Sign low impact artifacts
There are several contexts in which signatures are created manually or using unsecured private key material. These include signatures for installation media and virtual machines. Signing these artifacts is considered a low impact action, because the current workflow is either manual or unsecured, happens on a low cadence, and adding a drop-in signature by an individual member of the Arch Linux team would be possible. Further, end-user systems cannot be broken or compromised by addressing these artifacts, and delegated authentication for the signatures is currently only partly advertised.
For these artifacts, the signing should take place on dedicated hosts, which guard their SSH keys using the host’s integrated or discrete TPM 2.0. Such a host is then used specifically in the CI pipeline of the projects building the installation media and virtual machines. Each of these hosts relies on the Signstar client software to issue signing requests and receive signatures.