Hi,
Attached here is a macro-level overview of how the sign service is getting set up. I've been working on this recently, and it's the process being adopted for SIGs moving to release (e.g. RDO folks rely on this for the OpenStack release work into the Cloud SIG repos).
A couple of highlights:
Each box indicates a physical entity; the Sign Box is a HA pair of 2 nodes, dedicated for this purpose. The main sign service is a dedicated machine hosted near the CBS infra for performance reasons.
Read this alongside http://www.karan.org/CBS_ContentPromotion.png which lays out what tags go where and how this maps to buildlogs and the mirror / CDN side of things.
The PreFlight testing and Validation steps only do some basic work at the moment, including validating that rpms are not already signed, that they come from and are going into the right path maps (e.g. virt SIG content going into the /virt/ subdirs etc.), and that the rpm headers are valid. Lots of potential to expand on these steps. I will aim to extract these scripts out and into git.centos.org for more eyes and contribution options.
The push to buildlogs runs every 2 hrs at this point, and does not include a sign step. buildlogs content is pushed as is, from the right tags, for projects and SIGs that have opted in (ideally, everyone should! If you are not doing this already, please get in touch). Content for the sign and push to mirror.centos.org runs a report every 48 hrs, and needs a manual ack. In the coming weeks, we will move to perhaps a 12 hr cycle with better round the clock cover.
Regards
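
A sketch of the three PreFlight checks described in the message (not already signed, right path map, valid headers), added here as an illustration and not taken from the CentOS scripts. It reads only the RPM lead and signature header; the `PATH_MAP` entries other than virt, the function names and the sample bytes are assumptions constructed for the example.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # first bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # first bytes of a header structure
LEAD_SIZE = 96
# Signature-header tags that hold a signature: DSA, RSA, PGP, GPG.
SIGNATURE_TAGS = {267, 268, 1002, 1005}
# Assumed SIG-to-prefix map; only the virt entry comes from the message.
PATH_MAP = {"virt": "/virt/", "cloud": "/cloud/"}


def signature_tags(blob):
    """Return the tags in the signature header; ValueError if malformed."""
    if len(blob) < LEAD_SIZE + 16 or blob[:4] != LEAD_MAGIC:
        raise ValueError("bad or truncated RPM lead")
    magic, nindex, hsize = struct.unpack_from(">4s4xII", blob, LEAD_SIZE)
    if magic != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    index_end = LEAD_SIZE + 16 + 16 * nindex
    if len(blob) < index_end + hsize:
        raise ValueError("truncated signature header")
    tags = set()
    for off in range(LEAD_SIZE + 16, index_end, 16):
        tag, _type, data_off, _count = struct.unpack_from(">IIII", blob, off)
        if data_off >= hsize:
            raise ValueError("index entry points outside the data store")
        tags.add(tag)
    return tags


def preflight(sig, dest_path, blob):
    """Return reasons to reject this rpm; an empty list means it can go on to signing."""
    problems = []
    prefix = PATH_MAP.get(sig)
    if prefix is None or not dest_path.startswith(prefix) or ".." in dest_path.split("/"):
        problems.append("destination outside the SIG's path map")
    try:
        if signature_tags(blob) & SIGNATURE_TAGS:
            problems.append("rpm is already signed")
    except ValueError as exc:
        problems.append(f"invalid header: {exc}")
    return problems


def build_sample(tags):
    """Constructed input: lead plus signature header only, one 4-byte entry per tag."""
    index = b"".join(struct.pack(">IIII", t, 7, 0, 4) for t in tags)
    intro = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), 4)
    return LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4) + intro + index + b"\x00" * 4
```

An unsigned build normally carries only size and digest tags (1000, 1004, 269) in its signature header, so `preflight("virt", "/virt/pkg.rpm", build_sample([1000, 1004, 269]))` returns an empty list.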