-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add more details and reorganize test plan
Signed-off-by: Allie Crevier <[email protected]>
- Loading branch information
Allie Crevier
committed
Jun 3, 2022
1 parent
015b740
commit d854445
Showing
1 changed file
with
25 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,11 +1,28 @@ | ||
| ### | ||
| Name of package: | ||
| ## Description | ||
|
|
||
| Package being released: `securedrop-workstation-dom0-config x.y.z` | ||
| Package tag: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z | ||
| Build logs: https://github.com/freedomofpress/build-logs/commit/1234 | ||
| Prod signing key used to sign package and tag: https://github.com/freedomofpress/securedrop-workstation-prod-rpm-packages-lfs/blob/HEAD/pubkeys/prod.key | ||
|
|
||
| ### Test plan | ||
| Release tracking issue: https://github.com/freedomofpress/securedrop-workstation/issues/1234 | ||
|
|
||
| - [ ] Tag in securedrop-workstation repository is correct: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z | ||
| - [ ] Build logs are included: https://github.com/freedomofpress/build-logs/commit/1234 | ||
| - [ ] CI is passing, the rpm is properly signed with the prod key | ||
| - [ ] Manually verify that the rpm is properly signed with the prod key by running `rpm -qi <rpm>` and copy pasting the Signature KEY ID into `gpg -k <KEY ID>` | ||
| - [ ] Unsigned RPM after running `rpm --delsign` (in Debian Stable) on the signed RPM results in the checksum found in the build logs | ||
| ## Checklist for PR owner | ||
|
|
||
| - [ ] Links in this PR template have been updated as required | ||
| - [ ] https://github.com/freedomofpress/securedrop-workstation-prod-rpm-packages-lfs/blob/HEAD/pubkeys/prod.key points to the correct prod signing key | ||
|
|
||
| ## Checklist for reviewer | ||
| - [ ] CI is passing | ||
| - [ ] The build logs show that the tag is verified and signed with the prod signing key | ||
| - [ ] The build logs show that the tag is checked out and used to build the RPM | ||
| - [ ] The tag in the build logs is the correct tag: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z | ||
| - [ ] The commits being released are what you expect (see https://github.com/freedomofpress/securedrop-workstation/compare/a.b.c...x.y.z) | ||
| - [ ] The build logs show that the RPM is signed with the prod signing key | ||
| > * Download the signed RPM from this PR | ||
| > * Run `rpm qi <signed-rpm>` to get the KEY ID | ||
| > * Run `gpg -k <KEY ID>` to verify that it matches the prod signing key (make sure you have the prod signing key referenced in the PR description in your GPG keyring) | ||
| - [ ] The Unsigned RPM checksum matches what's in the build logs | ||
| > * Download the signed RPM from this PR (if you haven't already) | ||
| > * Run `rpm --delsign <signed-rpm>` to remove the signature | ||
| > * Run `sha256sum <unsigned-rpm>` and compare |