Correct signing key export instructions

Improve the export stage of the artifact signing key rotation steps in the following ways: make sure umask is set again since this stage is expected to happen at a later date and so in a new session, make sure to inspect the exported keychain to ensure the primary secret key is unusable, correct the path to the hiera files, remind the reader to commit their hiera edits, and test the result on the CI node at the very end. Change-Id: Ica40a0226ef8bc6b0df9e3a511f7d7b31c8d4076
2016-11-22 02:07:14 +00:00 · 2016-11-22 02:07:14 +00:00 · 14021e0112
commit 14021e0112
parent 457159ae35
1 changed files with 55 additions and 4 deletions
--- a/doc/source/signing.rst
+++ b/doc/source/signing.rst
@ -347,6 +347,7 @@ GnuPG directory:

 .. code-block:: shell-session

+    root@puppetmaster:~# umask 077
    root@puppetmaster:~# mkdir temporary.gnupg
    root@puppetmaster:~# gpg --homedir signing.gnupg --output \
    > temporary.gnupg/secret-subkeys --export-secret-subkeys 0xC0224DB5F541FB68\!
@ -362,6 +363,19 @@ GnuPG directory:
    gpg:       secret keys read: 1
    gpg:   secret keys imported: 1

+Check that the exported version does not contain a usable primary
+secret key by listing all secret keys and looking for a `sec#` in
+front of it instead of just `sec`:
+
+.. code-block:: shell-session
+
+    root@puppetmaster:~# gpg --homedir temporary.gnupg --list-secret-keys
+    temporary.gnupg/secring.gpg
+    ---------------------------
+    sec#  2048R/C6D5584D 2016-07-07 [expires: 2017-02-02]
+    uid                  OpenStack Infra (Some Cycle) <infra-root@openstack.org>
+    ssb   2048R/F541FB68 2016-07-07
+
 So that our CI jobs will be able to make use of this subkey without
 interactively supplying a passphrase, the old passphrase (exported
 from the master key) must be reset to an empty string in the new
@ -410,20 +424,57 @@ configuration management:
 .. code-block:: shell-session

    root@puppetmaster:~# /opt/system-config/production/tools/hieraedit.py --yaml \
-    > /opt/system-config/hieradata/production/group/signing.yaml -f \
+    > /etc/puppet/hieradata/production/group/signing.yaml -f \
    > temporary.gnupg/pubring.gpg pubring
    root@puppetmaster:~# /opt/system-config/production/tools/hieraedit.py --yaml \
-    > /opt/system-config/hieradata/production/group/signing.yaml -f \
+    > /etc/puppet/hieradata/production/group/signing.yaml -f \
    > temporary.gnupg/secring.gpg secring

-Finally, do your best to securely remove the temporary copy of the
-unencrypted signing subkey and any associated files:
+Safely clean up, doing your best to securely remove the temporary
+copy of the unencrypted signing subkey and any associated files:

 .. code-block:: shell-session

    root@puppetmaster:~# shred temporary.gnupg/*
    root@puppetmaster:~# rm -rf temporary.gnupg

+Finally, commit the hiera alterations:
+
+.. code-block:: shell-session
+
+    root@puppetmaster:~# echo -e "Updated signing key to Some cycle\n-me" | git \
+    > --git-dir /etc/puppet/hieradata/.git --work-tree /etc/puppet/hieradata \
+    > commit -F - production/group/signing.yaml
+
+Once the key updates on signing01.ci.openstack.org, as the jenkins
+user inspect the result. You should see the new cycle name and the
+`sec#` here again indicating the primary secret key is unusable, and
+if you try to sign some random data you shouldn't be prompted for a
+passphrase to use the signing subkey:
+
+.. code-block:: shell-session
+
+    jenkins@signing01:~$ gpg --homedir temporary.gnupg --list-secret-keys
+    temporary.gnupg/secring.gpg
+    ---------------------------
+    sec#  2048R/C6D5584D 2016-07-07 [expires: 2017-02-02]
+    uid                  OpenStack Infra (Some Cycle) <infra-root@openstack.org>
+    ssb   2048R/F541FB68 2016-07-07
+
+    jenkins@signing01:~$ echo foo | gpg --sign --armor
+    -----BEGIN PGP MESSAGE-----
+    Version: GnuPG v1
+
+    owEBOgHF/pANAwACAbkGmxM1cAzcAcsKYgBYM654Zm9vCokBHAQAAQIABgUCWDOu
+    eAAKCRC5BpsTNXAM3CC0CAC4Lc4DkTCvQpK0EXDZvYBbktYFslYyqbUcgSLqWFIC
+    JxP5Zdz5G1gRABZ3NIfuerJczuy+Nd0ZBFrFEgw3JCzGYBydEyhlLJa1St64/JJy
+    uOJY3IAKI5i9jBlt53+0FyKyNqifpk+Grmrqi8W+74bHpoNMnnfPWL2Llb2fz4bK
+    DBlsATrCMj7IvgKpwNX2/IxFN5vqENd54v+J3jn/7Bxnf5UFLzowqOWjj1xaX3e0
+    E2m4r6PMJoGQwFLyiPW0cjZJa22wSU2u2MjFjMMukpA+axgxGqLzDLYa1tmtJ6p3
+    CMUalOq1Bxy5M4rU9VrffzNP9dSC38iYDm0BExxv3otM
+    =i1wq
+    -----END PGP MESSAGE-----
+

 Attestation
 -----------