From f7c5314b5e8c867d4ff1f9ac8b71cbf1e78d0f63 Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Sat, 4 Jul 2026 17:16:24 +0000 Subject: [PATCH] =?UTF-8?q?fix(packaging/arch):=20correct=20pacman=20setup?= =?UTF-8?q?=20=E2=80=94=20import=20the=20registry=20key,=20cache=20cargo?= =?UTF-8?q?=20git?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Gitea Arch registry signs its DB + packages, so 'SigLevel = Optional TrustAll' fails non-interactively (pacman still needs the key to verify). Document the one-time pacman-key import instead; install is then signature-validated under pacman's default SigLevel (verified end-to-end: clean archlinux container -> repo sync -> install, 'Validated By: Signature'). Also cache /usr/local/cargo/git in arch.yml: the workspace pulls clients/windows' git-pinned windows-reactor/windows deps to resolve, cloning windows-rs (huge) every run otherwise — same registry+git cache deb.yml uses. Co-Authored-By: Claude Fable 5 --- .gitea/workflows/arch.yml | 8 +++++++- packaging/arch/README.md | 19 ++++++++++++++----- 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/arch.yml b/.gitea/workflows/arch.yml index ea496ee..f82b01b 100644 --- a/.gitea/workflows/arch.yml +++ b/.gitea/workflows/arch.yml @@ -52,9 +52,15 @@ jobs: - uses: actions/checkout@v4 + # Cache cargo's git dir too, not just the registry: the workspace includes + # clients/windows, whose windows-reactor/windows deps are git-pinned — cargo must CLONE + # them (windows-rs is huge) merely to resolve the workspace, even though nothing Windows + # is ever compiled here. Cached, that cost is paid once per runner. - uses: actions/cache@v4 with: - path: /usr/local/cargo/registry + path: | + /usr/local/cargo/registry + /usr/local/cargo/git key: cargo-home-arch-${{ hashFiles('Cargo.lock') }} restore-keys: cargo-home-arch- diff --git a/packaging/arch/README.md b/packaging/arch/README.md index 02f0d86..e3880b8 100644 
--- a/packaging/arch/README.md +++ b/packaging/arch/README.md @@ -30,24 +30,33 @@ every push and publishes the packages to the **Gitea Arch package registry** — repo, so an Arch box installs and updates punktfunk with `pacman -Syu` like everything else. Two repos mirror the deb/rpm channels: `punktfunk` (release tags) and `punktfunk-canary` (rolling main-branch builds, versioned `X.Y.Z-0.` so a later release always outranks -them). Enable exactly one: +them). Enable exactly one. + +The registry **signs the repo database and every package**, so first import its key into +pacman's keyring (a one-time step — after this, packages install signature-verified): ```sh +# 1. Trust the registry signing key. +curl -fsS https://git.unom.io/api/packages/unom/arch/repository.key \ + | sudo pacman-key --add - +sudo pacman-key --lsign-key E0CA04465C99C936E0B0C6510A317015A34DDD69 + +# 2. Add the repo (pick ONE channel — punktfunk for releases, punktfunk-canary for main builds). sudo tee -a /etc/pacman.conf >/dev/null <<'EOF' [punktfunk] -SigLevel = Optional TrustAll Server = https://git.unom.io/api/packages/unom/arch/$repo/$arch EOF +# 3. Sync + install. sudo pacman -Sy punktfunk-host # gaming rig sudo pacman -Sy punktfunk-client # couch/Deck side sudo pacman -Sy punktfunk-web # optional browser management console ``` -(`SigLevel = Optional TrustAll`: the packages are unsigned; transport security comes from HTTPS -to the registry. Arch is rolling — the packages are built against current Arch sonames, so keep -the box itself updated too.) +(No `SigLevel` line needed — pacman's default `Required DatabaseOptional` verifies the signed +packages against the key you just trusted. Arch is rolling, so the packages are built against +current Arch sonames — keep the box itself updated too.) Then the same first-run steps as a source build (printed by the install scriptlet): `input` group, `host.env`, `systemctl --user enable --now punktfunk-host` — see the next section.
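Review bot: the new comment's "Cached, that cost is paid once per runner" does not match how this cache step behaves: the key is `cargo-home-arch-${{ hashFiles('Cargo.lock') }}`, so the windows-rs clone is repeated (and the cache re-saved) every time Cargo.lock changes, regardless of which runner picks up the job, and because `restore-keys: cargo-home-arch-` seeds each new save from the previous one, stale checkouts under `/usr/local/cargo/git` accumulate in the archive over time. Suggest rewording to "paid once per Cargo.lock" and either accepting the growth or noting that the git dir needs an occasional prune, since the commit message itself calls windows-rs huge.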
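Review bot: the closing note's "pacman's default `Required DatabaseOptional`" is slightly misleading: with the `SigLevel = Optional TrustAll` line removed, the `[punktfunk]` section simply inherits whatever `SigLevel` the box's `[options]` section carries, which is `Required DatabaseOptional` on a stock Arch install but not necessarily on one that has been loosened; suggest "the repo inherits your `[options]` SigLevel (`Required DatabaseOptional` on a stock Arch install)". It is also worth one sentence explaining that `sudo pacman-key --lsign-key E0CA04465C99C936E0B0C6510A317015A34DDD69` is what pins trust: `pacman-key --add -` accepts whatever `repository.key` serves, but a key with a different fingerprint is never locally signed, so the install fails verification instead of silently trusting it. Lastly, the unchanged `sudo pacman -Sy punktfunk-host` lines refresh the database and install without upgrading the rest of the system, which is exactly the rolling-distro mismatch the same paragraph warns about; the intro already says `pacman -Syu`, so the examples should too.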