Remove old apt key from Ansible logic #6138

Merged

conorsch

Status

Ready for review

Description of Changes

Fixes #6133

Follow-up to #5979. Removes the old, i.e. 22245C81E3BAEB4138B36061310F561200F4AD77, apt key from the Ansible install-time logic. The key has been expired since 2021-06-30. Also updates the staging vars to use only the new key, never the old key, alongside the apt-test key.

Testing

Here's what I did while working on the change:

  1. Clean install in prod VMs, observe that 2224 key is unexpectedly present (as reported in old signing key 22245C81E3BAEB4138B36061310F561200F4AD77 is not removed during upgrade #6133)
  2. Manually remove 2224 key via sudo apt-key del '22245C81E3BAEB4138B36061310F561200F4AD77'
  3. Re-run ./securedrop-admin install and observe after that 2224 was re-added.
  4. Manually remove 2224 key again
  5. Check out this branch, rerun ./securedrop-admin install
  6. Observe 2224 key was not re-added

Because we're about to publish rc2, I think running through all those steps as part of PR review is overkill, and I encourage visual review. cc @zenmonkeykstop for thoughts on that.

I'm also submitting this PR from a stg-* branch to ensure that the staging changes don't break anything.

Deployment

No special considerations. The old key is expired, and can't be used anymore, and we want it gone everywhere.
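
An added example, not part of this PR or of SecureDrop's code: a shell check for steps 1 and 6 of the testing list above, reporting whether a primary-key fingerprint appears in a GnuPG colon-format key listing and whether that key is expired. The listing is constructed sample data, the `AAAA…` and `BBBB…` fingerprints are placeholders, and the `apt-key adv` pipeline named in the comment is an assumption about how to feed it on a live host.

```shell
#!/bin/sh
# Constructed sample in GnuPG --with-colons format (not real keyring output).
# On "pub" records field 2 is validity ("e" = expired, "r" = revoked);
# on "fpr" records field 10 is the fingerprint.
sample_listing() {
cat <<'EOF'
pub:e:4096:1:310F561200F4AD77:1400000000:1625011200::-:::sc::::::23::0:
fpr:::::::::22245C81E3BAEB4138B36061310F561200F4AD77:
uid:e::::1400000000::::Old release key (constructed)::::::::::0:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1620000000:1700000000::-:::sc::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1620000000::::New release key (constructed)::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1620000000:1700000000:::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
EOF
}

# key_status FPR
# Reads a colon-format listing on stdin and prints one of:
#   absent | present valid | present expired | present revoked
# Only the fpr record that directly follows a pub record is compared, so a
# subkey fingerprint never counts as a trusted primary key.
# Assumed live usage: apt-key adv --list-keys --with-colons | key_status FPR
key_status() {
    # Normalise the wanted fingerprint: drop spaces, upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { validity = $2; primary = 1; next }
        $1 == "fpr" {
            if (primary && toupper($10) == want) {
                found = 1
                if (validity == "e")      state = "expired"
                else if (validity == "r") state = "revoked"
                else                      state = "valid"
            }
            primary = 0   # later fpr records belong to subkeys
        }
        END { if (found) print "present " state; else print "absent" }
    '
}

# Demo on the constructed listing.
sample_listing | key_status 22245C81E3BAEB4138B36061310F561200F4AD77
```
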

Follow-up to #5979. Removes the old, i.e.
22245C81E3BAEB4138B36061310F561200F4AD77, apt key from the Ansible
install-time logic. The key has been expired since 2021-06-30.
@conorsch conorsch requested a review from a team as a code owner October 12, 2021 20:35
@conorsch

I'm also submitting this PR from a stg-* branch to ensure that the staging changes don't break anything.

N.B. #6137 shows staging CI is currently broken. @zenmonkeykstop up to you on either visual review sufficient for approval, or we can wait and rebase this.

@zenmonkeykstop zenmonkeykstop left a comment

LGTM based on visual review - I don't think we need to wait on staging for this one.

Successfully merging this pull request may close these issues.

old signing key 22245C81E3BAEB4138B36061310F561200F4AD77 is not removed during upgrade