Do the signing of nightly mar files on tbb-nightlies-master.torproject.org
I think to do the nightly mar files signing on tbb-nightlies-master.torproject.org we need to do the following list of tasks:
- open a ticket to ask tpa to install some dependencies on tbb-nightlies-master.torproject.org. The list of dependencies needed can be found in `tor-browser-build/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml`. In addition we also need tor and torsocks to be installed (to download the mar files from the .onion of the build server).
  - tpo/tpa/team#40083 (closed)
- in `tor-browser-build/tools/signing/nightly/config.yml`, we need to update `rsync_dest` to make it point to a local directory, and `post_rsync_cmd` to run `static-update-component nightlies.tbb.torproject.org`.
  - #40148 (closed)
Then on tbb-nightlies-master.torproject.org as the tbb-nightlies user (with sudo -u tbb-nightlies -s):
- clone `tor-browser-build.git` somewhere in the `tbb-nightlies` home directory
- generate a new mar signing key, using the script `tor-browser-build/tools/signing/nightly/create-nightly-mar-signing-key`. We should then add this new key as a secondary key to `tor-browser.git`, then wait a few days (or weeks) before doing the next steps so that most users have the new key when we do the switch. Alternatively I can upload the current key if we want to keep using it and rotate to a new key later.
- manually run `torsocks tor-browser-build/tools/signing/nightly/sign-nightly` to test the signing. For this test we should change `rsync_dest` in `tor-browser-build/tools/signing/nightly/config.yml` to a temporary directory to avoid conflict with the old signing VM (until it is ready to replace it).
- when it is ready, add `torsocks tor-browser-build/tools/signing/nightly/sign-nightly` to a cron job, to run it every 30 minutes
- remove the file `/etc/ssh/userkeys/tbb-nightlies` to remove access from the old signing VM
After a few days we should also remove the old mar signing key from tor-browser.git.