From 82c63bc4c417e709ad82f118660c93f0e84665d5 Mon Sep 17 00:00:00 2001
From: Breadway <plasticbread849@gmail.com>
Date: Sat, 13 Jun 2026 23:34:51 +0800
Subject: [PATCH] Set [breadway] SigLevel=Never (Forgejo db key unavailable to
 pacman)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 iso/pacman.conf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/iso/pacman.conf b/iso/pacman.conf
index 04dbb8a..90e4517 100644
--- a/iso/pacman.conf
+++ b/iso/pacman.conf
@@ -33,11 +33,12 @@ Include = /etc/pacman.d/mirrorlist
 # Packages are published to the Forgejo Arch registry (group "os") by the
 # .forgejo/workflows/package.yml workflow in each repo, on tag push.
 #
-# TODO: packages are currently unsigned (TrustAll). For production, sign
-# them in CI with a GPG key and switch to SigLevel = Required.
+# Forgejo signs the repo db with a key pacman can't look up, so TrustAll
+# fails. SigLevel = Never skips verification (acceptable for this private
+# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "<section>.db" from Server.
 [Breadway.os.git.breadway.dev]
-SigLevel = Optional TrustAll
+SigLevel = Never
 Server = https://git.breadway.dev/api/packages/Breadway/arch/os/$arch