From 5b87e64034c8c8ffcc0c136e96f7bda983454535 Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Wed, 7 Jan 2026 14:18:59 +0100 Subject: [PATCH] changelog: Mention OEM sysext signing changes Update the changelog entry to include information about OEM sysexts being signed and built during the image phase. Signed-off-by: Daniel Zatovic --- changelog/changes/2025-11-05-signed-os-dependent-sysexts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md b/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md index 196b9266b1..3de3637f9c 100644 --- a/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md +++ b/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md @@ -1 +1 @@ -- OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). ([scripts#3162](https://github.com/flatcar/scripts/pull/3162)) +- OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar, podman, zfs, nvidia) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). OEM sysexts (e.g., oem-azure, oem-gce) are now also signed and built during the image phase to ensure consistent signing with the same ephemeral key. ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))
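
Review bot: In the added last sentence of the `+` line, "the same ephemeral key" has no antecedent. Nothing earlier in the entry mentions an ephemeral key, so a reader cannot tell which key is meant or what it is the same as. Consider naming it, for example "signed with the same ephemeral key as the OS-dependent sysexts of that image build", if that is the intent. The entry also now packs three separate changes into one bullet: dm-verity signing, the squashfs to erofs DDI format change, and OEM sysexts moving to the image phase. Splitting the OEM sentence into its own bullet would make it easier to find for users who only care about oem-azure or oem-gce. Minor style point in the extended example list: docker-flatcar and containerd-flatcar are written with their suffix while podman, zfs and nvidia are not, so it is worth checking that these are the names users actually see for those sysexts.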