mkarchiso: sign the ISO and bootstrap tarball with the codesigning certificate
Use `openssl cms` to sign the ISO and bootstrap tarball after they are built. Unlike the signature of the root file system image (airootfs.*.cms.sig), the signature file will contain the signing certificate. This allows verifing the signature without needing to provide the certificate unless it is a self-signed certificate. Only the ISO or tarball, its signature and CA certificate are needed. For example: $ openssl cms -verify -binary -noattr -purpose any -in archlinux-2023.11.21-x86_64.iso.cms.sig -content archlinux-2023.11.21-x86_64.iso -inform DER -out /dev/null -CAfile cacert.pem
Loading
Please register or sign in to comment