diff --git a/iso/pacman.conf b/iso/pacman.conf
index 04dbb8a..90e4517 100644
--- a/iso/pacman.conf
+++ b/iso/pacman.conf
@@ -33,11 +33,12 @@ Include = /etc/pacman.d/mirrorlist
 # Packages are published to the Forgejo Arch registry (group "os") by the
 # .forgejo/workflows/package.yml workflow in each repo, on tag push.
 #
-# TODO: packages are currently unsigned (TrustAll). For production, sign
-# them in CI with a GPG key and switch to SigLevel = Required.
+# Forgejo signs the repo db with a key pacman can't look up, so TrustAll
+# fails. SigLevel = Never skips verification (acceptable for this private
+# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "
.db" from Server.
 [Breadway.os.git.breadway.dev]
-SigLevel = Optional TrustAll
+SigLevel = Never
 Server = https://git.breadway.dev/api/packages/Breadway/arch/os/$arch
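Review bot: `SigLevel = Never` on `[Breadway.os.git.breadway.dev]` disables signature checks for both the repo database and every package from it, so whatever the registry serves is installed into the ISO without any check on who produced it. TLS authenticates the server and protects the transfer, but it does not cover a leaked publish token, a compromised CI job or a tampered registry, so "acceptable for this private repo over TLS" understates the exposure. Since the new comment says Forgejo already signs the db, the TODO is mostly a keyring step: add the registry's public key to the keyring this build uses (`pacman-key --add KEYFILE` followed by `pacman-key --lsign-key KEYID`, both placeholders) and set `SigLevel = Required`. Until that lands, I would reword the comment to state the risk, e.g. `# WARNING: signatures are not verified for this repo; integrity rests on TLS and registry access control only.` Whether this file is also copied into the installed system is not visible in the hunk; if it is, the setting would persist past the build.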