If you change files in this directory, you will need to re-sign the pipeline.
For this, we are using cryptic-buildkite-plugin.
Install it locally by cloning the repo outside of the Yggdrasil tree:
git clone https://github.com/staticfloat/cryptic-buildkite-pluginOptionally, you can also add /path/to/cryptic-buildkite-plugin/bin to the PATH environment variable:
PATH="/path/to/cryptic-buildkite-plugin/bin:${PATH}"where /path/to/cryptic-buildkite-plugin is the path where you cloned the repository.
To sign the keys, you will need the repo keys, stored in the cryptic_repo_keys subdirectory.
You will also need the script shyaml.
You can install it by cloning the upstream repo, or also with pip, which also pulls the needed dependencies:
python -m venv env # Optional, to create a Python virtual environment
source env/bin/activate # Optional, to activate the environment just created
pip install shyamlOnce you are all set, you can sign the modified pipeline with the command
sign_treehashesif you had added the dir to the PATH, otherwise with the explicit absolute path
/path/to/cryptic-buildkite-plugin/bin/sign_treehashesRemember that you will always need to have the shyaml script in PATH, which happens automatically if you activate the Python virtual environment created above.