Bug #16585

release_process: add intermediary “update misc files” commit?

Added by CyrilBrulebois 4 months ago. Updated 7 days ago.

Status: Needs Validation
Priority: Normal
Category: -
Target version:
Start date: 03/21/2019
Due date:
% Done: 0%
Feature Branch:
Type of work: Contributors documentation
Blueprint:
Starter:
Affected tool:

Description

Currently there are a lot of things getting done post release, under “Rename, copy, garbage collect and update various files”.

The first git commit instruction is very much below, after having collected things for the news about security bugfixes, etc.

I'd be happy to have two additions here:

  • mentioning cleaning up GPG's output, which can (and at least locally always does) contain warnings about key trust.
  • a call to git add and git commit with e.g. “Update misc files for ${VERSION?:}”

so that it can be recorded properly in git before new files get added with changelog excerpts/security fixes, etc.

Associated revisions

Revision d9cc68c5 (diff)
Added by intrigeri 4 months ago

Release process: add intermediary commit (refs: #16585).

Revision 40aa8198 (diff)
Added by intrigeri 3 months ago

Release process: generate the expected OpenPGP signature verification output in a more deterministic way (refs: #16585)

Using --trusted-key avoids this warning:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

… and makes our signing key trusted at the "ultimate" level.

So let's also s/ultimate/full/ to stick closer to what users should
get once they verify our key via the WoT and certify it locally.
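The two steps this commit message describes (passing `--trusted-key` so the warning is not printed, then rewriting "ultimate" to "full"), sketched as an added example; this is not the code from the commit or from the Tails release process. The function names are hypothetical, the `gpg` options other than `--trusted-key` are the ones used in comment #4 below, and the key ID is the last 16 hex digits of the primary key fingerprint shown there.

```shell
# Added example; not the Tails release-process script.
# Both values are derived from the primary key fingerprint quoted in this ticket.
SIGNING_KEY_ID='DBB802B258ACD84F'
SIGNING_KEY_FPR='A490D0F4D311A4153E2BB7CADBB802B258ACD84F'

# Filter: rewrite the validity label that --trusted-key produces ("ultimate")
# to the one a user gets after certifying the key locally ("full").
normalize_validity() {
    sed -e 's/\[ultimate\]$/[full]/'
}

# Check: succeed only if the text on stdin reports a good signature from the
# pinned primary key and contains no gpg trust warning.
check_expected_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from ' || return 1
    if printf '%s\n' "$out" | grep -q '^gpg: WARNING: '; then
        return 1
    fi
    fpr=$(printf '%s\n' "$out" \
        | sed -n 's/^Primary key fingerprint: //p' | tr -d ' ')
    [ "$fpr" = "$SIGNING_KEY_FPR" ]
}

# Hypothetical wrapper: print the normalized verification output.
# $1 = detached signature, $2 = signed file. Fails if gpg fails.
expected_verify_output() {
    raw=$(TZ=UTC gpg --no-options --keyid-format long \
              --trusted-key "$SIGNING_KEY_ID" \
              --verify "$1" "$2" 2>&1) || return 1
    printf '%s\n' "$raw" | normalize_validity
}
```

The check compares the primary key fingerprint against a pinned value, which is what ties the signature to the signing key regardless of the validity label the local trust database prints.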

History

#1 Updated by intrigeri 4 months ago

  • Assignee set to CyrilBrulebois

> I'd be happy to have two additions here:
>
>   • mentioning cleaning up GPG's output, which can (and at least locally always does) contain warnings about key trust.
>   • a call to git add and git commit with e.g. “Update misc files for ${VERSION?:}”
>
> so that it can be recorded properly in git before new files get added with changelog excerpts/security fixes, etc.

I'm not 100% sure I get what you mean and I bet it'll be cheaper to do it yourself than to try to explain to me what I should do and how we should clean up GPG output I've never seen :)

#2 Updated by intrigeri 4 months ago

  • Status changed from Confirmed to In Progress

#3 Updated by intrigeri 4 months ago

> I'm not 100% sure I get what you mean and I bet it'll be cheaper to do it yourself than to try to explain to me what I should do and how we should clean up GPG output I've never seen :)

While preparing 3.13.1, I've understood what you meant wrt. the intermediary commit so I added the step you've requested.

The status of the GnuPG part of this ticket remains unchanged.

#4 Updated by CyrilBrulebois 4 months ago

Since the first release I've been removing the warning there, following out-of-band instructions; either that's a good idea, and we should document it; or it's a bad idea, and I should stop doing that…

kibi@armor:~/work/clients/tails/release/isos.git/tails-amd64-3.13$ TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-3.13.iso.sig tails-amd64-3.13.iso
gpg: Signature made Tue 19 Mar 2019 00:08:29 UTC
gpg:                using RSA key FE029CB4AAD4788E1D7828E8A8B0F4E45B1B50E2
gpg: Good signature from "Tails developers (offline long-term identity key) <tails@boum.org>" [unknown]
gpg:                 aka "Tails developers <tails@boum.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
     Subkey fingerprint: FE02 9CB4 AAD4 788E 1D78  28E8 A8B0 F4E4 5B1B 50E2

The two lines being:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

#5 Updated by CyrilBrulebois 4 months ago

  • Assignee changed from CyrilBrulebois to intrigeri

#6 Updated by intrigeri 3 months ago

  • Assignee changed from intrigeri to CyrilBrulebois
  • Target version set to Tails_3.14
  • QA Check set to Ready for QA

> Since the first release I've been removing the warning there, following out-of-band instructions; either that's a good idea, and we should document it; or it's a bad idea, and I should stop doing that…

Thanks, I got it now! I've pushed a commit, referencing this ticket, that should fix this problem without need for manual intervention anymore.

So I think we're done with the 2 issues this ticket is about. Please review & close if happy (then, if the 3.14 release process shows that one of these problems is not fully fixed, we'll reopen).

#7 Updated by CyrilBrulebois about 2 months ago

  • Target version changed from Tails_3.14 to Tails_3.15

#8 Updated by intrigeri about 1 month ago

  • Status changed from In Progress to Needs Validation

#9 Updated by CyrilBrulebois 7 days ago

  • Target version changed from Tails_3.15 to Tails_3.16
