Adding a devel certificate that is deployed (but not enabled) on all LXA TAC images makes it easier for newcomers to build and install their first custom bundle.
The install-time detection of which certificates to trust is required for our planned release channels for official bundles:
First the bundles are built and signed with the rauc-devel.key.pem key and tested on hardware.
If the tests are passed the existing bundle will be automatically re-signed with the nightly release key.
If a new stable release is to be released an existing nightly bundle that has been manually tested is manually re-signed with the stable release key.
All of these bundles are deployed with the same /etc/rauc/certificates-* but a stable bundle should only be able to install other stable bundles, so we need to detect the release channel the bundle belongs to at install-time.
Adding a devel certificate that is deployed (but not enabled) on all LXA TAC images makes it easier for newcomers to build and install their first custom bundle.
The install-time detection of which certificates to trust is required for our planned release channels for official bundles:
First the bundles are built and signed with the
rauc-devel.key.pem
key and tested on hardware. If the tests are passed the existing bundle will be automatically re-signed with the nightly release key. If a new stable release is to be released an existing nightly bundle that has been manually tested is manually re-signed with the stable release key.All of these bundles are deployed with the same
/etc/rauc/certificates-*
but a stable bundle should only be able to install other stable bundles, so we need to detect the release channel the bundle belongs to at install-time.