ROS bootstrap repository is now signed

We’ve updated the bootstrap repository used by the ROS build farm to sign the repository and enable signature checking for import_upstream jobs on the ROS build farm.

This change should not have any effect on currently deployed build farms and should be entirely additive. However, if you notice issues, please let me know.

A pull request to the ros-buildfarm cookbook is pending. Upon its first release, deployments made using the new cookbook will check the bootstrap repository’s signature by default.

To add signature checking to a current buildfarm_deployment-based build farm, two steps are required:

  1. Import the key into the jenkins-agent user’s gpg keyring. This could be accomplished by getting a shell as that user with sudo su -l -s /bin/bash jenkins-agent and then running:
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 8EDB2EF661FC880E

It is not necessary or recommended to import this key into the apt keyring on your repo hosts or your development machines.

  2. Update your buildfarm_deployment_config to verify the bootstrap repository

Your build farm’s buildfarm_deployment_config repository has a repo.yaml text field containing the ros_bootstrap.yaml configuration. Change the value of the verify_release field from blindtrust, its previous default, to 8EDB2EF661FC880E. Then run the reconfigure.bash script to update the live configuration and trigger an import_upstream job to verify that the change was successful. You’ll see the reprepro-updater output for each distribution include the reprepro config. For example:

14:41:00 I have a lock on /var/repos/ubuntu/building/lock
14:41:00 Creating updates file /var/repos/ubuntu/building/conf/updates
14:41:00   Name: ros_bootstrap
14:41:00   Method: http://repos.ros.org/repos/ros_bootstrap
14:41:00   Suite: bionic
14:41:00   Components: main
14:41:00   Architectures: amd64
14:41:00   VerifyRelease: 8EDB2EF661FC880E

If you get an error message like the one below, it indicates that the key was not successfully imported into the appropriate keyring:

14:40:14 Error: unknown key '8EDB2EF661FC880E'!
14:40:14 There have been errors!
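
As a follow-up check to the two steps above, the generated reprepro updates file can be audited for stanzas that are still imported without signature verification. This is an added example, not code from the ROS build farm or reprepro-updater; the audit_updates and sample_updates functions and the example_extra stanza are hypothetical names, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of ros_buildfarm or reprepro-updater.
# audit_updates FILE KEYID
#   Reads a reprepro conf/updates file (stanzas separated by blank lines) and
#   prints every stanza whose VerifyRelease is missing or is not exactly KEYID
#   (so "blindtrust" is reported). Returns 0 only if all stanzas match.
audit_updates() {
    awk -v want="$2" '
        function finish() {
            if (!seen) return
            if (name == "") name = "(unnamed)"
            if (verify == "") { print name ": VerifyRelease missing"; bad = 1 }
            else if (verify != want) { print name ": VerifyRelease is " verify; bad = 1 }
            seen = 0; name = ""; verify = ""
        }
        /^[ \t\r]*$/ { finish(); next }   # blank line ends a stanza
        /^[ \t]*#/   { next }             # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            field = tolower(line); seen = 1
            if (field ~ /^name:/) { sub(/^[^:]*:[ \t]*/, "", line); name = line }
            else if (field ~ /^verifyrelease:/) { sub(/^[^:]*:[ \t]*/, "", line); verify = line }
        }
        END { finish(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: first stanza mirrors the job output above, the second
# (example_extra, repo.example.invalid) is hypothetical and left unverified.
sample_updates() {
    cat <<'EOF'
Name: ros_bootstrap
Method: http://repos.ros.org/repos/ros_bootstrap
Suite: bionic
Components: main
Architectures: amd64
VerifyRelease: 8EDB2EF661FC880E

Name: example_extra
Method: http://repo.example.invalid/ubuntu
Suite: bionic
VerifyRelease: blindtrust
EOF
}

# Demo run on the constructed sample; prints the offending stanza.
tmp=$(mktemp) && sample_updates > "$tmp"
audit_updates "$tmp" 8EDB2EF661FC880E || echo "unverified upstreams found"
rm -f "$tmp"
```

On a build farm the file to pass is the one named in the job output, for example /var/repos/ubuntu/building/conf/updates.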