From 28becbfc03f626c108584b5f23a2cba5d134eac3 Mon Sep 17 00:00:00 2001
From: Anton Hvornum <torxed@archlinux.org>
Date: Wed, 6 Dec 2023 22:48:46 +0100
Subject: Ensured the correct CA key and CA certificate is used during signing
 process. It's been working based on default assumptions from the openssl
 configuration, but it's worth being explicit when doing these operations.
 Also removed a redundant -sha256

---
 .gitlab/ci/build_archiso.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitlab/ci/build_archiso.sh b/.gitlab/ci/build_archiso.sh
index d11d1fc..eec8d75 100755
--- a/.gitlab/ci/build_archiso.sh
+++ b/.gitlab/ci/build_archiso.sh
@@ -241,7 +241,6 @@ create_ephemeral_codesigning_keys() {
     # Create the Certificate Authority
     openssl req \
         -newkey rsa:4096 \
-        -sha256 \
         -nodes \
         -x509 \
         -new \
@@ -280,6 +279,8 @@ EOF
         -days 2 \
         -notext \
         -md sha256 \
+        -keyfile "${ca_key}" \
+        -cert "${ca_cert}" \
         -in "${codesigning_cert}.csr" \
         -out "${codesigning_cert}"
 
-- 
cgit v1.2.3-54-g00ecf