Skip to content

krel sign blobs: Don't resign artifacts on rerunsΒ #4221

New issue
New issue
Open
Open
krel sign blobs: Don't resign artifacts on reruns#4221
Labels
area/release-engIssues or PRs related to the Release Engineering subprojectkind/featureCategorizes issue or PR as related to a new feature.needs-prioritysig/releaseCategorizes an issue or PR as relevant to SIG Release.
@puerco

Description

@puerco
puerco
opened on Dec 17, 2025

What would you like to be added:

When rerunning the release workflow, the krel sign blobs should verify if the artifacts in the staging bucket are signed. In case they are, instead of re-signing them we should just verify them to be signed by the expected identity.

Why is this needed:

Most of the release process just noops on the each step when we rereun it. krel sign blob does not follow the same pattern. By not resigning binaries, we have the same guarantees of the other steps, meaning we can safely retry but also that other steps don't need to worry about the consistency of the signing step if it finished in a previous run.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/release-engIssues or PRs related to the Release Engineering subprojectkind/featureCategorizes issue or PR as related to a new feature.needs-prioritysig/releaseCategorizes an issue or PR as relevant to SIG Release.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions