run rpm -qi <signed-rpm> to get the KEY ID
    • Run gpg -k <KEY ID> to verify that it matches the prod signing key (make sure you have the prod signing key referenced in the PR description in your GPG keyring)
  • The Unsigned RPM checksum matches what's in the build logs
    • Download the signed RPM from this PR (if you haven't already)
    • Run rpm --delsign <signed-rpm> to remove the signature (do this on fedora 33 or 34, see last line in build logs for rpm version)
    • Run sha256sum <unsigned-rpm> and compare

@sssoleileraaa sssoleileraaa force-pushed the release-template branch 2 times, most recently from 9e921c9 to 636458c Compare July 1, 2022 22:28
@rocodes rocodes self-requested a review July 1, 2022 23:24
@rocodes
Copy link
Contributor

rocodes commented Jul 4, 2022

Checklist for reviewer

  • CI is passing
  • The RPM is signed with the prod signing key
    • Download the signed RPM from this PR
    • Run rpm -qi <signed-rpm> to get the KEY ID (Note: Actually used rpm -Kv since I hadn't installed yet)
    • Run gpg -k <KEY ID> to verify that it matches the prod signing key (make sure you have the prod signing key referenced in the PR description in your GPG keyring)
  • The Unsigned RPM checksum matches what's in the build logs
    • Download the signed RPM from this PR (if you haven't already)
    • Run rpm --delsign <signed-rpm> to remove the signature (do this on fedora 33 or 34, see last line in build logs for rpm version)
    • Run sha256sum <unsigned-rpm> and compare

rocodes
rocodes approved these changes Jul 4, 2022
View reviewed changes
Copy link
Contributor

@rocodes rocodes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See previous comment regarding rpm signature verification

  • Template installs successfully after adding prod key to a 4.1.1-rc1 workstation (dev setup due to current lack of prod artifacts)
  • Artifact has been tested (with signing key) & promoted

@rocodes rocodes merged commit 2c9d25c into main Jul 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rocodes rocodes rocodes approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sssoleileraaa @rocodes