On Mon, Nov 1, 2021 at 5:10 PM David Runge <dave@sleepmap.de> wrote:
> ... use an ephemeral PGP key (which is fine, as it is not relevant whether it is a specific PGP key, only that the *correct* PGP key is used to validate the root image).

Thanks for your insights. I think I have now found the missing pieces. Using an ephemeral key made it much easier. I created it as it is done in https://gitlab.archlinux.org/archlinux/archiso/-/blob/master/.gitlab/ci/buil... (not part of archiso itself, so I got confused).

I re-uploaded the arch folder. Let's hope that should fix the issue.

Still, doesn't this show we do not really need GPG to achieve verification? We currently use _verify_signature() in mkinitcpio-archiso, but shouldn't _verify_checksum() be as secure without the hassle to involve GPG?

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com