Verified Commit b3919744 authored by Kristian Klausen

Sign the images

It is unlikely a "signing enclave"[1] will be implemented in the short
term, and rather than wait forever, we can sign with a GPG key until a
better solution presents itself. The GPG master-key is stored in the
infrastructure repository[2].

[1] infrastructure#280
[2] infrastructure!579

Fix #132
parent d04c8274
......@@ -62,6 +62,13 @@ build:secure:
only:
- master@archlinux/arch-boxes
- schedules@archlinux/arch-boxes
script:
- !reference [.build, script]
- gpg --import < <(echo "${GPG_PRIVATE_KEY}")
- |
for file in output/*; do
gpg --detach-sign "${file}"
done
test-vagrant-boxes-format:
stage: test
......
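Review bot: the `gpg --detach-sign "${file}"` call in the loop names no signing key and runs without `--batch`, so the key used is whatever the imported keyring makes the default and gpg is never told the job is non-interactive. Consider `gpg --batch --local-user <fingerprint> --detach-sign "${file}"`, with `<fingerprint>` standing for the intended signing key, followed by a `gpg --verify "${file}.sig" "${file}"` pass after the loop so a missing or bad signature fails the build before anything is published. The `gpg --import` line also loads the private key into the job's default keyring; pointing `GNUPGHOME` at a temporary directory and removing it at the end of the script would keep the key from outliving the job on a runner that is not ephemeral.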
......@@ -31,3 +31,25 @@ You'll need the following dependencies:
The official builds are done in our Arch Linux GitLab CI and can be built locally by running:
./build-host.sh
# Releases
Every release is signed by our CI with the following key:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYpOJrBYJKwYBBAHaRw8BAQdAcSZilBvR58s6aD2qgsDE7WpvHQR2R5exQhNQ
yuILsTq0JWFyY2gtYm94ZXMgPGFyY2gtYm94ZXNAYXJjaGxpbnV4Lm9yZz6IkAQT
FggAOBYhBBuaFphKToy0SHEtKuC3i/QybG+PBQJik4msAhsBBQsJCAcCBhUKCQgL
AgQWAgMBAh4BAheAAAoJEOC3i/QybG+P81YA/A7HUftMGpzlJrPYBFPqW0nFIh7m
sIZ5yXxh7cTgqtJ7AQDFKSrulrsDa6hsqmEC11PWhv1VN6i9wfRvb1FwQPF6D7gz
BGKTiecWCSsGAQQB2kcPAQEHQBzLxT2+CwumKUtfi9UEXMMx/oGgpjsgp2ehYPBM
N8ejiPUEGBYIACYWIQQbmhaYSk6MtEhxLSrgt4v0MmxvjwUCYpOJ5wIbAgUJCWYB
gACBCRDgt4v0Mmxvj3YgBBkWCAAdFiEEZW5MWsHMO4blOdl+NDY1poWakXQFAmKT
iecACgkQNDY1poWakXTwaQEAwymt4PgXltHUH8GVUB6Xu7Gb5o6LwV9fNQJc1CMl
7CABAJw0We0w1q78cJ8uWiomE1MHdRxsuqbuqtsCn2Dn6/0Cj+4A/Apcqm7uzFam
pA5u9yvz1VJBWZY1PRBICBFSkuRtacUCAQC7YNurPPoWDyjiJPrf0Vzaz8UtKp0q
BSF/a3EoocLnCA==
=APeC
-----END PGP PUBLIC KEY BLOCK-----
```
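Review bot: the new Releases section publishes the key block but gives neither the key's fingerprint nor the commands to check a download, so a reader has nothing shorter than the full block to compare against and has to work out the verification step alone. Add the full fingerprint in text under "Every release is signed by our CI with the following key:" and a short recipe: import the key, then run `gpg --verify <image>.sig <image>`, where `<image>` stands for the downloaded file. This file is changed in the same repository as the build job, so it is also worth stating a second place where the fingerprint can be cross-checked.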