[arch-dev-public] Netboot of 2021.11.01 ISO image is broken
Pierre Schmitz
pierre at archlinux.de
Mon Nov 1 14:32:51 UTC 2021
Hi all,

I did have some trouble building the current ISO image. As archiso
requires to be run as root I had to work around some issues with GPG.
As those no longer worked, I thought I would manually sign the artifacts.
This did work fine, but later on I noticed that when using Netboot
(PXE), mkinitcpio-archiso is no longer able to verify the FS due to
the lack of any public key for GPG to use. In the meantime I moved the
arch folder from the release directory. Note: just using Netboot is
broken; the regular ISO image is fine.

The whole PXE boot setup is weird though. It starts with an openssl
signature for which I am the only one to sign it. We then verify the
airootfs using gpg for which we provide the public key (the part which
is currently broken). Wouldn't it be enough to instead verify the
integrity using the sha checksums we already have, if it was already
contained in the ssl signed image?

Before diving deeper into the issue in order to solve it, I was
wondering if it wouldn't be better to ditch the whole netboot setup.
It is quite complex and hard to test. What do you think? I have to
admit that I do not know of any use case where you could not use a
regular ISO image and had to use PXE boot.

Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
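
The checksum-based alternative asked about in the message, as an added example (not part of the original e-mail and not archiso or mkinitcpio-archiso code): a checksum authenticates the root filesystem only when the checksum file itself is covered by a verified signature. File names, the throwaway RSA key and the use of plain `openssl dgst` signatures are assumptions made for this illustration; the real netboot image may use a different signature format.

```shell
#!/bin/sh
# Constructed fixture: hypothetical file names, throwaway key, dummy image.
set -u

# make_fixture DIR: create a dummy image, a SHA-512 manifest and a signature
# over the manifest (the manifest plays the role of the signed boot payload).
make_fixture() {
    dir=$1
    printf 'constructed airootfs contents\n' > "$dir/airootfs.sfs"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/signer.key" 2>/dev/null
    openssl pkey -in "$dir/signer.key" -pubout -out "$dir/signer.pub"
    (cd "$dir" && sha512sum airootfs.sfs > sha512sums.txt)
    openssl dgst -sha256 -sign "$dir/signer.key" \
        -out "$dir/sha512sums.txt.sig" "$dir/sha512sums.txt"
}

# verify_release DIR: 0 = trusted, 1 = manifest signature invalid,
# 2 = image does not match the signed digest.
verify_release() {
    dir=$1
    # Step 1: authenticate the manifest. An unsigned checksum proves nothing,
    # because whoever can replace the image can replace the checksum as well.
    openssl dgst -sha256 -verify "$dir/signer.pub" \
        -signature "$dir/sha512sums.txt.sig" "$dir/sha512sums.txt" \
        >/dev/null 2>&1 || return 1
    # Step 2: compare the image against the now-trusted digest.
    (cd "$dir" && sha512sum -c sha512sums.txt >/dev/null 2>&1) || return 2
    return 0
}

# Demo run on the constructed fixture.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
if verify_release "$demo_dir"; then echo "untouched image: accepted"; fi
printf 'tampered' >> "$demo_dir/airootfs.sfs"
verify_release "$demo_dir" || echo "modified image: rejected (code $?)"
rm -rf "$demo_dir"
```

In this arrangement the second public key is unnecessary only because the digest travels inside data that has already been signature-checked; a checksum fetched alongside the image over the same unauthenticated channel would not give that guarantee.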