From e2722d17b38a59cf0367cbf63525d45e21a6f410 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 3 Dec 2022 17:11:00 +0200 Subject: [PATCH] archlinux.ipxe: do not perform GPG signature verification for the root file system image Now that there have been three ISO releases with OpenSSL signed root file system image, the GPG-based verification option `verify=y` can be removed. Doing this will allow releasing official ISOs without a GPG signed root file system image. The past few ISOs have been signed with an "Ephemeral Signing Key", so nothing of value will be lost. This was done because it is complicated to run `mkarchiso` as root while passing it the user's GPG keys. The envisioned future automated release process would also benefit by not tangling itself with GPG and only rely on code signing certificates. Follow-up to commit 248908d4223b9ccf274fe19175b91d365a8501f8 --- templates/releng/archlinux.ipxe | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/releng/archlinux.ipxe b/templates/releng/archlinux.ipxe index 7af2a993..3938e0f9 100644 --- a/templates/releng/archlinux.ipxe +++ b/templates/releng/archlinux.ipxe @@ -132,7 +132,7 @@ initrd ${mirrorurl}iso/${release}/arch/boot/intel-ucode.img || goto failed_downl imgverify intel-ucode.img ${mirrorurl}iso/${release}/arch/boot/intel-ucode.img.ipxe.sig || goto failed_verify initrd ${mirrorurl}iso/${release}/arch/boot/x86_64/initramfs-linux.img || goto failed_download imgverify initramfs-linux.img ${mirrorurl}iso/${release}/arch/boot/x86_64/initramfs-linux.img.ipxe.sig || goto failed_verify -imgargs vmlinuz-linux initrd=amd-ucode.img initrd=intel-ucode.img initrd=initramfs-linux.img archiso_http_srv=${mirrorurl}iso/${release}/ archisobasedir=arch verify=y cms_verify=y ${extrabootoptions} +imgargs vmlinuz-linux initrd=amd-ucode.img initrd=intel-ucode.img initrd=initramfs-linux.img archiso_http_srv=${mirrorurl}iso/${release}/ archisobasedir=arch cms_verify=y ${extrabootoptions} boot || goto failed_boot :failed_download