Draft: mkarchiso: sign the ISO and bootstrap tarball with the codesigning certificate
Use openssl cms to sign the ISO and bootstrap tarball after they
are built.
Unlike the signature of the root file system image (airootfs.*.cms.sig),
the signature file will contain the signing certificate. This allows
verifying the signature without needing to provide the certificate
unless it is a self-signed certificate. Only the ISO or tarball, its
signature and CA certificate are needed. For example:
$ openssl cms -verify -binary -noattr -purpose any -in archlinux-2023.11.21-x86_64.iso.cms.sig -content archlinux-2023.11.21-x86_64.iso -inform DER -out /dev/null -CAfile cacert.pem
Edited by nl6720
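A round trip of the scheme described above, as an added example that is not part of the merge request or of mkarchiso: it signs a stand-in file with a CA-issued code signing certificate and verifies it with only the file, its signature and the CA certificate. The signing options, the throwaway CA and certificate, and all file and function names are assumptions constructed for the demo; only the verification options come from the command in the description.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI and stand-in "ISO"; not mkarchiso code.

demo_pki() {  # $1 = work dir: writes cacert.pem plus a CA-issued code signing cert/key
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_codesign]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Demo CA" -days 2 -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo codesigning" -keyout "$1/codesign.key" -out "$1/codesign.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/codesign.csr" -CA "$1/cacert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/openssl.cnf" -extensions v3_codesign -days 2 \
        -out "$1/codesign.pem" 2>/dev/null
}

sign_file() {  # $1 = work dir, $2 = file; detached DER signature, signer cert embedded
    openssl cms -sign -binary -noattr -in "$2" -signer "$1/codesign.pem" \
        -inkey "$1/codesign.key" -outform DER -out "$2.cms.sig"
}

verify_file() {  # $1 = CA cert, $2 = file; options as in the description's command
    openssl cms -verify -binary -noattr -purpose any -in "$2.cms.sig" -content "$2" \
        -inform DER -out /dev/null -CAfile "$1" 2>/dev/null
}

work=$(mktemp -d) && demo_pki "$work" || exit 1
printf 'constructed stand-in for an ISO\n' > "$work/demo.iso"
sign_file "$work" "$work/demo.iso"
verify_file "$work/cacert.pem" "$work/demo.iso" && echo "intact image: verified"
printf 'x' >> "$work/demo.iso"   # simulate modification after signing
verify_file "$work/cacert.pem" "$work/demo.iso" || echo "modified image: rejected"
rm -rf "$work"
```

Because the signer certificate travels inside the signature file, the CA certificate passed with -CAfile is the only trust anchor, so it has to be obtained through a channel independent of the download.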