Do the signing of nightly mar files on tbb-nightlies-master.torproject.org
I think to do the nightly mar files signing on
tbb-nightlies-master.torproject.org we need to do the following list of tasks:
- open a ticket to ask tpa to install some dependencies on tbb-nightlies-master.torproject.org. The list of dependencies needed can be found in
tor-browser-build/tools/ansible/roles/tbb-nightly-signing/tasks/main.yml. In addition we also need tor and torsocks to be installed (to download the mar files from the .onion of the build server).
- tpo/tpa/team#40083 (closed)
tor-browser-build/tools/signing/nightly/config.yml, we need to update
rsync_dest to make it point to a local directory, and
- #40148 (closed)
tbb-nightlies-master.torproject.org as the
tbb-nightlies user (with
sudo -u tbb-nightlies -s):
tor-browser-build.git somewhere in the
generate a new mar signing key, using the script
tor-browser-build/tools/signing/nightly/create-nightly-mar-signing-key. We should then add this new key as a secondary key to
tor-browser.git, then wait a few days (or weeks) before doing the next steps so that most users have the new key when we do the switch. Alternatively I can upload the current key if we want to keep using it and rotate to a new key later.
torsocks tor-browser-build/tools/signing/nightly/sign-nightly to test the signing. For this test we should change
tor-browser-build/tools/signing/nightly/config.yml to a temporary directory to avoid conflict with the old signing VM (until it is ready to replace it).
when it is ready, add
torsocks tor-browser-build/tools/signing/nightly/sign-nightly to a cron job, to run it every 30 minutes
remove the file
/etc/ssh/userkeys/tbb-nightlies to remove access from the old signing VM
After a few days we should also remove the old mar signing key from