pubsys: fix kms signing issue #1205

Merged
merged 2 commits into from
Nov 12, 2020
@webern webern commented Nov 12, 2020

Issue number:

awslabs/tough#262

Description of changes:

In pubsys:

  • update tough-kms to v0.1.1 to fix an intermittent issue where a repo could be produced that was not loadable
  • coldsnap needed to be updated because of some conflicts with rustls in rusoto when updating tough-kms

Testing done:

  • cargo make repo works with a KMS key when creating a new repo.
  • The above repo can be loaded with tuftool download.
  • cargo make ami works with the new coldsnap version.
  • cargo make repo works with a KMS key when updating an existing repo.
  • The above repo can be loaded with tuftool download.
  • @etungsten should be able to tell us if his signing automation scripts are fixed by this branch/sha.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Update coldsnap to v0.2.0 and set it to use rustls. This is a necessary
prerequisite of any tough-related updates. When we update tough, then
coldsnap and tough will both resolve to rusoto 0.45 and their feature
selections will conflict. By bumping coldsnap and setting it to rustls,
we are now able to update tough, tough-kms, or tough-ssm.

This commit also explicitly sets the rusoto crates to use rustls. This
was also found to be necessary when newer versions of tough* are
introduced.

This commit fixes an occasional issue where a KMS-signed repo could not
be loaded. The fix is in tough-kms v0.1.1.
webern commented Nov 12, 2020

webern force-pushed the webern:tough-kms-v0.1.1 branch from 9ea4243 to 9fa053a

Remove the caret from the tough-kms version, it doesn't do anything.

@zmrow zmrow left a comment

Provided we can prove that the tough-kms fix works consistently (~200+ times), I'm happy.

🧇

@etungsten

With the fix, the automation hasn't failed since late yesterday (approximately 14 hours ago). It re-signs 23 repositories every 20 minutes. So that's 966 repo re-signs without fail. Each re-sign is re-signing 3 metadata files. So that's 2898 produced signatures.

@webern webern merged commit 8280ce8 into bottlerocket-os:develop Nov 12, 2020
@webern webern deleted the tough-kms-v0.1.1 branch November 12, 2020 19:42