From 93465c94571f0f7039134c32c96e831befd68d98 Mon Sep 17 00:00:00 2001
From: braydonk
Date: Thu, 11 Dec 2025 21:13:12 +0000
Subject: [PATCH 1/2] [kokoro] Add EL10 signing key to release config Starting with RHEL 10, we are expected to sign with a specific key for each major RHEL version. This PR adds the new key to our release configs and adjusts our signing script to set up the proper signing key based on the current distro.
---
 kokoro/config/build/aarch64_linux/release.gcl | 1 +
 .../config/build/presubmit/rockylinux10_aarch64.gcl | 10 ++++++++++
 .../config/build/presubmit/rockylinux10_x86_64.gcl | 10 ++++++++++
 kokoro/config/build/x86_64_linux/release.gcl | 1 +
 kokoro/scripts/build/build_package.sh | 13 ++++++++++++-
 5 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 kokoro/config/build/presubmit/rockylinux10_aarch64.gcl
 create mode 100644 kokoro/config/build/presubmit/rockylinux10_x86_64.gcl
diff --git a/kokoro/config/build/aarch64_linux/release.gcl b/kokoro/config/build/aarch64_linux/release.gcl
index 300aa3b2e2..b850b7d356 100644
--- a/kokoro/config/build/aarch64_linux/release.gcl
+++ b/kokoro/config/build/aarch64_linux/release.gcl
@@ -9,6 +9,7 @@ config build = common.build {
 params {
 keystore_keys = super.keystore_keys + [
 { keystore_config_id = 71565, keyname = 'rpm-signing-key' },
+ { keystore_config_id = 78657, keyname = 'rpm-el10-signing-key' },
 ]
 environment {
 SKIP_SIGNING = null
diff --git a/kokoro/config/build/presubmit/rockylinux10_aarch64.gcl b/kokoro/config/build/presubmit/rockylinux10_aarch64.gcl
new file mode 100644
index 0000000000..06d59ecec9
--- /dev/null
+++ b/kokoro/config/build/presubmit/rockylinux10_aarch64.gcl
@@ -0,0 +1,10 @@
+import '../common.gcl' as common
+
+config build = common.build {
+ params {
+ environment {
+ DISTRO = 'rockylinux10'
+ PKGFORMAT = 'rpm'
+ }
+ }
+}
diff --git a/kokoro/config/build/presubmit/rockylinux10_x86_64.gcl b/kokoro/config/build/presubmit/rockylinux10_x86_64.gcl
new file mode 100644
index 0000000000..06d59ecec9
--- /dev/null
+++ b/kokoro/config/build/presubmit/rockylinux10_x86_64.gcl
@@ -0,0 +1,10 @@
+import '../common.gcl' as common
+
+config build = common.build {
+ params {
+ environment {
+ DISTRO = 'rockylinux10'
+ PKGFORMAT = 'rpm'
+ }
+ }
+}
diff --git a/kokoro/config/build/x86_64_linux/release.gcl b/kokoro/config/build/x86_64_linux/release.gcl
index 300aa3b2e2..b850b7d356 100644
--- a/kokoro/config/build/x86_64_linux/release.gcl
+++ b/kokoro/config/build/x86_64_linux/release.gcl
@@ -9,6 +9,7 @@ config build = common.build {
 params {
 keystore_keys = super.keystore_keys + [
 { keystore_config_id = 71565, keyname = 'rpm-signing-key' },
+ { keystore_config_id = 78657, keyname = 'rpm-el10-signing-key' },
 ]
 environment {
 SKIP_SIGNING = null
diff --git a/kokoro/scripts/build/build_package.sh b/kokoro/scripts/build/build_package.sh
index c58de42297..05873eae48 100644
--- a/kokoro/scripts/build/build_package.sh
+++ b/kokoro/scripts/build/build_package.sh
@@ -67,7 +67,18 @@ docker buildx build . \
 SIGNING_DIR="$(pwd)/kokoro/scripts/build/signing"
 if [[ "${PKGFORMAT}" == "rpm" && "${SKIP_SIGNING}" != "true" ]]; then
- RPM_SIGNING_KEY="${KOKORO_KEYSTORE_DIR}/71565_rpm-signing-key"
+ RPM_STANDARD_SIGNING_KEY="${KOKORO_KEYSTORE_DIR}/71565_rpm-signing-key"
+ RPM_EL10_SIGNING_KEY="${KOKORO_KEYSTORE_DIR}/78657_rpm-el10-signing-key"
+
+ # Google packages are to be signed using a specific key per major version
+ # of RHEL starting with RHEL 10, we detect whether to use the EL10 signing
+ # key or the standard one here. All rpm packages for distros other than
+ # EL10 stick to the standard key.
+ RPM_SIGNING_KEY=${RPM_ETERNAL_SIGNING_KEY}
+ if [[ "${DISTRO}" == "rockylinux10" ]]; then
+ RPM_SIGNING_KEY=${RPM_EL10_SIGNING_KEY}
+ fi
+
 cp "${RPM_SIGNING_KEY}" "${SIGNING_DIR}/signing-key"
 fi
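Review bot: The default assignment `RPM_SIGNING_KEY=${RPM_ETERNAL_SIGNING_KEY}` reads a variable this hunk never defines; the key path declared above it is `RPM_STANDARD_SIGNING_KEY`. Unless that name is set elsewhere in the script (not visible here), every rpm build other than `rockylinux10` reaches `cp` with an empty source path, so signing breaks for the existing distros, and how loudly it breaks depends on error handling outside this hunk. The line should read `RPM_SIGNING_KEY="${RPM_STANDARD_SIGNING_KEY}"`, with the EL10 assignment quoted the same way. The `[PATCH 2/2]` hunk for this file only renames the EL10 key path and leaves this line unchanged. Key selection also hinges on the exact string `rockylinux10`, so any other EL10 build target would fall through to the standard key without an error.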
From 8d1f2ae66724a1add2e07710f1314dfe90ee5d3b Mon Sep 17 00:00:00 2001
From: braydonk
Date: Thu, 11 Dec 2025 21:24:37 +0000
Subject: [PATCH 2/2] I'm scared the keyname has to match
---
 kokoro/config/build/aarch64_linux/release.gcl | 2 +-
 kokoro/config/build/x86_64_linux/release.gcl | 2 +-
 kokoro/scripts/build/build_package.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/kokoro/config/build/aarch64_linux/release.gcl b/kokoro/config/build/aarch64_linux/release.gcl
index b850b7d356..953f221587 100644
--- a/kokoro/config/build/aarch64_linux/release.gcl
+++ b/kokoro/config/build/aarch64_linux/release.gcl
@@ -9,7 +9,7 @@ config build = common.build {
 params {
 keystore_keys = super.keystore_keys + [
 { keystore_config_id = 71565, keyname = 'rpm-signing-key' },
- { keystore_config_id = 78657, keyname = 'rpm-el10-signing-key' },
+ { keystore_config_id = 78657, keyname = 'el10-v1-rpm-signing-key' },
 ]
 environment {
 SKIP_SIGNING = null
diff --git a/kokoro/config/build/x86_64_linux/release.gcl b/kokoro/config/build/x86_64_linux/release.gcl
index b850b7d356..953f221587 100644
--- a/kokoro/config/build/x86_64_linux/release.gcl
+++ b/kokoro/config/build/x86_64_linux/release.gcl
@@ -9,7 +9,7 @@ config build = common.build {
 params {
 keystore_keys = super.keystore_keys + [
 { keystore_config_id = 71565, keyname = 'rpm-signing-key' },
- { keystore_config_id = 78657, keyname = 'rpm-el10-signing-key' },
+ { keystore_config_id = 78657, keyname = 'el10-v1-rpm-signing-key' },
 ]
 environment {
 SKIP_SIGNING = null
diff --git a/kokoro/scripts/build/build_package.sh b/kokoro/scripts/build/build_package.sh
index 05873eae48..09d37936ab 100644
--- a/kokoro/scripts/build/build_package.sh
+++ b/kokoro/scripts/build/build_package.sh
@@ -68,7 +68,7 @@ docker buildx build . \
 SIGNING_DIR="$(pwd)/kokoro/scripts/build/signing"
 if [[ "${PKGFORMAT}" == "rpm" && "${SKIP_SIGNING}" != "true" ]]; then
 RPM_STANDARD_SIGNING_KEY="${KOKORO_KEYSTORE_DIR}/71565_rpm-signing-key"
- RPM_EL10_SIGNING_KEY="${KOKORO_KEYSTORE_DIR}/78657_rpm-el10-signing-key"
+ RPM_EL10_SIGNING_KEY="${KOKORO_KEYSTORE_DIR}/78657_el10-v1-rpm-signing-key"
 # Google packages are to be signed using a specific key per major version
 # of RHEL starting with RHEL 10, we detect whether to use the EL10 signing
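Review bot: The key path on the changed line, `78657_el10-v1-rpm-signing-key`, repeats the `keystore_config_id` and `keyname` literals from both release.gcl files, and nothing in the script records that coupling. The file name appears to be built as `<keystore_config_id>_<keyname>`, so a rename in one place without the others would presumably surface only when the later `cp` cannot find the key. A comment above the two `RPM_*_SIGNING_KEY` assignments such as `# Keystore files are named <keystore_config_id>_<keyname>; keep in sync with keystore_keys in */release.gcl` would document this. The enclosing `if` block continues past the end of this hunk.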