reachableceo
efc497efd6
M-09: SOURCE_DATE_EPOCH set at build start, BUILD-INFO.txt written with build metadata for reproducibility verification. M-10: GPG signing of ISO and SHA256 checksum. Uses persistent key at config/gpg-keys/signing.key if available, otherwise generates ephemeral key per build and exports pubkey alongside artifacts. M-11: Docker base image digest-pinned to sha256:1d3c8111... preventing supply chain tampering with the build environment. H-09: Build cache integrity verification via SHA256 manifest. On cache save, records checksums of all cached files. On restore, verifies each file. Corrupted cache triggers fresh download instead of silent use. Dockerfile: Added sbsigntool, shim-signed, systemd-boot-efi, gpg with version pins for Secure Boot and signing support in build container. Reference: DeepReport-2026-05-08.md findings M-09, M-10, M-11, H-09 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2.8 KiB
2.8 KiB