diff --git a/README.md b/README.md index 7a56afe9af..c93b82a7b2 100644 --- a/README.md +++ b/README.md @@ -100,6 +100,7 @@ Updating this repo: Update server changes: 1. Set a new update barrier for N-2 on all streams. + In the barrier entry set a link to [the docs](https://docs.fedoraproject.org/en-US/fedora-coreos/update-barrier-signing-keys/). See [discussion](https://github.com/coreos/fedora-coreos-tracker/issues/480#issuecomment-631724629). CoreOS Installer changes: 
@@ -111,12 +112,40 @@ CoreOS Installer changes: Release engineering changes: -1. verify that the `f${releasever}-coreos-signing-pending` Koji tag has - been created (this should have already been done by releng scripts on - branching) -2. `koji untag` N-2 packages from the pool (at some point we'll have GC +1. Verify that a few tags have been created. These should have been created + by releng scripts on branching: + +- `f${releasever}-coreos-signing-pending` +- `f${releasever}-coreos-continuous` + +2. The tag info for the coreos-pool tag has the new release (N) and + next release (N+1) signing keys (just to stay ahead of the curve) + and removes the old release (N-2) signing key. The following commands + view the current settings and then update the list to 32/33/34 keys. + You'll most likely have to get someone from releng to run the second + command (`edit-tag`). + +- `koji taginfo coreos-pool` +- `koji edit-tag coreos-pool -x tag2distrepo.keys="12c944d0 9570ff31 45719a39"` + + +3. `koji untag` N-2 packages from the pool (at some point we'll have GC in place to do this for us, but for now we must remember to do this manually or otherwise distRepo will fail once the signed packages are - GC'ed). For example: - - `koji list-tagged coreos-pool --quiet | grep fc30 | cut -f1 -d' ' | sort | uniq` - - Sanity-check the output, then pipe it to `xargs koji untag-build coreos-pool` + GC'ed). For example the following snippet finds all RPMs signed by the + Fedora 31 key and untags them. + +``` +f31key=3c3359c4 +key=$f31key +untaglist='' +for build in $(koji list-tagged --quiet coreos-pool | cut -f1 -d' '); do + if koji buildinfo $build | grep $key 1>/dev/null; then + untaglist+="${build} " + echo "Adding $build to untag list" + fi +done + +# After verifying the list looks good: +# - koji untag-build coreos-pool $untaglist +```
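Review bot: In the first hunk, the line added under "Update server changes" step 1 says to set a link in the barrier entry but does not say which field of the entry carries it or show what a finished entry looks like. The next person doing this will have to reconstruct that from the linked tracker discussion. Suggest naming the field, or pointing at an existing barrier entry as a model, next to the docs link.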
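Review bot: In the second hunk, the untag loop's test `koji buildinfo $build | grep $key 1>/dev/null` matches the 8-character key ID anywhere in the buildinfo output, so a build lands in `untaglist` whenever that string appears in any field, not only when it identifies the signing key. Since the list feeds `koji untag-build`, tighten the match (at least `grep -qw "$key"`, ideally anchored to the line that reports the signature) and quote `"$build"`. The prose also says the snippet finds RPMs, but the loop iterates over builds. Separately, step 2 reads as a statement ("The tag info ... has") rather than an instruction, and the `tag2distrepo.keys` value lists three key IDs without saying which is 32, 33 or 34. Only `3c3359c4` is labelled, further down, as the Fedora 31 key. Suggest an imperative for step 2 and a key-ID-to-release mapping, so a reviewer can verify that the right key is dropped and the right ones are added.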