mirror of
https://github.com/archr-linux/Arch-R.git
synced 2026-07-12 18:19:42 -07:00
43e464525f
Master generated 2026-06-23 offline (ed25519 cert-only with ed25519 sign subkey expiring 2028-06-23). Private master lives on encrypted cold storage; the signer subkey is on the build workstation only. Revocation certificate kept offline in two physical locations. Fingerprint: 0CB282379EBB394EF380AEB98A762D5706C602A1 archr.gpg is the binary public keyring that pacman-key --populate archr walks; archr-trusted gives the master full ownertrust (level 4) so packages signed by its subkey are accepted; archr-revoked stays empty until a key is actually revoked. archr-keyring/package.mk already auto-detects these files (instead of the empty placeholders it shipped before) and includes them in the image. With the keyring populated, the next gen-pacman-repo run with SIGNER set will produce a properly signed archr.db and per-package .sig files that ArchR clients can verify. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>