Correct signing key export instructions

Improve the export stage of the artifact signing key rotation steps
in the following ways: make sure umask is set again since this stage
is expected to happen at a later date and so in a new session, make
sure to inspect the exported keychain to ensure the primary secret
key is unusable, correct the path to the hiera files, remind the
reader to commit their hiera edits, and test the result on the CI
node at the very end.

Change-Id: Ica40a0226ef8bc6b0df9e3a511f7d7b31c8d4076

doc/source/signing.rst

@@ -347,6 +347,7 @@ GnuPG directory:
 
 .. code-block:: shell-session
 
+    root@puppetmaster:~# umask 077
     root@puppetmaster:~# mkdir temporary.gnupg
     root@puppetmaster:~# gpg --homedir signing.gnupg --output \
     > temporary.gnupg/secret-subkeys --export-secret-subkeys 0xC0224DB5F541FB68\!
@@ -362,6 +363,19 @@ GnuPG directory:
     gpg:       secret keys read: 1
     gpg:   secret keys imported: 1
 
+Check that the exported version does not contain a usable primary
+secret key by listing all secret keys and looking for a `sec#` in
+front of it instead of just `sec`:
+
+.. code-block:: shell-session
+
+    root@puppetmaster:~# gpg --homedir temporary.gnupg --list-secret-keys
+    temporary.gnupg/secring.gpg
+    ---------------------------
+    sec#  2048R/C6D5584D 2016-07-07 [expires: 2017-02-02]
+    uid                  OpenStack Infra (Some Cycle) <infra-root@openstack.org>
+    ssb   2048R/F541FB68 2016-07-07
+
 So that our CI jobs will be able to make use of this subkey without
 interactively supplying a passphrase, the old passphrase (exported
 from the master key) must be reset to an empty string in the new
@@ -410,20 +424,57 @@ configuration management:
 .. code-block:: shell-session
 
     root@puppetmaster:~# /opt/system-config/production/tools/hieraedit.py --yaml \
-    > /opt/system-config/hieradata/production/group/signing.yaml -f \
+    > /etc/puppet/hieradata/production/group/signing.yaml -f \
     > temporary.gnupg/pubring.gpg pubring
     root@puppetmaster:~# /opt/system-config/production/tools/hieraedit.py --yaml \
-    > /opt/system-config/hieradata/production/group/signing.yaml -f \
+    > /etc/puppet/hieradata/production/group/signing.yaml -f \
     > temporary.gnupg/secring.gpg secring
 
-Finally, do your best to securely remove the temporary copy of the
-unencrypted signing subkey and any associated files:
+Safely clean up, doing your best to securely remove the temporary
+copy of the unencrypted signing subkey and any associated files:
 
 .. code-block:: shell-session
 
     root@puppetmaster:~# shred temporary.gnupg/*
     root@puppetmaster:~# rm -rf temporary.gnupg
 
+Finally, commit the hiera alterations:
+
+.. code-block:: shell-session
+
+    root@puppetmaster:~# echo -e "Updated signing key to Some cycle\n-me" | git \
+    > --git-dir /etc/puppet/hieradata/.git --work-tree /etc/puppet/hieradata \
+    > commit -F - production/group/signing.yaml
+
+Once the key updates on signing01.ci.openstack.org, as the jenkins
+user inspect the result. You should see the new cycle name and the
+`sec#` here again indicating the primary secret key is unusable, and
+if you try to sign some random data you shouldn't be prompted for a
+passphrase to use the signing subkey:
+
+.. code-block:: shell-session
+
+    jenkins@signing01:~$ gpg --homedir temporary.gnupg --list-secret-keys
+    temporary.gnupg/secring.gpg
+    ---------------------------
+    sec#  2048R/C6D5584D 2016-07-07 [expires: 2017-02-02]
+    uid                  OpenStack Infra (Some Cycle) <infra-root@openstack.org>
+    ssb   2048R/F541FB68 2016-07-07
+
+    jenkins@signing01:~$ echo foo | gpg --sign --armor
+    -----BEGIN PGP MESSAGE-----
+    Version: GnuPG v1
+
+    owEBOgHF/pANAwACAbkGmxM1cAzcAcsKYgBYM654Zm9vCokBHAQAAQIABgUCWDOu
+    eAAKCRC5BpsTNXAM3CC0CAC4Lc4DkTCvQpK0EXDZvYBbktYFslYyqbUcgSLqWFIC
+    JxP5Zdz5G1gRABZ3NIfuerJczuy+Nd0ZBFrFEgw3JCzGYBydEyhlLJa1St64/JJy
+    uOJY3IAKI5i9jBlt53+0FyKyNqifpk+Grmrqi8W+74bHpoNMnnfPWL2Llb2fz4bK
+    DBlsATrCMj7IvgKpwNX2/IxFN5vqENd54v+J3jn/7Bxnf5UFLzowqOWjj1xaX3e0
+    E2m4r6PMJoGQwFLyiPW0cjZJa22wSU2u2MjFjMMukpA+axgxGqLzDLYa1tmtJ6p3
+    CMUalOq1Bxy5M4rU9VrffzNP9dSC38iYDm0BExxv3otM
+    =i1wq
+    -----END PGP MESSAGE-----
+
 
 Attestation
 -----------