Commit Graph

8 Commits

Author SHA1 Message Date
nl6720
60a38f0890
.gitlab/ci/build_archiso.sh: do not use "default" as the gpg Key-Type
GnuPG changed their default from RSA to ECC, so Key-Length is not
a thing it supports. Instead it asks for the Key-Curve.

Avoid using the default and hardcode ed25519 (which is the current
GnuPG default).
2023-12-07 10:39:20 +02:00
nl6720
8ddd08f51d
.gitlab/ci/build_archiso.sh: create a valid code signing certificate
Make sure the certificate has an extendedKeyUsage section with
codeSigning per the iPXE requirements.

Fixes #195
2023-08-02 16:06:49 +03:00
nl6720
279d3c0971
.gitlab/ci/build_archiso.sh: improve CI codesigning certificate
Adjust subject name to more closely match what's used in create_ephemeral_pgp_key.

Reduce the certificate validity to two days. These are just temporary
certificates, they will not be used anywhere.

Fixes #196
2023-08-02 16:04:35 +03:00
nl6720
28a3a54c5f
Fix optional shellcheck warnings
Additionally fix a few code style issues found with shfmt.
2023-06-15 15:12:28 +03:00
Anton Hvornum
326cfed7cc
Add the ability to generate rootfs signatures using openssl CMS module if `-c` is given.
(gitlab ci)

Added a CA structure to the codesigning certificates.
This is to test the functionality of optional CA being in the signing message.

(mkarchiso)
Removed the ``sign_netboot_artifacts`` variable and instead
we'll now rely on ``if [[ -v cert_list ]]; then``.

Added ``ARCHISO_TLS_FD`` and ``ARCHISO_TLSCA_FD`` environment variables
to override the certificates used. This is so that third party CAs can
be used during building in a meaningful way without disrupting the
CA trust that is shipped by default.

_cms_sign_artifact() was added which signs the rootfs using OpenSSL CMS.
The files will be saved as "${artifact}.cms.sig". That would be for instance
"${isofs_dir}/${install_dir}/${arch}/airootfs.sfs.cms.sig".
2022-09-25 19:54:41 +02:00
nl6720
3c6cdb1469
.gitlab/ci/build_archiso.sh: use mkarchiso's -G option
Set gpg's --sender.
2021-08-25 00:26:07 +03:00
David Runge
e0514b1d2e
ci: Provide artifacts in top-level output dir
.gitlab/ci/build-inside-vm.sh:
Change the build script to provide the build artifacts and metrics in the top-level output directory.
This goes in line with the soon to be used ci-scripts, allowing code sharing amongst several projects.
2021-07-01 15:07:19 +02:00
David Runge
a44310b220
Rename build script
.gitlab/ci/build_archiso.sh:
Rename .gitlab/ci/build-inside-vm.sh to .gitlab/ci/build_archiso.sh.

.gitlab-ci.yml:
Rename BUILD_SCRIPT to build_archiso.sh.
2021-07-01 15:07:04 +02:00