GitLab

* virtualbox-guest-utils-nox package and vboxservice.service for VirtualBox.
* qemu-guest-agent package and qemu-guest-agent.service for QEMU & libvirt.

Implements #118.

.gitlab-ci.yml:
Expand the parallel matrix with build modes per profile.
Do not run netboot with the baseline profile, as codesigning is not supported yet (#132).
Remove tagging secure, as archiso builds will only ever be used for testing the project.
Build ISOs using fast-single-thread (they take very long otherwise and hit the job time limit) and use any available
runner for anything else.

.gitlab/ci/build-inside-vm.sh:
Expand the script to allow building based on mkarchiso's buildmodes.
Accept two parameters now: profile and buildmode.

Add gitlab collapsable sections by adding specific printfs for it to all functions.
Add extglob to be able to more specifically target files.
Change `create_checksums()` to also generate the legacy md5 and sha1 checksums.
Change `create_checksums()` and `create_zsync_delta()` to accept and process an unspecified amount of files as
parameters.
Change `create_zsync_delta()` to lower the blocksize when creating a file for the bootstrap image.
Change `create_metrics()` to create metrics depending on build mode.
Rename `create_temp_pgp_key()` to `create_ephemeral_pgp_key()`.
Add `create_ephemeral_codesigning_key()` to create a codesigning key, that is used to sign the netboot artifacts.
Change `run_mkarchiso()` to also create an ephemeral codesigning key before running mkarchiso and to run
`create_checksums()` and `create_zsync_delta()` with files depending on build mode.

.gitlab/ci/build-host.sh:
Call `build-inside-vm.sh` using the PROFILE and BUILDMODE environment variables as parameters.

archiso/mkarchiso:
Change `_make_pkglist()` to also generate the package list when using the netboot build mode.

README.rst:
Add openssl as another dependency.
Mention the export of netboot artifacts in the project introduction.
Mention that archiso may be used on other operating systems as well.

docs/README.profile.rst:
Add documentation for the netboot buildmode.

archiso/mkarchiso:
Implement a buildmode to export artifacts required for netboot with IPXE.
When providing the buildmode 'netboot' via profiledef.sh or the `-m` option, all targets necessary to create an ISO
medium are built, but the components required for netboot are exported to the output dir.
Optionally, it is possible to provide a set of certificates for codsigning using the `-c` option, where the first file
is considered as the signer certificate and the second as the key.

Add `_export_netboot_artifacts()` to copy build artifacts to the output directory.
Add `_sign_netboot_artifacts()` to codesign the netboot artifacts in the work directory.
Add `_validate_requirements_buildmode_netboot()` to check for openssl.
Add `_build_iso_base()` to implement common function calls between the 'iso' and the 'netboot' buildmodes.
Add `_build_buildmode_netboot()` to make use of `_build_iso_base()`, (optionally) `_sign_netboot_artifacts()` and
`_export_netboot_artifacts()`.
Change `_build_buildmode_iso()` to make use of `_build_iso_base()`.
Add `-c` as an option to mkarchiso to read in a list of file names.
Unify the output of `_usage()` by using the same definition style for lists of strings provided to options that accept
them (e.g. `-c`, `-m`, `-p`).

Closes #128

README.rst:
Mention bootstrap images in the opening words of the project documentation.
Add awk, erofs-utils, findutils, gzip, libarchive, pacman and sed to dependencies.

docs/README.profile.rst:
Add documentation for the optional `buildmodes` array in profiledef.sh, the understood build modes `bootstrap` and
`iso` and the implicit default build mode 'iso'.
Add basic documentation for the bootstrap_packages.arch file.
Add missing backticks.
Fix indent.

archiso/mkarchiso:
Introduce a buildmodes array, that can be used to build towards more than one output artifact type.
Add a buildmode for building a bootstrap image (a compressed file containing a very minimal Arch installation).
The buildmodes can be set either using a `buildmodes` array in a `profiledef.sh` or by using the `-m` option flag to
mkarchiso and providing a space delimited, quoted list.
The 'iso' buildmode is always the default if no buildmodes are setup.
Implement building a bootstrap image, when using the 'bootstrap' `buildmode`, which uses a profile's
'bootstrap_packages.$arch' file to install packages using pacstrap and compressing it to a bootstrap image.
The name of the output file is currently constructed from the `iso_name` value by appending `-bootstrap`.

Replace the uses of `airootfs_dir` with the more generic `pacstrap_dir`, as the location denotes where pacstrap is
being used.
Replace uses of `img_name` with `image_name` and removing it from the global scope, so that it can be overridden per
each buildmode.
Rename `_cleanup_airootfs_dir()` to `_cleanup_pacstrap_dir()`.
Make `_run_once()` more generic by prepending the state files with a string defined by `run_once_mode`.
Add `_validate_requirements_buildmode_all()`, `_validate_requirements_buildmode_bootstrap()` and
`_validate_requirements_buildmode_iso()` to validate the general requirements of the different buildmodes.
Add `_build_bootstrap_image()` to generate the bootstrap image using bsdtar.
Rename `_build_iso()` to `_build_iso_image()` to fit the naming of the respective bootstrap function.
Extend `_read_profile()` to include the reading of bootstrap image specific packages from a file.
Extend `_validate_options()` to include testing of the bootstrap packages and running of validation functions for all
buildmodes.
Change `_set_overrides()` to override the buildmodes if they are specified via the `-m` option flag.
Change `_make_version()` to be used generically in all buildmodes.
Change `_make_pkglist()` to be used generically in all buildmodes.
Rename `_build_profile()` to `_build_buildmode_iso()` and set local variables that are specific to the buildmode, such
as `image_name`, `pacstrap_dir`, `run_once_mode` , `buildmode_packages` and `buildmode_pkg_list`.
Add `_build_buildmode_bootstrap()` and set local variables that are specific to the buildmode, such as `image_name`,
`pacstrap_dir`, `run_once_mode` , `buildmode_packages` and `buildmode_pkg_list`.
Add the `-m` option flag to the list of flags.

Closes #127

configs/baseline/bootstrap_packages.x86_64:
Add a packages file for bootstrap images using the baseline profile and add arch-install-scripts and base to it.

configs/baseline/profiledef.sh:
Add `buildmodes` array with default entry for the 'iso' buildmode.

configs/releng/profiledef.sh:
Add a `buildmodes` array to releng's profiledef.sh with the up-to-now default buildmode 'iso'.

configs/releng/bootstrap_packages.x86_64:
Add packages file for bootstrap images and add arch-install-scripts and base.

.gitlab/ci/build-host.sh:
Increase the allowed timeout for reaching the initial prompt in the build VM from 30 to 60 seconds.

Fixes #129

scripts/run_archiso:
Change parameters to qemu's `-drive` option to make use of the explicit `read-only=on`, as the implicit `read-only` is
now obsolete.

Closes #126

.gitlab/ci/build-host.sh:
Change parameters to qemu's `-drive` option to make use of the explicit `read-only=on`, as the implicit `read-only` is
now obsolete.

archiso/mkarchiso:
Change the help output to reflect that the `-g` option is generically signing a rootfs (which may be e.g. squashfs or
erofs).
Change the output of `_mksignature()` to be more generic, as it signs any type of understood rootfs image (which may be
e.g. squashfs or erofs).

archiso/mkarchiso:
Force the file extension in use for the PGP signatures of the rootfs to always be .sig.
When gnupg's 'armor' configuration option is used, the output otherwise defaults to using .asc.
As the verification hook in mkinitcpio-archiso expects the .sig file extension, verifying the rootfs will fail in that
scenario.

.gitlab/ci/build-inside-vm.sh:
Create an ephemeral signing key for signing the rootfs image (e.g. squashfs or erofs) when building the profiles.

Implements #125

CHANGELOG.rst:
Add changelog for v53

configs/releng/packages.x86_64:
Add libfido2 for unlocking LUKS2 volumes with FIDO2 tokens.
Add tpm2-tss for unlocking LUKS2 volumes with TPM2.

configs/releng/packages.x86_64:
Add libusb-compat and pcsclite as optional dependencies for gnupg to be able to interact with smartcards out-of-the-box.

Closes #122

Keep all documentation except the main README in the docs directory.

* Don't nest code blocks inside quote blocks.
* Use monospace for paths, options, values, etc.

* Don't nest code blocks inside quote blocks.
* Replace bash with sh, as there's nothing bash-specific in the examples.
* There is no syntax highlighting for grub, use sh.
* Use sentence case for headings.
* Use monospace for paths.

Additionally enable serial in baseline profile.

Related to #75.

Use the gzip option -n/--no-name to prevent saving the original file name and timestamp.

Fixes #104.

mkarchiso: make sure to remove potentially preexisting files from $airootfs_dir before creating them with output redirection

mkarchiso creates "${airootfs_dir}/etc/machine-id" by using output redirection. If this file is an existing symlink, then the printf output would be written to the symlink target. It can be a big issue in case the symlink resolves to a path outside ${airootfs_dir}.

Fixes #121.

This provides the ISO version information in the os-release file.

* IMAGE_ID is set to the value of $iso_name.
* IMAGE_VERSION is set to the value of $iso_version.

Implements #116.

Metrics are now collected in build-inside-vm.sh since the files in question are in the work directory.

Implements #101 and #111.

archiso/initcpio/hooks/archiso_pxe_common:
Disable shellcheck's SC3060, as ash is able to do bash-like string replacements.

.gitlab/ci/build-host.sh:
Change the readonly TMPDIR variable to a global tmpdir variable and set it in the `init()` function.

.gitlab/ci/build-inside-vm.sh:
Change assigning the readonly tmpdir variable directly to assigning it after declaring it.
Change `cleanup()` and `create_zsync_delta()` to use bash-style statements and also check whether SUDO_GID is set before
using it.

mkarchiso: use -isohybrid-gpt-basdat instead of -appended_part_as_gpt for ISOs that will support BIOS booting

Some hardware, like Lenovo Thinkpad T420, will not BIOS boot if the disk has a valid GPT.
See https://bbs.archlinux.org/viewtopic.php?id=264096 .

Instead of a valid GPT, change to a valid MBR and invalid GPT similar to what was used before 729d16b4. That layout, despite having crazy partition tables, boots everywhere.
The difference is that -append_partition is still kept and specified before -isohybrid-gpt-basdat. Thus the appended partition will be listed as EFI system partition in MBR and as Microsoft basic partition in the invalid GPT.

Fixes #102.

This reverts commit 8b6f3545.

CHANGELOG.rst:
Add changelog entry for v52

Implements #90