[arch-dev-public] Netboot of 2021.11.01 ISO image is broken

David Runge dave at sleepmap.de
Mon Nov 1 18:52:24 UTC 2021


On 2021-11-01 18:49:48 (+0100), Pierre Schmitz via arch-dev-public wrote:
> On Mon, Nov 1, 2021 at 5:10 PM David Runge <dave at sleepmap.de> wrote:
> > ... use an ephemeral PGP key (which is fine, as
> > it is not relevant whether it is a specific PGP key, only that the
> > *correct* PGP key is used to validate the root image).
> 
> Thanks for your insights. I think I have now found the missing pieces.
> Using an ephemeral key made it much easier. I created it as it is
> done in https://gitlab.archlinux.org/archlinux/archiso/-/blob/master/.gitlab/ci/build_archiso.sh#L162
> (not part of archiso itself, so I got confused). I re-uploaded the arch
> folder. Let's hope that fixes the issue.

Cool, glad you could fix it! :)

Yes, the key has to be provided during build time, which is possible,
but starts getting a bit ugly once one switches user contexts
(nl6720 uses that type of setup from time to time, if you have
questions).
The build runs on a secure runner as root (in a VM in a container).

There are still a few things preventing us from being able to run
archiso without root [1].

> Still, doesn't this show we do not really need GPG to achieve
> verification? We currently use _verify_signature() in
> mkinicpio-archiso, but shouldn't _verify_checksum() be as secure
> without the hassle to involve GPG?

Hm, I would argue that PGP is cryptographically strong, is already
implemented for this use-case and works (TM).
Unless someone comes up with an equal or better solution that we can use
there, I guess it is the way for us to do this currently.

Additionally, this is already solved and automated within the context of
releng and I believe a good way forward would be to establish a workflow
in which we rely on the automatically built artifacts.
As pointed out by you in your initial mail, you are currently the only
person responsible for the openssl-based codesigning certificate. All we
need to do is create a new one following the workflow described in the
README of the releng project and start using it (which conveniently also
raises the bus factor for this a bit).
What do you think? :)

Best,
David

[1] https://gitlab.archlinux.org/archlinux/archiso/-/issues/40

-- 
https://sleepmap.de
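The ephemeral-key flow the thread refers to, as an added example that is neither archiso's nor mkinitcpio-archiso's own code: a throw-away PGP key is created at build time, only its public half is kept for the boot environment, and the root image is checked against that key, side by side with a plain checksum check of the kind the question above asks about. It assumes gpg (GnuPG 2.x) and sha256sum are installed; file names, the key's user ID and the image contents are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not archiso's own code). Assumes gpg 2.x and sha256sum.
set -euo pipefail

# Build side: ephemeral key, constructed root image, detached signature and a
# checksum file that would be served next to the image. Prints the work dir.
build_signed_image() {
    local work; work="$(mktemp -d)"
    mkdir -m 700 "$work/build-gnupg"
    # Ephemeral signing key without a passphrase; the private half stays in $work.
    gpg --homedir "$work/build-gnupg" --batch --quiet --no-tty --pinentry-mode loopback \
        --passphrase '' --quick-generate-key 'netboot build <build@example.invalid>' default default never
    # Only the public key is exported; this is what the initramfs would carry.
    gpg --homedir "$work/build-gnupg" --batch --quiet --export --armor 'build@example.invalid' \
        > "$work/pubkey.asc"
    printf 'constructed root image\n' > "$work/airootfs.sfs"
    gpg --homedir "$work/build-gnupg" --batch --quiet --detach-sign \
        --output "$work/airootfs.sfs.sig" "$work/airootfs.sfs"
    (cd "$work" && sha256sum airootfs.sfs > airootfs.sha256)
    echo "$work"
}

# Boot side: import the embedded public key into a fresh keyring and verify the
# detached signature. Exit status 0 means a good signature from that key.
verify_signature() {
    local work="$1" keyring; keyring="$(mktemp -d)"
    chmod 700 "$keyring"
    gpg --homedir "$keyring" --batch --quiet --no-tty --import "$work/pubkey.asc" 2>/dev/null
    gpg --homedir "$keyring" --batch --quiet --no-tty --verify \
        "$work/airootfs.sfs.sig" "$work/airootfs.sfs" 2>/dev/null
}

# Checksum-only check: proves the image matches the checksum file fetched with it,
# so it cannot tell a rebuilt image plus rebuilt checksum from the original.
verify_checksum() {
    (cd "$1" && sha256sum --quiet -c airootfs.sha256 >/dev/null 2>&1)
}
```

Replacing both airootfs.sfs and airootfs.sha256 keeps verify_checksum passing, while verify_signature fails because the ephemeral private key is not available outside the build.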