In between series I like to do things that will improve the project and the user experience before the next series. The 21.1 series is done.
Thinking about the 21.1 series, one of the later improvements was providing signed ISOs. Sadly, when looking into providing them I learned that the way I created the GPG key produced a key that is good for signing emails, not software. I like to be proactive with security; so far, to my knowledge, we have had no security problems, and I would like to keep it that way.
It was my first key, and it looks like I had a lot to learn. After reading a lot about GPG keys I learned a lot more, and I ended up with an Ed25519 key. Some friends I have known for 20+ years, who occasionally help with the project, created Ed25519 keys too, and we all signed each other's keys during a Zoom meeting. The next step was to repackage 155 packages with the new signing key.
The repository would be a problem. I only have 1 GB of hosting space, so I couldn't easily duplicate a little over 600 MB of packages. I came to the conclusion that the newer signed packages are the future, but I had a user base that was using the old key. To prevent those users from getting pamac errors, I cut the old repository down to a handful of packages that are part of the desktop of some spins. The themes have been moved to the new repository.
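The lesson above is that a key's capabilities should be checked before it is trusted to sign anything. The POSIX shell functions below, an added example and not part of the original post, read the machine-readable output of `gpg --list-keys --with-colons` and report each key packet's algorithm and capability letters (field 12: `s` sign, `c` certify, `e` encrypt, `a` authenticate). The key listing embedded here is constructed sample data, not the project's real key.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output (not a real key):
# an Ed25519 primary key (algorithm 22 = EdDSA) with a signing subkey and an
# ECDH (algorithm 18) encryption subkey. Field 2 is validity, field 4 the
# algorithm number, field 12 the capability letters (lowercase = this packet's
# own capabilities, uppercase = capabilities reachable through the whole key).
SAMPLE_COLONS='pub:u:255:22:0123456789ABCDEF:1600000000:::u:::scESC:::::ed25519:23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example Signer <signer@example.org>::::::::::0:
sub:u:255:22:FEDCBA9876543210:1600000000::::::s:::::ed25519:23::0:
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:255:18:1122334455667788:1600000000::::::e:::::cv25519:23::0:'

# Same key shape, but every packet is marked expired (validity "e"): a signing
# subkey that has lapsed must not count as usable.
SAMPLE_EXPIRED='pub:e:255:22:0123456789ABCDEF:1600000000:1600000001::u:::scESC:::::ed25519:23::0:
sub:e:255:22:FEDCBA9876543210:1600000000:1600000001:::::s:::::ed25519:23::0:'

# Map the OpenPGP algorithm number to a name so it is obvious whether the key
# really is an EdDSA (Ed25519) key or an older RSA/DSA one.
algo_name() {
  case "$1" in
    1) echo RSA ;; 17) echo DSA ;; 18) echo ECDH ;; 19) echo ECDSA ;; 22) echo EdDSA ;;
    *) echo "unknown($1)" ;;
  esac
}

# Read colon-format output on stdin; print one line per key packet:
# packet type, algorithm number, capability letters.
key_caps() {
  awk -F: '$1 == "pub" || $1 == "sub" { print $1, $4, $12 }'
}

# Read colon-format output on stdin; exit 0 only if some primary key or subkey
# carries its own signing capability ("s") and is neither expired nor revoked.
has_signing_key() {
  awk -F: '($1 == "pub" || $1 == "sub") && $2 != "e" && $2 != "r" && $12 ~ /s/ { found = 1 }
           END { exit found ? 0 : 1 }'
}

# Demo run on the constructed samples (real use: gpg --list-keys --with-colons KEYID | key_caps).
printf '%s\n' "$SAMPLE_COLONS" | key_caps
if printf '%s\n' "$SAMPLE_COLONS" | has_signing_key; then echo "usable signing key present"; fi
if ! printf '%s\n' "$SAMPLE_EXPIRED" | has_signing_key; then echo "no usable signing key (expired)"; fi
```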
SbK users now have to make a choice.
- Do nothing. You will lose access to the themes, wallpapers, and icons. The old repository will exist for at least a few years to prevent errors.
- Enable the new repository and add the new key. While you are adding the new section to pacman.conf, delete the old one.
- Remove the old SbK repository from pacman.conf and only use the Manjaro repository.
The path forward for the project is that all future releases will have the new repository enabled and all future ISOs will be signed with the new key. Work on spinsbykilz.com has already started to document the changes.
Thanks for reading. As always questions and comments are welcome.