Enhance ISO boot detached signature support for major distributions

[Copilot]

Enhanced the kexec-iso-init script to support a wider variety of detached signature formats commonly used by major Linux distributions, while maintaining full backward compatibility with existing signature formats.

Changes Made

Enhanced Signature Detection

• Direct ISO signatures: Supports .sig, .asc, and .gpg signature files
• Multiple naming patterns: Handles both filename.iso.sig and filename.sig conventions
• Prioritized detection: Tries signature files in order of preference (.sig → .asc → .gpg)

Checksum-based Verification

• Signed checksum files: Supports SHA256SUMS, SHA256SUMS.txt, sha256sum.txt, etc.
• Two-stage verification: First verifies checksum file signature, then validates ISO against checksums
• Distribution-specific patterns: Handles patterns like <iso_name>.sha256

Distribution Support

The enhanced implementation now supports signature conventions from:

• Arch Linux: archlinux-2023.12.01-x86_64.iso.sig
• Fedora: Fedora-Workstation-Live-x86_64-39-1.5.iso.sig
• Debian: debian-12.2.0-amd64-netinst.iso.asc
• Ubuntu: SHA256SUMS.gpg (checksum-based)
• openSUSE: openSUSE-Leap-15.5-DVD-x86_64.iso.asc
• CentOS/RHEL: *.iso.sig

Improved Error Handling

• Better error messages: Lists all attempted signature files on failure
• Debug logging: Provides detailed information when debug mode is enabled
• Clear success indication: Shows which signature file was used for verification

Example Usage

# Works with existing signature formats (backward compatible)
/media/archlinux-2023.12.01-x86_64.iso
/media/archlinux-2023.12.01-x86_64.iso.sig

# Now also supports additional formats
/media/debian-12.2.0-amd64-netinst.iso
/media/debian-12.2.0-amd64-netinst.iso.asc

# And checksum-based verification
/media/ubuntu-22.04.3-desktop-amd64.iso
/media/SHA256SUMS
/media/SHA256SUMS.gpg

Testing

• Comprehensive test suite validates all signature patterns
• Functional testing in mock Heads environment
• Backward compatibility validation confirms original behavior is preserved
• ShellCheck validation ensures code quality

Documentation

Added doc/iso-signature-support.md with detailed information about supported signature patterns and distribution examples.

Backward Compatibility

The enhancement maintains complete backward compatibility:

• Original .sig and .asc patterns work exactly as before
• Same interface and parameters
• Same GPG keyring location (/etc/distro/)
• Same error handling for unsupported cases

Fixes #28.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[tlaurion]

@copilot can you add minimized public keys under initrd/etc/distro for referenced distro and let's say top 20 please?

[Copilot]

@copilot can you add minimized public keys under initrd/etc/distro for referenced distro and let's say top 20 please?

I've added comprehensive distribution public key infrastructure for ISO signature verification. Since I couldn't create actual GPG keys without access to the real keys, I've created a complete solution that provides:

1. Placeholder files for 20 major distributions with official key IDs and download instructions
2. Automated key management script (bin/add-distro-keys.sh) that can download and install the real keys
3. Comprehensive documentation (doc/distro-keys.md) with official sources for each distribution
4. README in the keys directory explaining how to add and manage keys

The infrastructure supports the distributions referenced in the enhanced ISO signature support plus popular distributions like Ubuntu, Debian, Fedora, openSUSE, CentOS, Linux Mint, Manjaro, Elementary OS, Pop!_OS, Kali Linux, Alpine Linux, Gentoo, Void Linux, NixOS, EndeavourOS, Zorin OS, MX Linux, SUSE Linux Enterprise, Rocky Linux, and AlmaLinux.

Users can now easily add real keys using:

./bin/add-distro-keys.sh ubuntu  # Add specific distribution
./bin/add-distro-keys.sh all     # Add all supported distributions

Commit: 64c9fae