archr-keyring: ship the production ArchR master public key

Master generated 2026-06-23 offline (ed25519 cert-only with ed25519
sign subkey expiring 2028-06-23). Private master lives on encrypted
cold storage; the signer subkey is on the build workstation only.
Revocation certificate kept offline in two physical locations.

Fingerprint: 0CB282379EBB394EF380AEB98A762D5706C602A1

archr.gpg is the binary public keyring that pacman-key --populate archr
walks; archr-trusted gives the master full ownertrust (level 4) so
packages signed by its subkey are accepted; archr-revoked stays empty
until a key is actually revoked.

archr-keyring/package.mk already auto-detects these files (instead of
the empty placeholders it shipped before) and includes them in the
image. With the keyring populated, the next gen-pacman-repo run with
SIGNER set will produce a properly signed archr.db and per-package
.sig files that ArchR clients can verify.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Douglas Teles
2026-06-23 17:35:06 -03:00
parent b6ceea9347
commit 43e464525f
3 changed files with 1 additions and 0 deletions
@@ -0,0 +1 @@
0CB282379EBB394EF380AEB98A762D5706C602A1:4: