Skip to content
GitLab
This project is mirrored from https://gitlab.archlinux.org/archlinux/archiso.git. Pull mirroring updated .
  1. 24 Dec, 2022 3 commits
  3. 22 Dec, 2022 2 commits
  5. 17 Dec, 2022 1 commit
    • nl6720's avatar
      configs/baseline/profiledef.sh: use LZMA compression for the EROFS image · 55a1b132
      nl6720 authored 
      Now that xz 5.4 is out and erofs-utils is built with LZMA support, it is
possible to compress the EROFS image with LZMA for higher compression.
`mkfs.erofs` trows a few warnings about using experimental features, but
they should not be an issue.

Nothing changes for the releng profile, for now at least.
      55a1b132
  7. 10 Dec, 2022 2 commits
  9. 06 Dec, 2022 4 commits
    • nl6720's avatar
      mkarchiso: open the ARCHISO_GNUPG_FD, ARCHISO_TLS_FD and ARCHISO_TLSCA_FD file... · 2c342020
      nl6720 authored 
      mkarchiso: open the ARCHISO_GNUPG_FD, ARCHISO_TLS_FD and ARCHISO_TLSCA_FD file descriptors only for reading

Nothing should ever be written to these files, so let's make sure it cannot happen.
      2c342020
    • nl6720's avatar
      mkarchiso: do not try to use an non existent GPG public key file · d31f3884
      nl6720 authored 
      The `bootstrap` build mode never calls `_export_gpg_publickey`, so even if
the GPG key is passed with the `-g` option and thus the `gpg_key` variable
is set, the `${work_dir}/pubkey.gpg` file will not exist.
This has not caused any issue so far because the `ARCHISO_GNUPG_FD` file
descriptor opens the file for both reading and writing, which means the
file gets created if it does not exist.

Assign the exported public key file name to a `gpg_publickey` variable in
`_export_gpg_publickey` and check for it when the file is used.

Since the exist status of the gpg command cannot be checked, look for the
exported public key file instead.
      d31f3884
    • nl6720's avatar
      mkarchiso: disable shellcheck warning when searching an array · 4ee6fdc1
      nl6720 authored 
      The warning about SC2076 does not apply here.
      4ee6fdc1
    • nl6720's avatar
      Merge remote-tracking branch 'origin/merge-requests/298' · 76815b12
      nl6720 authored 
      By Jonathan Liu
* origin/merge-requests/298:
  Add Memtest86+ to x86_64 UEFI GRUB boot menu

See merge request !298
      76815b12
  11. 03 Dec, 2022 1 commit
  13. 12 Nov, 2022 1 commit
  15. 30 Oct, 2022 1 commit
  17. 25 Oct, 2022 1 commit
  19. 22 Oct, 2022 1 commit
  21. 13 Oct, 2022 1 commit
    • nl6720's avatar
      mkarchiso: do not sign .sig files · 11971619
      nl6720 authored 
      Make sure existing sig files are deleted before creating new ones and make sure to not sign any sig files.

This allows retrying failed mkarchiso runs without ending up with files such as vmlinuz.ipxe.sig.ipxe.sig.

Fixes #198
      11971619
  23. 06 Oct, 2022 1 commit
  25. 25 Sep, 2022 6 commits
    • David Runge's avatar
      Add changelog for version 67 · fbc72247
      David Runge authored 
      CHANGELOG.rst:
Add changelog for version 67.
      fbc72247
    • David Runge's avatar
      Update PGP key ID for David Runge · 3e962dbe
      David Runge authored 
      README.rst:
Change referenced PGP key ID from `C7E7849466FE2358343588377258734B41C31549` to
`991F6E3F0765CF6295888586139B09DA5BF0D338`, as the latter is now in used. The keys are cross-signed and both available
via Arch Linux's WKD.
      3e962dbe
    • Anton Hvornum's avatar
      Add the ability to generate rootfs signatures using openssl CMS module if ``-c`` is given. · 326cfed7
      Anton Hvornum authored and David Runge's avatar David Runge committed 
      (gitlab ci)

Added a CA structure to the codesigning certificates.
This to test the functionality of optional CA being in the signing message.

(mkarchiso)
Removed the ``sign_netboot_artifacts`` variable and instead
we'll now rely on ``if [[ -v cert_list ]]; then``.

Added ``ARCHISO_TLS_FD`` and ``ARCHISO_TLSCA_FD`` environment variables
to override the certificates used. This is so that third party CA's can
be used during building in a meaningful way without distrupting the
CA trust that is shipped by default.

_cms_sign_artifact() was added which signs the rootfs using OpenSSL CMS.
The files will be saved as "${artifact}.cms.sig". That would be for instance
"${isofs_dir}/${install_dir}/${arch}/airootfs.sfs.cms.sig".
      326cfed7
    • David Runge's avatar
      Add changelog entry for ordering pacman-init after time-sync.target · 5f135b43
      David Runge authored 
      CHANGELOG.rst:
Add changelog entry for ordering pacman-init after time-sync.target
      5f135b43
    • David Runge's avatar
      Order pacman-init.service after time-sync.target · 3f55c956
      David Runge authored 
      configs/releng/airootfs/etc/systemd/system/pacman-init.service:
Order pacman-init.service after time-sync.target, so that time on the host is synchronized before initializing pacman.
      3f55c956
    • David Runge's avatar
      Enable systemd-timesyncd and systemd-time-wait-sync · 69b22dc4
      David Runge authored 
      configs/releng/airootfs/etc/systemd/system/{dbus-org.freedesktop.timesync1},sysinit.target.wants/systemd-timesyncd}.service:
Enable systemd-timesyncd which aliases to dbus-org.freedesktop.timesync1 to ensure time gets synced on the host.

configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-time-wait-sync.service:
Enable systemd-time-wait-sync to ensure time is finished syncing when time-sync.target is finished.
      69b22dc4
  27. 22 Sep, 2022 2 commits
  29. 01 Sep, 2022 1 commit
  31. 28 Aug, 2022 2 commits
  33. 26 Aug, 2022 1 commit
  35. 22 Aug, 2022 1 commit
  37. 21 Aug, 2022 1 commit
    • Kristian Klausen's avatar
      Use VM runners[1] for building · a2e886b4
      Kristian Klausen authored 
      Building inside a TCG accelerated qemu VM is slow and painful, but it is
the only option when running in a non-privileged container.

arch-boxes has been built inside a KVM accelerated VMs ("VM runner") for
over 11 months[2] and recently the MR[1] was merged into the
infrastructure repo. With it now being a official part of arch's
infrastructure we should switch to it and get much faster builds.

Doing some quick testing, the whole pipeline is now roughly ~29-84
minutes faster (taking between 7-9 minutes, instead of 36-93 minutes).

[1] infrastructure!385
[2] arch-boxes@3bda5b26

Fix #161
      a2e886b4
  39. 19 Aug, 2022 1 commit
    • nl6720's avatar
      mkarchiso: preload more GRUB modules and disable shim_lock verifier · 7bc4c542
      nl6720 authored 
      --disable-shim-lock is required to support Secure Boot with custom signatures without using shim.
Otherwise GRUB will trow an error when trying to boot a kernel:

    error: shim_lock protocol not found.
    error: you need to load the kernel first.

The modules GRUB will use need to be preloaded otherwise the EFI binaries cannot be signed and used for Secure Boot.
See https://bugs.archlinux.org/task/71382.
GRUB will trow en error:

    error: verification requested but nobody cares

These changes are done to support Secure Boot using custom keys (not shim) by simply extracting the boot loader
(BOOTx64.EFI and BOOTIA32.EFI), kernel, UEFI shell, signing them and then repacking the ISO.

For example.
Extract the files:

    $ osirrox -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -extract_boot_images ./ \
        -extract /EFI/BOOT/BOOTx64.EFI BOOTx64.EFI \
        -extract /EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI \
        -extract /shellx64.efi shellx64.efi \
        -extract /shellia32.efi shellia32.efi \
        -extract /arch/boot/x86_64/vmlinuz-linux vmlinuz-linux

Make the files writable:

    $ chmod +w BOOTx64.EFI BOOTIA32.EFI shellx64.efi shellia32.efi vmlinuz-linux

Sign the files:

    $ sbsign --key db.key --cert db.crt --output BOOTx64.EFI BOOTx64.EFI
    $ sbsign --key db.key --cert db.crt --output BOOTIA32.EFI BOOTIA32.EFI
    $ sbsign --key db.key --cert db.crt --output shellx64.efi shellx64.efi
    $ sbsign --key db.key --cert db.crt --output shellia32.efi shellia32.efi
    $ sbsign --key db.key --cert db.crt --output vmlinuz-linux vmlinuz-linux

Copy the boot loader and UEFI shell to the EFI system partition image:

    $ mcopy -D oO -i eltorito_img2_uefi.img BOOTx64.EFI BOOTIA32.EFI ::/EFI/BOOT/
    $ mcopy -D oO -i eltorito_img2_uefi.img shellx64.efi shellia32.efi ::/

Repack the ISO using the modified El Torito UEFI boot image and add the signed boot loader files, UEFI shell and
kernel to ISO9660:

    $ xorriso -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -outdev archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso \
        -boot_image any replay \
        -append_partition 2 0xef eltorito_img2_uefi.img \
        -map BOOTx64.EFI /EFI/BOOT/BOOTx64.EFI \
        -map BOOTIA32.EFI /EFI/BOOT/BOOTIA32.EFI \
        -map shellx64.efi /shellx64.efi \
        -map shellia32.efi /shellia32.efi \
        -map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux

Boot the resulting archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso.
      7bc4c542
  41. 17 Aug, 2022 1 commit
    • nl6720's avatar
      mkarchiso: copy all GRUB files to the ISO · b13e5e33
      nl6720 authored 
      Do not limit file copying to only grub.cfg and instead copy all GRUB configuration files and assets to both the ISO9660 and FAT image.
This will allow for including custom images, fonts, etc.

To easily match all non-configuration files (i.e. files without the .cfg extension), bash's extended glob feature will be enabled.
Actions common to multiple _make_bootmode_uefi-*.grub are split off into dedicated functions:

* _make_common_bootmode_grub_copy_to_efibootimg,
* _make_common_bootmode_grub_copy_to_isofs,
* _make_common_bootmode_grub_cfg.

Use the same du command in all efiboot_imgsize variable assignments.

Fixes #185.
      b13e5e33
  43. 07 Aug, 2022 1 commit
  45. 17 Jul, 2022 1 commit
  47. 16 Jul, 2022 1 commit
  49. 30 Jun, 2022 1 commit
  51. 26 Jun, 2022 1 commit