From 2e6b822fd6d9df17fe77d862f5dfb5a40c6036b0 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Sat, 4 Jul 2026 17:19:28 +0000
Subject: [PATCH] docs(ci/arch): correct the header's pacman setup (key import, not TrustAll) + note the trust root
Co-Authored-By: Claude Fable 5
---
 .gitea/workflows/arch.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/arch.yml b/.gitea/workflows/arch.yml
index f82b01b..6cff795 100644
--- a/.gitea/workflows/arch.yml
+++ b/.gitea/workflows/arch.yml
@@ -4,12 +4,15 @@
 # Arch is rolling, so the packages build against whatever the archlinux:base-devel container
 # resolves today — the same sonames an up-to-date Arch box runs.
 #
-# Registry (public, unom org) — box setup (once), see packaging/arch/README.md:
+# Registry (public, unom org) — box setup (once), see packaging/arch/README.md. The registry
+# SIGNS the DB + packages, so the box imports the registry key first (pacman-key --add +
+# --lsign-key), then no SigLevel line is needed (pacman's default Required verifies):
 # [punktfunk] # or [punktfunk-canary] for main-push builds
-# SigLevel = Optional TrustAll
 # Server = https://git.unom.io/api/packages/unom/arch/$repo/$arch
 #
 # REGISTRY_TOKEN: repo Actions secret, a PAT with write:package scope (shared with docker.yml).
+# NOTE: this token + the registry-held private key are the trust root — a token holder can
+# publish a validly-signed package (the signature attests "via the registry", not "built by CI").
 
name: arch
on:
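Review bot: The added line `--lsign-key), then no SigLevel line is needed (pacman's default Required verifies):` overstates what the default enforces: the stock pacman.conf global setting is `SigLevel = Required DatabaseOptional`, so with no per-repo SigLevel the package signatures are checked but the DB signature the header says the registry produces is verified only if present and is not required. If the DB signature is meant to protect the box against a stale or swapped repo database, the setup snippet should keep a per-repo line such as `SigLevel = Required DatabaseRequired` rather than dropping the line entirely, and the sentence should say so; if the box's pacman.conf is not stock, hedge the comment accordingly. The same header could also note that the key import (`pacman-key --add` + `--lsign-key`) pins a specific key, so a registry key rotation must be accompanied by a re-import on each box or installs start failing. The hunk touches comments only, so the workflow's behavior is unchanged.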