[ART-1618] [ART-2800] New signing mechanism

jobs/build/promote-assembly/Jenkinsfile

@@ -155,6 +155,9 @@ node {
         if (params.SKIP_MIRROR_BINARIES) {
             cmd << "--skip-mirror-binaries"
         }
+        if (params.SKIP_SIGNING) {
+            cmd << "--skip-signing"
+        }
         if (params.NO_MULTI) {
             cmd << "--no-multi"
         }
@@ -167,15 +170,24 @@ node {
             // because 4.11 heterogeneous is tech preview.
             cmd << "--use-multi-hack"
         }
+        def signing_env = params.DRY_RUN? "stage": "prod"
+        cmd << "--signing-env=${signing_env}"
         echo "Will run ${cmd}"
+        def siging_cert_id = signing_env == "prod" ? "0xffe138e-openshift-art-bot" : "0xffe138d-nonprod-openshift-art-bot"
         buildlib.withAppCiAsArtPublish() {
             withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'creds_dev_registry.quay.io', usernameVariable: 'QUAY_USERNAME', passwordVariable: 'QUAY_PASSWORD'],
                              aws(credentialsId: 's3-art-srv-enterprise', accessKeyVariable: 'AWS_ACCESS_KEY_ID', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY'),
                              string(credentialsId: 'art-bot-slack-token', variable: 'SLACK_BOT_TOKEN'),
                              string(credentialsId: 'jboss-jira-token', variable: 'JIRA_TOKEN'),
                              string(credentialsId: 'jenkins-service-account', variable: 'JENKINS_SERVICE_ACCOUNT'),
                              string(credentialsId: 'jenkins-service-account-token', variable: 'JENKINS_SERVICE_ACCOUNT_TOKEN'),
-                             string(credentialsId: 'openshift-bot-token', variable: 'GITHUB_TOKEN')]) {
+                             string(credentialsId: 'openshift-bot-token', variable: 'GITHUB_TOKEN'),
+                             file(credentialsId: "${siging_cert_id}.crt", variable: 'SIGNING_CERT'),
+                             file(credentialsId: "${siging_cert_id}.key", variable: 'SIGNING_KEY'),
+                             string(credentialsId: 'redis-server-password', variable: 'REDIS_SERVER_PASSWORD'),
+                             string(credentialsId: 'redis-host', variable: 'REDIS_HOST'),
+                             string(credentialsId: 'redis-port', variable: 'REDIS_PORT'),
+                            ]) {
                 def out = sh(script: cmd.join(' '), returnStdout: true).trim()
                 echo "artcd returns:\n$out"
                 release_info = readJSON(text: out)
@@ -233,31 +245,6 @@ node {
         */
     }
 
-    stage("sign artifacts") {
-        if (params.SKIP_SIGNING) {
-            echo "Signing artifacts is skipped."
-            return
-        }
-        release_info.content.each { arch, info ->
-            def payloadDigest = release_info.content[arch].digest
-            // Currently a multi/heterogeneous release payload has a modified release name to workaround a Cincinnati issue.
-            // Using the real per-arch release name in $info instead of the one defined by release artists.
-            def release_name = info.metadata.version
-            echo "Signing $arch"
-            release.signArtifacts(
-                name: release_name,
-                signature_name: "signature-1",
-                dry_run: params.DRY_RUN,
-                env: "prod",
-                key_name: release_info.client_type=='ocp'?"redhatrelease2":"beta2",
-                arch: arch,
-                digest: payloadDigest,
-                client_type: release_info.client_type,
-                product: "openshift",
-            )
-        }
-    }
-
     stage("send release message") {
         if (release_info.type == "custom") {
             echo "Don't send release messages for a custom release."

pipeline-scripts/buildlib.groovy

@@ -61,7 +61,8 @@ def proxy_setup() {
         'cdn.quay.io',
         'cdn01.quay.io',
         'cdn02.quay.io',
-        'cdn03.quay.io'
+        'cdn03.quay.io',
+        "api.redhat.com",
     ]
 
     env.https_proxy = proxy

pyartcd/pyartcd/constants.py

@@ -27,7 +27,6 @@
 }
 
 OCP_BUILD_DATA_URL = 'https://github.com/openshift-eng/ocp-build-data'
-QUAY_RELEASE_REPO_URL = "quay.io/openshift-release-dev/ocp-release"
 
 # This is the URL that buildvm itself uses to resolve Jenkins
 # It shall be used by jenkinsapi to start new builds
@@ -38,3 +37,10 @@
 JENKINS_UI_URL = 'https://saml.buildvm.hosts.prod.psi.bos.redhat.com:8888'
 
 MIRROR_BASE_URL = 'https://mirror.openshift.com'
+
+UMB_BROKERS = {
+    "prod": "stomp+ssl://umb.api.redhat.com:61612",
+    "stage": "stomp+ssl://umb.stage.api.redhat.com:61612",
+    "qa": "stomp+ssl://umb.qa.api.redhat.com:61612",
+    "dev": "stomp+ssl://umb.dev.api.redhat.com:61612",
+}

pyartcd/pyartcd/exceptions.py

@@ -1,2 +1,8 @@
 class VerificationError(ValueError):
     pass
+
+
+class SignatoryServerError(IOError):
+    """ Represents an error generated by remote Signatory server
+    """
+    pass

pyartcd/pyartcd/locks.py

@@ -9,6 +9,12 @@
 # - the sleep interval between two consecutive retries, in seconds
 # - a timeout, after which the lock will expire and clear itself
 LOCK_POLICY = {
+    # default policy: give up after 1 hour
+    'default': {
+        'retry_count': 36000,
+        'retry_delay_min': 0.1,
+        'lock_timeout': 60 * 60 * 1,  # 1 hours
+    },
     # olm-bundle: give up after 1 hour
     'olm_bundle': {
         'retry_count': 36000,