changelog: Add entry for signed OS-dependent sysexts

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
2025-12-22 09:42:25 +01:00 · 2025-11-05 19:10:48 +01:00 · 2025-11-05 19:10:48 +01:00 · f7a2e240ee
commit f7a2e240ee
parent 2eb0997167
1 changed files with 1 additions and 0 deletions
--- a/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md
+++ b/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md
@ -0,0 +1 @@
+- OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))
				`@ -0,0 +1 @@`
				`- OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))`