GnuPG changed their default from RSA to ECC, so Key-Length not
a thing it supports. Instead it asks for the Key-Curve.
Avoid using the default and hardcode ed25519 (which is the current
GnuPG default).
Even if GRUB is not used as a boot loader for the ISO, create a
`/boot/grub/grubenv` file in the ISO 9660 file system. If a
`loopback.cfg` file exists in the profile's `grub` directory, copy it
to `/boot/grub/loopback.cfg` on the ISO.
This ensures the funtionality will not be lost if the used boot loaders
are changed.
Construct a human readable platform identifier from GRUB's built-in
variables and use it in menu item descriptions.
Only add the menu entries for the additional tools (UEFI shell,
Memtest86+) if the files exist.
Modify baseline's `grub.cfg` to closer match releng.
* Do not manually load modules that will get loaded by invoking a command.
* Explicitly load serial modules.
* Move `insmod all_video` after the font is loaded.
The systemd 254.2-1 package ships with IA32 systemd-boot, so it is
possible to use for booting on IA32 UEFI.
Perhaps they will be useful in the future.
At least for now, the baseline and releng profiles are not changed to
use them. When the issues and headaches caused with GRUB reach a
critical point, then we will switch.
bolt can be used to list and authorize Thunderbolt and USB4 devices.
Inspired by https://bbs.archlinux.org/viewtopic.php?id=288731 where a
user needed to install the package in the live environment.
The only changes we make to the default are to enable root login via a
password.
While `PasswordAuthentication yes` is the default, let's set it
explicitly to avoid potential issues in the future.
openssh 9.4p1-2 changed /etc/ssh/sshd_config to add support for
drop-in files in /etc/ssh/sshd_config.d/.
Using drop-in files avoids needing to keep up with changes to the
default /etc/ssh/sshd_config.
Since systemd 245, IPv6PrivacyExtensions can be set not just per
connection, but also globally for all connection with a configuration
file in /etc/systemd/network.conf.d/.
Since tmpfs has a `noswap` option, use it instead of ramfs. Unlike
ramfs, tmpfs has a limit to its size.
This reverts commit 09b0428128 ("configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount: use ramfs").
Adjust subject name to more closely match what's used in create_ephemeral_pgp_key.
Reduce the certificate validity to two days. These are just temporary
certificates, they will not be used anywhere.
Fixes#196
Options set in xorriso startup files (~/.xorrisorc) could interfere with the xorriso command run by mkarchiso.
For example, if ~root/.xorrisorc contains -dummy on, then the ISO file will be empty.
Pass -no_rc as the first option to xorriso to prevent interference and unintended behavior.
Fixes#153.
Since `_build_buildmode_netboot` runs `_build_iso_base` which runs
`_prepare_airootfs_image`, the call to `_cms_sign_artifact` in
`_build_buildmode_netboot` can be removed.
Fixes#197
`-r` will instruct to delete the working directory at the end of a
`mkarchiso` run.
If the specified directory already exists, then it will not be deleted
and instead produce a warning.
Implements #211
When restarting an interrupted build, SOURCE_DATE_EPOCH needs to be
available before `profiledef.sh` is read, since it may reference it.
Fixes 7c6f266ec9
It will be replaced with the ISO's modification date in UTC, i.e.
its "UUID".
This allows to replace `archisolabel=%ARCHISO_LABEL%` with
`archisodevice=UUID=%ARCHISO_UUID%` in boot loader configurations.
Related to #202
