From f7a2e240ee63e3735cf9ce5b154a94d6be93aa9d Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Wed, 5 Nov 2025 19:10:48 +0100 Subject: [PATCH] changelog: Add entry for signed OS-dependent sysexts Signed-off-by: Daniel Zatovic --- changelog/changes/2025-11-05-signed-os-dependent-sysexts.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/changes/2025-11-05-signed-os-dependent-sysexts.md diff --git a/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md b/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md new file mode 100644 index 0000000000..196b9266b1 --- /dev/null +++ b/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md @@ -0,0 +1 @@ +- OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))
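Review bot: The added changelog line puts the format change ("The format changed from squashfs to erofs-based Discoverable Disk Images (DDI)") in the last sentence of an entry that is otherwise about signing. A change of image format is the part most likely to affect anyone who handles these sysexts with their own tooling, so it should be its own bullet or lead the entry. The entry also does not say whether verification is enforced by default: "This enables stricter sysext policies via systemd-sysext" reads as opt-in. If that is the case, say so plainly and name the policy setting or link to its documentation, so readers do not assume the signatures are already being checked on their hosts. Likewise, "verifying user-provided extensions in future releases" implies that user-provided sysexts are not covered in this release. Stating that scope explicitly (only the OS-dependent sysexts such as docker-flatcar and containerd-flatcar are signed) would avoid a false sense of coverage.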