From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id D138B8078;
	Wed, 29 Oct 2025 10:14:31 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id 31F1F7FFE; Wed, 29 Oct 2025 10:14:28 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,
	SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com
 [IPv6:2607:f8b0:4864:20::112b])
	by atuin.qyliss.net (Postfix) with ESMTPS id 1B5C08041
	for <devel@spectrum-os.org>; Wed, 29 Oct 2025 10:14:26 +0000 (UTC)
Received: by mail-yw1-x112b.google.com with SMTP id
 00721157ae682-7847f4265e3so74429567b3.3
        for <devel@spectrum-os.org>; Wed, 29 Oct 2025 03:14:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1761732865; x=1762337665;
 darn=spectrum-os.org;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=YNqvesRtHF2b/B63arlTHlRhl783H47XRyNRkLi1E/M=;
        b=RM87kBOwunFBsag8DOuUbwiAmcH5yDO/1Jh9LmKwIA9hOmxQXPTOJxOgtPun3dF4Ep
         wx45hzBx06QqdOWqQ/GLhr5e4dvLakKTGEtoAzgs25h8gVljmzp28yFG4H31DmUB3hvN
         US+9Y1WoVNkj0W4mMJOeAd49D+Q76Z7FdUm710IWw18PAZ4FmtA4O7+sDRtbylB+qFPK
         A77NJwz2lfZiN+JNq3hTdj2VCkE2CQ8H/EAgYiWNZy9VwrGd7tRnoTUE2FtJdEzp+x0C
         0e0J4uto94b6xhMLYwJFlLNWbweBZaZK8Jy0JAQgafLq5pOlVrKWGIRW+Ca2WojB+rbA
         lS3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761732865; x=1762337665;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=YNqvesRtHF2b/B63arlTHlRhl783H47XRyNRkLi1E/M=;
        b=ghsWQ/rw1XlFzFxJlhScC64wBkv4lwfEIwWIcxxlNTEO0IM+Oo77FhQXZQgodclSD9
         WeDg1M9jZ6TZEtW7mK6sOtFYaqmXFKXeEjwoRP209KZMi7Px3Qh0ENdCU78c2x7K4+1/
         /IoyElCN9BawKzydj621RCiEN24iFBwiuAnniKkvtmP6zK8l9RbooDeyPncbhFYk7pU0
         WsW9rppBx1gliB2NtIu9bjlSVrszf6ZDgXRPEUzcGRiGxfQJ5rBaXfGDXvdZrghAF4QR
         UIg+Q9H0ynYL6iAKb/tEvq4YkhWI4QK5jbWOu3bftm8amjBc7aMZaxFxkPAx3eZ6/zzn
         O/bA==
X-Gm-Message-State: AOJu0YzUGVBIPppValRhwLVdcFm9EdJLbEwSxnAz7/rg5m+NXe7Uz7SB
	17E2v8Zd2HzICu9oZdSvn6+ynk0J7KToc25biSOHG6+4b4EjUmCTAzbSenJfBg==
X-Gm-Gg: ASbGncvWNkEwVGiUpD61qtAZggc1YsqOSAwNX75rS9Dle2yLTN7t+sHNE6TUWOdmWs0
	WZL7vfUd3LLssbTXawW7LvsPB9udQW0mVgyjdjqDuLPvMrWkWiLDBgmwEOxiauAjGcZsjn/Swhi
	tM6x07rrbWp2mW161JCaFzom1pPJE03dkEaHQxDDl8b05o8OvqTAE2eCzZjXU90D5Ao0rOiODpu
	bzKIJ9YlHPj5hCbQQma+BaRv23XMxJMb7SCsSnhAxPA3YHOllKtL54j6ZgN4n4itLRhR/66Fsjz
	SgvkDGY9psqnUxLnWX3FQhPcSfupidULdLcIZHzyXyYyNK0+9iG3iwrW3P2AL1XnjRbvx+2/2zq
	qzGXMYyXlHdI//2aVlZae/9d27P1bPRRDlRLmMv2PpXo/iF0SjHmcg2s4MbgKbX37LO8NGhqcHr
	KxsCvjRIKu9rOIM7XrEx/CcfL0scdU7TBscbJrxBQeVzP02xPJXWZ7sFt3PaEyP1SKmOtMNdUaM
	c/TvwD5LRuIRD2i1uNwxXbI9uuFT3vx2TY=
X-Google-Smtp-Source: 
 AGHT+IFQF+vVYw5qFt4DjvEyzm1VGTFRycsxoSZ1OOyCTF2B6fSzwoAcMVhUo6bcuzA+W7tVD6M7DA==
X-Received: by 2002:a05:690c:a087:20b0:786:2f07:4089 with SMTP id
 00721157ae682-7862f074752mr8249717b3.50.1761732864777;
        Wed, 29 Oct 2025 03:14:24 -0700 (PDT)
Received: from localhost.localdomain
 (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169])
        by smtp.gmail.com with UTF8SMTPSA id
 00721157ae682-7862d713675sm3561467b3.20.2025.10.29.03.14.24
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 29 Oct 2025 03:14:24 -0700 (PDT)
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Wed, 29 Oct 2025 06:12:44 -0400
Subject: [PATCH 5/7] release: add install step
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20251029-updates-v1-5-401c1be2a11b@gmail.com>
References: <20251029-updates-v1-0-401c1be2a11b@gmail.com>
In-Reply-To: <20251029-updates-v1-0-401c1be2a11b@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
X-Mailer: b4 0.14.3
X-Developer-Signature: v=1; a=ed25519-sha256; t=1761732759; l=5969;
 i=demiobenour@gmail.com; s=20250729; h=from:subject:message-id;
 bh=mu9WZsR8WWxPBvRfbGtdeAhWwSqZ2LfAZe2VOoZ/Uv8=;
 b=507LkQvXsgPdDvbk82l5jKrGqFM8nl9tt7HFv5kCdBwJSg07Q+gMIC3nHwfY37K2Dpun05zIx
 63kGQtvkyYICg8+KCRQ0xwoCkUp8r3UuMi8C3Gd/A1n4oIDYgQwacXk
X-Developer-Key: i=demiobenour@gmail.com; a=ed25519;
 pk=X57Q4/YQDj9t4SBeKaDwvXYKB6quZJVx/DE2Ly2out0=
Message-ID-Hash: WW5TXKM6VD6F4NEBYKMDXU6VNNFAD3OT
X-Message-ID-Hash: WW5TXKM6VD6F4NEBYKMDXU6VNNFAD3OT
X-MailFrom: demiobenour@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Demi Marie Obenour <demiobenour@gmail.com>, Alyssa Ross <hi@alyssa.is>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/WW5TXKM6VD6F4NEBYKMDXU6VNNFAD3OT/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

This step provides versioned release artifacts.  Writing a detached
OpenPGP signature of SHA256SUMS to SHA256SUMS.gpg is sufficient to
create a directory usable by systemd-sysupdate.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 host/rootfs/Makefile                   |  4 ++--
 host/rootfs/default.nix                |  6 +++---
 release/checks/integration/default.nix |  2 +-
 release/combined/eosimages.nix         |  2 +-
 release/live/Makefile                  | 14 ++++++++++++++
 release/live/default.nix               |  5 +----
 6 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 84f1b385198ecfa5905b69e4901e56150ea1b424..35adb3d972c1a30705a5b123c65abf837617eb72 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -91,7 +91,7 @@ clean:
 # supports one output per rule, so we combine the two outputs then
 # define two more rules to separate them again.
 build/rootfs.verity: $(dest)
-	$(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \
+	set -euo pipefail; $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \
 	    | awk -F ':[[:blank:]]*' '$$1 == "Root hash" {print $$2; exit}' \
 	    > build/rootfs.verity.roothash.tmp
 	cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp \
@@ -100,7 +100,7 @@ build/rootfs.verity: $(dest)
 build/rootfs.verity.roothash: build/rootfs.verity
 	head -n 1 build/rootfs.verity > $@
 build/rootfs.verity.superblock: build/rootfs.verity
-	tail -n +2 build/rootfs.verity > $@
+	{ read -r && cat; } < build/rootfs.verity > $@
 
 build/live.img: $(LIVE_IMAGE_DEPS) $(dest)
 	../../scripts/make-live-image.sh live $@ $(dest)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index bc364b930b30e00c55b17b5e4248a303392cf3a0..995b9bfd4c53edf9fa060011c128464518d15d6e 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -8,8 +8,8 @@ import ../../lib/call-package.nix (
 }:
 pkgsStatic.callPackage (
 
-{ busybox, cloud-hypervisor, cryptsetup, dbus, erofs-utils, execline
-, inkscape, inotify-tools, iproute2, jq, lib, mdevd, nixos
+{ btrfs-progs, busybox, cloud-hypervisor, cryptsetup, dbus, erofs-utils
+, execline, inkscape, inotify-tools, iproute2, jq, lib, mdevd, nixos
 , runCommand, s6, s6-linux-init, s6-rc, socat, spectrum-host-tools
 , stdenvNoCC, util-linux, virtiofsd, writeClosure
 , xdg-desktop-portal-spectrum-host, xorg
@@ -82,7 +82,7 @@ let
   # Packages that should be fully linked into /usr,
   # (not just their bin/* files).
   usrPackages = [
-    appvm kernel.modules firmware kmod kmod.lib
+    appvm btrfs-progs firmware kernel.modules kmod kmod.lib
     netvm mesa dejavu_fonts systemd util-linux westonLite
   ];
 
diff --git a/release/checks/integration/default.nix b/release/checks/integration/default.nix
index 340fb6e11fed5971caf879d0a8a40baf395a7589..947d9cb8f2a5e1d7e93b6814581d33e342b522fc 100644
--- a/release/checks/integration/default.nix
+++ b/release/checks/integration/default.nix
@@ -86,7 +86,7 @@ stdenv.mkDerivation (finalAttrs: {
   env = {
     QEMU_SYSTEM = "qemu-system-${stdenv.hostPlatform.qemuArch} -nographic";
     EFI_PATH = "${qemu_kvm}/share/qemu/edk2-${stdenv.hostPlatform.qemuArch}-code.fd";
-    IMG_PATH = live;
+    IMG_PATH = "${live}/live.img";
     USER_DATA_PATH = userData;
   };
 
diff --git a/release/combined/eosimages.nix b/release/combined/eosimages.nix
index ba44d9cd82d55d491293ed36cc0402db8ebd3ffe..b168dcf61a74f96fed1d52858c0c3ebfc311873c 100644
--- a/release/combined/eosimages.nix
+++ b/release/combined/eosimages.nix
@@ -7,7 +7,7 @@ import ../../lib/call-package.nix (
 runCommand "eosimages.img" {
   nativeBuildInputs = [ e2fsprogs tar2ext4 ];
   imageName = "Spectrum-0.0-x86_64-generic.0.Live.img";
-  image = callSpectrumPackage ../live {};
+  image = "${callSpectrumPackage ../live {}}/live.img";
   __structuredAttrs = true;
   unsafeDiscardReferences = { out = true; };
   dontFixup = true;
diff --git a/release/live/Makefile b/release/live/Makefile
index 3072d869f13efbf5ea196d191881aeab85726d2e..9aa2488a57ba583ff49f0d95af4f91878a0cd5dd 100644
--- a/release/live/Makefile
+++ b/release/live/Makefile
@@ -30,6 +30,20 @@ build/spectrum.efi: build/rootfs.verity.roothash $(DTBS) $(KERNEL) $(INITRAMFS)
 	    --os-release $$'NAME="Spectrum"\n' \
 	    --cmdline "ro intel_iommu=on x-spectrum-roothash=$$roothash x-spectrum-version=$$VERSION"
 
+install: build/rootfs.verity.superblock $(ROOT_FS) build/spectrum.efi $(dest)
+	set -euo pipefail; \
+	$(READ_ROOTHASH); \
+	mkdir -p -- $(DESTDIR) build; \
+	cp -- build/rootfs.verity.superblock $(DESTDIR)/"Spectrum_OS_$$VERSION.verity"; \
+	cp -- $(ROOT_FS) $(DESTDIR)/"Spectrum_OS_$$VERSION.root"; \
+	cp -- build/spectrum.efi $(DESTDIR)/"Spectrum_OS_$$VERSION.efi"; \
+	cp $(dest) $(DESTDIR)/live.img; \
+	cd $(DESTDIR); \
+	sha256sum live.img \
+	   "Spectrum_OS_$$VERSION.root" \
+	   "Spectrum_OS_$$VERSION.verity" \
+	   "Spectrum_OS_$$VERSION.efi" > SHA256SUMS
+
 build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi
 	$(TRUNCATE) -s 440401920 $@
 	$(MKFS_FAT) $@
diff --git a/release/live/default.nix b/release/live/default.nix
index b5c0c8df31d4c6cb7fdd2337e8169f36655dd1a8..c6dcabd49363e113eb0783ced2a167633a6e19c3 100644
--- a/release/live/default.nix
+++ b/release/live/default.nix
@@ -56,14 +56,11 @@ stdenv.mkDerivation {
     SYSTEMD_BOOT_EFI = "${systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
     EFINAME = "BOOT${toUpper efiArch}.EFI";
     VERSION = import ../../lib/version.nix;
+    DESTDIR = "$(out)";
   } // lib.optionalAttrs stdenv.hostPlatform.linux-kernel.DTB or false {
     DTBS = "${rootfs.kernel}/dtbs";
   };
 
-  buildFlags = [ "dest=$(out)" ];
-
-  dontInstall = true;
-
   enableParallelBuilding = true;
 
   __structuredAttrs = true;

-- 
2.51.2