.gitlab-ci.yml:
Install the latest archlinux-keyring before installing anything else.
This is to make sure to not run into outdated keys upon updating, which
is a problem because we can currently not even ensure a keyring that is
valid longer than one month...
https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/4
By weltio weltio
move $arch override to before it is used
closes https://gitlab.archlinux.org/archlinux/archiso/-/issues/163
* initial: arch=""
* _read_profile: packages="${profile}/packages.${arch}"
* _set_overrides: [[ -n "$arch" ]] || arch="$(uname -m)"
$arch is not defined in _read_profile if arch is not defined in profiledef.sh and packages is not updated after _set_overrides
[[ -n "$arch" ]] || arch="$(uname -m)" should be moved from _set_overrides to _read_profile.
* 151-mkarchiso-should-show-code-signing-certificates-none-if-no-keys-cerfificates-are-specified:
mkarchiso: show "Code signing certificates: None" if no keys/certificates are specified
The curl --retry-connrefused option is used with, not instead of, the --retry <num> option to add an extra type of failure to retry on; without --retry <num> it does not retry at all, even on a connection refused.
https://man.archlinux.org/man/curl.1.en
"rescue/installation actions for {grub,refind} should be run from
within a chroot" is a false statement. See --boot-directory of
grub-install and --root of refind-install. (In the case of grub,
there are people that do not use the ugly grub-mkconfig at all.)
* nl6720/more-quiet:
mkarchiso: use mkfs.erofs --quiet in quiet mode
mkarchiso: use mksquashfs -quiet instead of redirecting its stdout to /dev/null
mkarchiso: do not show subdirectory sizes in netboot mode
mkarchiso: redirect command -v output to /dev/null
mkarchiso: silence xorriso's note about SOURCE_DATE_EPOCH
mkarchiso: silence mkfs.fat in quiet mode
mksquashfs supports a -quiet option since squashfs-tools 4.4.
Use this option in non-verbose mode instead of redirecting stdout of the whole command to /dev/null.
This allows having only one instance of mksquashfs in _run_mksquashfs instead of multiple ones in if-then-else.
Related to #148.
The `xorriso -as mkisofs` option `-quiet` is interpreted too late. Use native xorriso option `-report_about SORRY` instead and ensure it is the first option.
Related to #148.
printf is a bash builtin, so by using it an external command can be avoided.
Due to the differences between date(1) and strftime(3), the time zone output will not contain a colon anymore. Fortunately, that is still a supported format according to https://en.wikipedia.org/wiki/ISO_8601#Time_offsets_from_UTC .
* nl6720/fix-unbound-variables-in-_validate_options:
mkarchiso: error out of iso and netboot build modes if no boot modes are specified
mkarchiso: split out build mode specific checks from _validate_options to _validate_requirements_buildmode_*
mkarchiso: fix unbound variable errors in _validate_options
The bootstrap build mode does not use packages.${arch}, ${bootmodes[@]} or $airootfs_image_type so there's no need to validate them.
Requirements common to iso and netboot are checked with the _validate_common_requirements_buildmode_iso_netboot function.
Fixes #149.
* Rename _validate_requirements_buildmode_all to _validate_common_requirements_buildmode_all to prevent potential conflicts since we are using _validate_requirements_buildmode_${_buildmode} to run the functions.
* Improve searching in an array. See https://stackoverflow.com/a/15394738.
$pkg_list_from_file and $bootstrap_pkg_list_from_file are arrays; they must be referenced as such. Fixes https://bugs.archlinux.org/task/71852.
Remove quotes from arithmetic expressions.
* nl6720/gpg-sender:
.gitlab/ci/build_archiso.sh: use mkarchiso's -G option
mkarchiso: support setting gpg sender
mkarchiso: add some sane gpg options to override those set in user's gpg.conf
Add new -G option to set gpg's --sender. This allows seeing who signed the rootfs image without needing to import the gpg key from the keyring in initramfs.
* Add --batch, since gpg is run in a script.
* Add --no-armor (this is the default). Armored output provides no benefit here.
* Add --no-include-key-block (this is the default). There is no need to have the gpg key in the signature. The mkinitcpio hook will verify the signature against the included keyring.
Remove the output files before running gpg. Otherwise gpg --batch will fail if they exist.
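
The signing invocation described in the gpg commit messages above, written out as an added example. This is not mkarchiso's own code; `sign_image`, its arguments and the `.sig` naming are hypothetical, and it is written for POSIX sh.

```shell
# Added example (not archiso's code): detached-sign an image with the gpg
# options listed above. All function and variable names are hypothetical.

# sign_image IMAGE KEY [SENDER]
#   IMAGE   file to sign; the signature is written to IMAGE.sig
#   KEY     key ID or fingerprint passed to --default-key
#   SENDER  optional user ID / mail address passed to --sender
sign_image() {
    image=$1 key=$2 sender=${3:-}
    sig="${image}.sig"

    [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
    [ -n "$key" ]   || { echo "no signing key given" >&2; return 1; }

    # gpg --batch cannot ask whether to overwrite an existing file and
    # fails instead, so remove any stale signature first.
    rm -f -- "$sig"

    # Options are given explicitly so a user's gpg.conf cannot change the
    # result:
    #   --batch                 never prompt, gpg runs from a script
    #   --no-armor              binary signature, no ASCII armor
    #   --no-include-key-block  do not embed the key in the signature;
    #                           the verifier uses its own keyring
    set -- --batch --no-armor --no-include-key-block

    # --sender embeds the signer's user ID in the signature, so it is
    # visible without importing the key.
    [ -z "$sender" ] || set -- "$@" --sender "$sender"

    set -- "$@" --default-key "$key" --output "$sig" --detach-sign "$image"

    if ! gpg "$@"; then
        rm -f -- "$sig"    # do not leave a partial signature behind
        return 1
    fi
}
```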