Improve CI codesigning certificate
.gitlab/ci/build_archiso.sh uses the following subjects:
- /C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/CN=archlinux.org for the CA,
- /C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/CN=archlinux.org for the codesigning cert.
The CA cert also does not set specific expiry days, while the codesigning cert sets 3650, which is too long for just a temporary cert used in a CI.
To more closely match what's used in create_ephemeral_pgp_key, I suggest changing them to:
ca_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/emailAddress=arch-releng@lists.archlinux.org/CN=Arch Linux Release Engineering (Ephemeral Certificate Authority)"
codesigning_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/emailAddress=arch-releng@lists.archlinux.org/CN=Arch Linux Release Engineering (Ephemeral Signing Key)"
Codesigning certs don't really need a domain name, but an email is useful to have there.
Additionally both commands should specify -days 2.
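The change proposed above as a runnable sketch, added here as an example and not taken from build_archiso.sh: it creates a throwaway CA and codesigning certificate with the suggested subjects and -days 2, then checks the resulting lifetime. The file names, config section names and RSA key size are assumptions.

```shell
#!/bin/sh
# Added example, not the project's script. Subjects are the ones proposed in the issue;
# file names, config section names and key size are assumptions made for illustration.
ca_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/emailAddress=arch-releng@lists.archlinux.org/CN=Arch Linux Release Engineering (Ephemeral Certificate Authority)"
codesigning_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/emailAddress=arch-releng@lists.archlinux.org/CN=Arch Linux Release Engineering (Ephemeral Signing Key)"
days=2

make_ephemeral_codesigning() {
    dir="$1"
    # Minimal config so no extensions from the system-wide openssl.cnf leak in.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[codesigning_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    # Self-signed CA: -days is given explicitly instead of relying on the default.
    openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -config "$dir/openssl.cnf" -extensions ca_ext -subj "$ca_subj" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" || return 1
    # Key and CSR for the codesigning certificate.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -config "$dir/openssl.cnf" -subj "$codesigning_subj" \
        -keyout "$dir/codesigning.key" -out "$dir/codesigning.csr" || return 1
    # Sign the CSR with the CA, again for 2 days instead of 3650.
    openssl x509 -req -in "$dir/codesigning.csr" -sha256 -days "$days" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions codesigning_ext \
        -out "$dir/codesigning.crt" || return 1
}

# Succeeds only if the cert is still valid in 1 day but expired within 3 days.
lifetime_ok() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend 259200 >/dev/null
}

workdir="$(mktemp -d)"
make_ephemeral_codesigning "$workdir" &&
    openssl verify -CAfile "$workdir/ca.crt" "$workdir/codesigning.crt" &&
    lifetime_ok "$workdir/ca.crt" && lifetime_ok "$workdir/codesigning.crt" &&
    echo "ephemeral CA and codesigning cert expire within 3 days"
rm -rf "$workdir"
```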