
Draft: mkarchiso: sign the ISO and bootstrap tarball with the codesigning certificate

Use openssl cms to sign the ISO and bootstrap tarball after they are built. Unlike the signature of the root file system image (airootfs.*.cms.sig), the signature file will contain the signing certificate. This allows verifying the signature without needing to provide the certificate unless it is a self-signed certificate. Only the ISO or tarball, its signature and CA certificate are needed. For example:

$ openssl cms -verify -binary -noattr -purpose any -in archlinux-2023.11.21-x86_64.iso.cms.sig -content archlinux-2023.11.21-x86_64.iso -inform DER -out /dev/null -CAfile cacert.pem
Edited by nl6720
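
The difference the description relies on, shown as an added example that is not part of the merge request or of mkarchiso: a signature that embeds the signer certificate verifies with only the CA certificate, while one without it also needs the certificate supplied at verification time. The throwaway CA, the file names and the helpers `demo_setup` and `verify` are assumptions made for this demo, and `-nocerts` is used here to produce a signature without an embedded certificate.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, signer and payload in a temp dir (not mkarchiso code).

demo_setup() {
    W=$(mktemp -d) || return 1
    printf 'constructed payload standing in for the ISO\n' > "$W/artifact.bin"
    printf 'constructed payload, modified after signing\n' > "$W/tampered.bin"
    cat > "$W/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[sign_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    # Demo CA, then a code signing certificate issued by it.
    openssl req -x509 -config "$W/x509.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$W/ca.key" -out "$W/cacert.pem" -subj '/CN=Demo CA' -days 1 2>/dev/null &&
    openssl req -new -config "$W/x509.cnf" -newkey rsa:2048 -nodes \
        -keyout "$W/sign.key" -out "$W/sign.csr" -subj '/CN=Demo codesigning' 2>/dev/null &&
    openssl x509 -req -in "$W/sign.csr" -CA "$W/cacert.pem" -CAkey "$W/ca.key" -CAcreateserial \
        -extfile "$W/x509.cnf" -extensions sign_ext -out "$W/sign.pem" -days 1 2>/dev/null &&
    # Signature that embeds the signer certificate (the default for cms -sign).
    openssl cms -sign -binary -noattr -in "$W/artifact.bin" -signer "$W/sign.pem" \
        -inkey "$W/sign.key" -outform DER -out "$W/with_cert.sig" &&
    # Same signature, but with the certificate left out (-nocerts).
    openssl cms -sign -binary -noattr -nocerts -in "$W/artifact.bin" -signer "$W/sign.pem" \
        -inkey "$W/sign.key" -outform DER -out "$W/no_cert.sig"
}

# verify SIG CONTENT [extra openssl options]: the verification command from the description.
verify() {
    sig=$1 content=$2; shift 2
    openssl cms -verify -binary -noattr -purpose any -in "$W/$sig" -content "$W/$content" \
        -inform DER -out /dev/null -CAfile "$W/cacert.pem" "$@" 2>/dev/null
}

demo_setup || { echo 'setup failed' >&2; exit 1; }
verify with_cert.sig artifact.bin && echo 'embedded cert: verified with CA only'
verify no_cert.sig artifact.bin || echo 'no embedded cert: CA alone is not enough'
verify no_cert.sig artifact.bin -certfile "$W/sign.pem" && echo 'no embedded cert: verified with -certfile'
verify with_cert.sig tampered.bin || echo 'modified content: rejected'
rm -rf "$W"
```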
