From 14021e0112984c2a17cec5507cce0834f638d3e5 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Tue, 22 Nov 2016 02:07:14 +0000
Subject: [PATCH] Correct signing key export instructions

Improve the export stage of the artifact signing key rotation steps
in the following ways: make sure umask is set again since this stage
is expected to happen at a later date and so in a new session, make
sure to inspect the exported keychain to ensure the primary secret
key is unusable, correct the path to the hiera files, remind the
reader to commit their hiera edits, and test the result on the CI
node at the very end.

Change-Id: Ica40a0226ef8bc6b0df9e3a511f7d7b31c8d4076
---
 doc/source/signing.rst | 59 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 55 insertions(+), 4 deletions(-)

diff --git a/doc/source/signing.rst b/doc/source/signing.rst
index e9d210e769..9f6daef75a 100644
--- a/doc/source/signing.rst
+++ b/doc/source/signing.rst
@@ -347,6 +347,7 @@ GnuPG directory:
 
 .. code-block:: shell-session
 
+    root@puppetmaster:~# umask 077
     root@puppetmaster:~# mkdir temporary.gnupg
     root@puppetmaster:~# gpg --homedir signing.gnupg --output \
     > temporary.gnupg/secret-subkeys --export-secret-subkeys 0xC0224DB5F541FB68\!
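Review bot: the added `umask 077` line is the right fix, but the surrounding prose in signing.rst does not say why it has to be set again here; a reader following the earlier rotation steps in one sitting will think it is redundant. The reason given in the commit message (this export stage is expected to happen at a later date, in a fresh session where the earlier umask is gone) belongs in the document itself, as a short sentence before this code block. It would also help to state the consequence the umask guarantees, namely that `temporary.gnupg/secret-subkeys` and the `temporary.gnupg` directory are created without group or world read permission.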
@@ -362,6 +363,19 @@ GnuPG directory:
     gpg:       secret keys read: 1
     gpg:   secret keys imported: 1
 
+Check that the exported version does not contain a usable primary
+secret key by listing all secret keys and looking for a `sec#` in
+front of it instead of just `sec`:
+
+.. code-block:: shell-session
+
+    root@puppetmaster:~# gpg --homedir temporary.gnupg --list-secret-keys
+    temporary.gnupg/secring.gpg
+    ---------------------------
+    sec#  2048R/C6D5584D 2016-07-07 [expires: 2017-02-02]
+    uid                  OpenStack Infra (Some Cycle) <infra-root@openstack.org>
+    ssb   2048R/F541FB68 2016-07-07
+
 So that our CI jobs will be able to make use of this subkey without
 interactively supplying a passphrase, the old passphrase (exported
 from the master key) must be reset to an empty string in the new
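Review bot: in reStructuredText a single-backtick span such as `sec#` is interpreted text (rendered by the default title-reference role, usually as italics), not an inline literal; since this is meant to be matched verbatim against gpg output, use double backticks (``sec#`` and ``sec``) so it renders in a fixed-width font like the rest of the document's literals. The check itself could also be made stronger: the sample listing shows the subkey on a plain `ssb` line, and the text should say that this is expected too, so the reader confirms both that the primary key line carries the `#` (secret stub only) and that the `ssb` line does not (the signing subkey's secret material really is present in the exported keychain).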
@@ -410,20 +424,57 @@ configuration management:
 .. code-block:: shell-session
 
     root@puppetmaster:~# /opt/system-config/production/tools/hieraedit.py --yaml \
-    > /opt/system-config/hieradata/production/group/signing.yaml -f \
+    > /etc/puppet/hieradata/production/group/signing.yaml -f \
     > temporary.gnupg/pubring.gpg pubring
     root@puppetmaster:~# /opt/system-config/production/tools/hieraedit.py --yaml \
-    > /opt/system-config/hieradata/production/group/signing.yaml -f \
+    > /etc/puppet/hieradata/production/group/signing.yaml -f \
     > temporary.gnupg/secring.gpg secring
 
-Finally, do your best to securely remove the temporary copy of the
-unencrypted signing subkey and any associated files:
+Safely clean up, doing your best to securely remove the temporary
+copy of the unencrypted signing subkey and any associated files:
 
 .. code-block:: shell-session
 
     root@puppetmaster:~# shred temporary.gnupg/*
     root@puppetmaster:~# rm -rf temporary.gnupg
 
+Finally, commit the hiera alterations:
+
+.. code-block:: shell-session
+
+    root@puppetmaster:~# echo -e "Updated signing key to Some cycle\n-me" | git \
+    > --git-dir /etc/puppet/hieradata/.git --work-tree /etc/puppet/hieradata \
+    > commit -F - production/group/signing.yaml
+
+Once the key updates on signing01.ci.openstack.org, as the jenkins
+user inspect the result. You should see the new cycle name and the
+`sec#` here again indicating the primary secret key is unusable, and
+if you try to sign some random data you shouldn't be prompted for a
+passphrase to use the signing subkey:
+
+.. code-block:: shell-session
+
+    jenkins@signing01:~$ gpg --homedir temporary.gnupg --list-secret-keys
+    temporary.gnupg/secring.gpg
+    ---------------------------
+    sec#  2048R/C6D5584D 2016-07-07 [expires: 2017-02-02]
+    uid                  OpenStack Infra (Some Cycle) <infra-root@openstack.org>
+    ssb   2048R/F541FB68 2016-07-07
+
+    jenkins@signing01:~$ echo foo | gpg --sign --armor
+    -----BEGIN PGP MESSAGE-----
+    Version: GnuPG v1
+
+    owEBOgHF/pANAwACAbkGmxM1cAzcAcsKYgBYM654Zm9vCokBHAQAAQIABgUCWDOu
+    eAAKCRC5BpsTNXAM3CC0CAC4Lc4DkTCvQpK0EXDZvYBbktYFslYyqbUcgSLqWFIC
+    JxP5Zdz5G1gRABZ3NIfuerJczuy+Nd0ZBFrFEgw3JCzGYBydEyhlLJa1St64/JJy
+    uOJY3IAKI5i9jBlt53+0FyKyNqifpk+Grmrqi8W+74bHpoNMnnfPWL2Llb2fz4bK
+    DBlsATrCMj7IvgKpwNX2/IxFN5vqENd54v+J3jn/7Bxnf5UFLzowqOWjj1xaX3e0
+    E2m4r6PMJoGQwFLyiPW0cjZJa22wSU2u2MjFjMMukpA+axgxGqLzDLYa1tmtJ6p3
+    CMUalOq1Bxy5M4rU9VrffzNP9dSC38iYDm0BExxv3otM
+    =i1wq
+    -----END PGP MESSAGE-----
+
 
 Attestation
 -----------
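Review bot: the verification step on the CI node is inconsistent with the rest of the hunk. The first command, `jenkins@signing01:~$ gpg --homedir temporary.gnupg --list-secret-keys`, points at a `temporary.gnupg` directory that only ever existed on the puppetmaster and was shredded and removed a few lines earlier, and the sample output header `temporary.gnupg/secring.gpg` repeats that path; the key on signing01 is delivered by configuration management into the jenkins user's keyring, which is also what the following `echo foo | gpg --sign --armor` test implicitly relies on. Drop `--homedir temporary.gnupg` from the listing command and change the header line to the default secring path so that both checks exercise the same keyring that the CI jobs will use; as written, a reader who copies the listing command literally will get an error rather than the expected `sec#` line. Same markup point as above applies to `sec#` on the "Once the key updates" paragraph: use double backticks for the literal.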