This repository is used to create release artifacts for Arch Linux.
Releases of this repository provide artifacts, that are in either of the following two categories: build artifacts and promotion artifacts. For archweb only releases with both artifact types are considered.
These artifacts are the output of the build script in this repository (e.g. by running make as root, locally). It gathers artifacts by:
- running
mkarchiso(archiso) using the releng profile in all available build modes (bootstrap,iso,netboot) - copying relevant binaries from the ipxe package
- creating a codesigned iPXE target script (see #9)
- creating zsync files for large artifacts
- creating checksums
The artifacts are assembled in a directory structure, that reflects the artifact type (bootstrap, ipxe, iso,
netboot) per-release (i.e. <type>/<type>-<version>).
These artifacts are added to a release by a developer, after it has been created to "promote" the release to become one that is used on the mirrors. Promotion artifacts encompass:
- detached PGP signatures for the
isoandbootstrapbuild artifacts (see #1) - base64-encoded torrent files for the
isoandbootstrapbuild artifacts (which include the detached PGP signatures) (see #5) - a JSON file with required metadata for the release (see #3)
mkarchiso (archiso) offers the export of server-side artifacts,
that allow for iPXE to use them. The artifacts can optionally be codesigned which can establish a
trust path between a client and the server-side files.
How to establish a code signing authority is explained in the iPXE upstream documentation. The server-side artifacts are signed using a codesigning certificate and key pair. The codesigning certificate is then embedded in the iPXE binary and is used during boot to validate the codesigning signature when downloading the file.
Additionally, CA certificates are embedded in the iPXE binary to validate the TLS connection over which the data is transmitted.
iPXE binary Server
xxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
x CA cert(s) x =====> x Transport Layer Security x
xxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
x Codesigning Certificate x =====> x Codesigning Signature x
xxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx- Create a new code signing key pair using
codesigning/create_codesigning_key_pair.sh. - Embed the codesigning certificate in the binaries generated by the ipxe package and release a new version of the package.
- Add the codesigning certificate and key as variables of type File to this repository
(
SECRET_CODESIGNING_CERT_FILEandSECRET_CODESIGNING_KEY_FILE, respectively), so that they can be accessed during build. - Build a new release with the respective artifacts being signed with the new codesigning key and make sure that the release contains the iPXE binaries from the updated package (embedding the new codesigning certificate)
- Once all official releases using the previous codesigning key pair have been removed, the previous codesigning certificate can be removed from the ipxe package.
Releng is licensed under the terms of the GPL-3.0-or-later (see LICENSE).