[ci] two-steps keys rotation (trial)

julientinguely-da · julientinguely-da · commit 5db6d09aef22 · 2025-10-01T11:13:32.000Z
Signed-off-by: Julien Tinguely &lt;julien.tinguely@digitalasset.com&gt;
diff --git a/apps/common/src/main/scala/org/lfdecentralizedtrust/splice/setup/NodeInitializer.scala b/apps/common/src/main/scala/org/lfdecentralizedtrust/splice/setup/NodeInitializer.scala
@@ -374,6 +374,7 @@ class NodeInitializer(
     } yield ()
   }
 
+  // Note: this needs to be done in two steps (one to add and one to remove the keys) in order to avoid warnings in the log
   private def performKeyRotation(
       ownerToKeyMappings: Seq[StoredTopologyTransaction[TopologyChangeOp, TopologyMapping]],
       member: Member,
@@ -406,7 +407,7 @@ class NodeInitializer(
             )
           case key => Future.successful(key)
         }
-        newKeysNE <- NonEmpty.from(newKeys) match {
+        newKeysNE1 <- NonEmpty.from((newKeys ++ currentKeys).distinct) match {
           case Some(ne) => Future.successful(ne)
           case None =>
             Future.failed(
@@ -415,7 +416,19 @@ class NodeInitializer(
         }
         _ <- connection.ensureOwnerToKeyMapping(
           member = member,
-          keys = newKeysNE,
+          keys = newKeysNE1,
+          retryFor = RetryFor.Automation,
+        )
+        newKeysNE2 <- NonEmpty.from(newKeys) match {
+          case Some(ne) => Future.successful(ne)
+          case None =>
+            Future.failed(
+              new IllegalStateException("newKeys collection cannot be empty after rotation.")
+            )
+        }
+        _ <- connection.ensureOwnerToKeyMapping(
+          member = member,
+          keys = newKeysNE2,
           retryFor = RetryFor.Automation,
         )
       } yield logger.info(
diff --git a/project/ignore-patterns/canton-missing-signatures.ignore.txt b/project/ignore-patterns/canton-missing-signatures.ignore.txt
@@ -1,6 +1,6 @@
 # Errors and warnings caused by the key rotation in ManualSignatureIntegrationTest
-.*could not verify client's signature.*
-.*used to generate signature is not a valid key.*
-.*Response message for request.* timed out.*
-.*Now retrying operation 'request current time'.*
+#.*could not verify client's signature.*
+#.*used to generate signature is not a valid key.*
+#.*Response message for request.* timed out.*
+#.*Now retrying operation 'request current time'.*
 
