Pesign upgrades/reboots

Fedora currently has two special builders. They are used to build the small set of packages that must be signed for Secure Boot: grub2, shim, kernel and pesign-test-app.

When rebooting or upgrading pesign on these machines, you have to follow a special process to unlock the signing keys.

Contact Information

Owner

Fedora Release Engineering, Kernel/grub2/shim/pesign maintainers

Contact

#fedora-admin, #fedora-kernel

Servers

buildhw-x86-02, buildhw-a64-02

Purpose

Upgrade or restart signing keys on kernel/grub2/shim builders

Procedure

Two secrets are needed for the builders to be able to talk to sigul and sign executables.

  1. The passphrase for the sigul user that has access to the secure boot signing certificates. You can provide this with:

    systemd-ask-password | systemd-creds encrypt - /etc/credstore.encrypted/sigul.signing-key-passphrase
  2. The sigul private key that identifies this client with the above user. Create a private scratch directory, copy private-key.pem into it (scp it from ansible-private, or paste it into a file), then encrypt it:

    mkdir /tmp/somedir
    chmod 700 /tmp/somedir
    systemd-creds encrypt /tmp/somedir/private-key.pem /etc/credstore.encrypted/sigul.pesign.bridge.client.private_key.pem

Once both credentials are in place, the sigul-pesign-bridge.service should be running and ready to process signing requests.
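A post-procedure check script, added here as an example (it is not taken from this SOP or from the sigul project): it verifies that both encrypted credentials exist with no group/other permission bits, that the scratch directory holding the plaintext key was removed, and that the bridge service is active. The credstore path, scratch path and service name are assumed from the procedure above and can be overridden through the environment.

```shell
#!/bin/sh
# Added post-procedure check for the two builders (example code, not part of this SOP).
# Credential names are the ones used in the procedure above; the credstore path,
# scratch dir and service name are assumed defaults, overridable via the environment.
CREDSTORE="${CREDSTORE:-/etc/credstore.encrypted}"
PLAINTEXT_DIR="${PLAINTEXT_DIR:-/tmp/somedir}"
SERVICE="${SERVICE:-sigul-pesign-bridge.service}"
CREDS="sigul.signing-key-passphrase sigul.pesign.bridge.client.private_key.pem"

# check_cred DIR NAME: succeeds if the encrypted credential exists, is non-empty
# and carries no group/other permission bits.
check_cred() {
    f="$1/$2"
    [ -s "$f" ] || { echo "FAIL: $f missing or empty" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "FAIL: $f is mode $mode; expected no group/other access" >&2
        return 1
    fi
    echo "ok: $f (mode $mode)"
}

# check_plaintext_gone DIR: the scratch dir that held the unencrypted
# private key must not outlive the procedure.
check_plaintext_gone() {
    if [ -e "$1" ]; then
        echo "FAIL: $1 still exists; shred and remove the plaintext key" >&2
        return 1
    fi
    echo "ok: $1 removed"
}

# check_service NAME: the bridge should be active once both credentials exist.
check_service() {
    if systemctl is-active --quiet "$1"; then echo "ok: $1 active"; return 0; fi
    echo "FAIL: $1 is not active" >&2
    return 1
}

run_checks() {
    rc=0
    for c in $CREDS; do check_cred "$CREDSTORE" "$c" || rc=1; done
    check_plaintext_gone "$PLAINTEXT_DIR" || rc=1
    check_service "$SERVICE" || rc=1
    return $rc
}

# Only run the full check when invoked as: sh pesign-cred-check.sh --run
case "${1:-}" in --run) run_checks ;; esac
```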