- build-iso.yml: on tag push (v*.*.*), split ISO into 1.9G parts, GPG-sign
the sha256 with GPG_PRIVATE_KEY secret, and auto-create release with
softprops/action-gh-release@v2 attaching part files + sig + reassembly
instructions. Falls back to legacy release.published path.
- build-iso.yml: optional EFI Secure Boot signing step. If MOK_PRIVATE_KEY
+ MOK_CERT secrets are present, sbsign each .efi inside the ISO and
repack with xorriso; otherwise warn and ship unsigned. Refresh sha256.
- release-checksums.yml: new PR-time gate. Validates source + generated
CI kickstart, shellchecks scripts, parses every workflow YAML, and
asserts the split size stays under GitHub's 2 GiB asset cap.
- scripts/gen-mok-key.sh: idempotent MOK keypair generator (RSA-4096,
10y), outputs to gitignored build/keys/. Header documents mokutil
enrollment and gh secret upload. exec bit set in index.
- .gitignore: add build/keys/, *.priv, *.der.
User must add GitHub secrets before the next tagged release:
  GPG_PRIVATE_KEY — armored private key for sha256 signing
  MOK_PRIVATE_KEY — sbsign EFI signing key (PEM)
  MOK_CERT — public cert (DER) for sbsign + mokutil enrollment
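The split / sha256 manifest / size-gate flow described in the build-iso.yml and release-checksums.yml entries above, as an added POSIX sh example; this is not the repository's workflow code. Assumptions: the part size is expressed in bytes (1900 MiB, standing in for the "1.9G" above, since split -b takes an integer count), parts are named <image>.part-aa, .part-ab, ..., and the GPG detach-sign of the manifest is left out so the script runs without a key. Only coreutils (split, sha256sum, cat, cmp, wc) are needed.

```shell
#!/bin/sh
# Added example (not the project's build-iso.yml / release-checksums.yml):
# split a release image into parts under the GitHub per-asset cap, write a
# sha256 manifest covering the whole image and every part, gate on part
# size, and verify that the parts reassemble byte-for-byte.
set -eu

# GitHub's documented cap on a single release asset is 2 GiB.
GITHUB_ASSET_CAP=$((2 * 1024 * 1024 * 1024))
# The workflow uses 1.9G parts; expressed here in bytes (assumed value).
DEFAULT_PART_BYTES=$((1900 * 1024 * 1024))

# split_size_under_cap PART_BYTES CAP_BYTES
# The PR-time gate: the configured part size must stay strictly under the cap.
split_size_under_cap() {
    [ "$1" -lt "$2" ]
}

# split_image IMAGE PART_BYTES OUTDIR
# Writes OUTDIR/<name>.part-aa, .part-ab, ... and OUTDIR/<name>.sha256.
# The manifest lists the whole image first, then each part, with bare file
# names so 'sha256sum -c' works from inside OUTDIR after download.
# Prints the manifest path.
split_image() {
    image=$1; part_bytes=$2; outdir=$3
    name=$(basename "$image")
    mkdir -p "$outdir"
    split -b "$part_bytes" "$image" "$outdir/$name.part-"
    ( cd "$(dirname "$image")" && sha256sum "$name" ) > "$outdir/$name.sha256"
    ( cd "$outdir" && sha256sum "$name".part-* ) >> "$outdir/$name.sha256"
    printf '%s\n' "$outdir/$name.sha256"
}

# parts_under_cap OUTDIR NAME CAP_BYTES
# Returns 0 when every part is strictly smaller than CAP_BYTES, 1 otherwise;
# a part that reaches the cap would be rejected at upload time.
parts_under_cap() {
    outdir=$1; name=$2; cap=$3
    status=0
    for part in "$outdir/$name".part-*; do
        bytes=$(wc -c < "$part" | tr -d ' ')
        if [ "$bytes" -ge "$cap" ]; then
            printf 'part %s is %s bytes, not under cap %s\n' "$part" "$bytes" "$cap" >&2
            status=1
        fi
    done
    return $status
}

# reassemble_and_verify OUTDIR NAME
# The reassembly instructions shipped with a release boil down to:
#   cat NAME.part-* > NAME && sha256sum -c NAME.sha256
# Returns 0 when the concatenation and all parts match the manifest.
reassemble_and_verify() {
    outdir=$1; name=$2
    ( cd "$outdir" && cat "$name".part-* > "$name" \
        && sha256sum -c "$name.sha256" > /dev/null )
}

# Usage: sh split-release.sh path/to/image.iso [outdir]
if [ $# -gt 0 ]; then
    split_size_under_cap "$DEFAULT_PART_BYTES" "$GITHUB_ASSET_CAP"
    outdir=${2:-dist}
    manifest=$(split_image "$1" "$DEFAULT_PART_BYTES" "$outdir")
    parts_under_cap "$outdir" "$(basename "$1")" "$GITHUB_ASSET_CAP"
    echo "wrote $manifest"
fi
```

Signing would follow as a separate step on the manifest file (a detached signature over <name>.sha256), which keeps the part files themselves unchanged and lets a downloader verify the signature once rather than per part.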
- kde-theme-apply.sh: search /etc/os-release.d/veilor (where overlay
put it) before falling back to $REPO/overlay path. Rewire symlinks
cleanly: /etc/os-release → ../usr/lib/os-release.
- Kickstart: useradd admin in chroot %post since livecd-creator skips
the `user` directive (no installer phase). Blank pw + expired = forced
reset at first login, same as before.
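An idempotent MOK keypair generator of the kind the scripts/gen-mok-key.sh entry above describes (RSA-4096, ten-year validity, private key plus DER certificate for sbsign and mokutil), as an added example; this is not the repository's script. File names (MOK.priv, MOK.pem, MOK.der), the subject CN and the key directory argument are assumptions; it needs openssl and nothing else.

```shell
#!/bin/sh
# Added example (not the project's scripts/gen-mok-key.sh): generate a
# Machine Owner Key for EFI Secure Boot signing, only if one is not already
# present, so the script is safe to rerun.
#   MOK.priv  PEM private key, fed to sbsign (keep out of git; 0600)
#   MOK.pem   PEM certificate
#   MOK.der   DER certificate, the form 'mokutil --import MOK.der' expects
set -eu

# gen_mok_key KEYDIR [BITS] [DAYS] [CN]
# Returns 0 whether or not anything was generated.
gen_mok_key() {
    keydir=$1; bits=${2:-4096}; days=${3:-3650}
    cn="${4:-Veilor Secure Boot MOK}"   # assumed subject name
    if [ -s "$keydir/MOK.priv" ] && [ -s "$keydir/MOK.der" ]; then
        echo "MOK already present in $keydir; nothing to do" >&2
        return 0
    fi
    mkdir -p "$keydir"
    old_umask=$(umask)
    umask 077   # private key must never be group/world readable
    # One self-signed X.509 cert + RSA key. -nodes: no passphrase, because CI
    # hands the key to sbsign from a secret rather than interactively.
    openssl req -new -x509 -newkey "rsa:$bits" -nodes -days "$days" \
        -subj "/CN=$cn/" -keyout "$keydir/MOK.priv" -out "$keydir/MOK.pem" \
        2>/dev/null
    umask "$old_umask"
    # Enrollment tooling wants the certificate in DER form.
    openssl x509 -in "$keydir/MOK.pem" -outform DER -out "$keydir/MOK.der"
    chmod 0644 "$keydir/MOK.pem" "$keydir/MOK.der"
}

# mok_key_bits KEYDIR
# Prints the RSA key size recorded in MOK.der; parsing the DER file also
# confirms the conversion produced a valid certificate.
mok_key_bits() {
    openssl x509 -inform DER -in "$1/MOK.der" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Usage: sh gen-mok-key.sh build/keys
if [ $# -gt 0 ]; then
    gen_mok_key "$1"
    echo "MOK in $1 ($(mok_key_bits "$1")-bit RSA)"
fi
```

The existence check runs before mkdir and before any openssl call, so a second run in CI or on a developer machine cannot silently replace a key that has already been enrolled on user machines; rotating the key is a deliberate step (delete the files, regenerate, re-enroll), not a side effect of rerunning the script.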