From 2faf2b088e67bb79d61b5e051a805aed60b85206 Mon Sep 17 00:00:00 2001
From: Craig Jennings <c@cjennings.net>
Date: Mon, 23 Feb 2026 05:48:45 -0600
Subject: fix: change archzfs SigLevel from Optional TrustAll to Never
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Optional TrustAll is misleading — it implies signature checking when
none is actually happening. Use Never to match the installer and be
explicit. Repo is served over HTTPS; GPG adds no value in build env.
---
 build.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/build.sh b/build.sh
index a169cae..8bb7893 100755
--- a/build.sh
+++ b/build.sh
@@ -140,12 +140,14 @@ if [[ -f "$PROFILE_DIR/airootfs/etc/mkinitcpio.d/linux.preset" ]]; then
 fi
 
 # Add archzfs repository to pacman.conf
+# SigLevel=Never: archzfs GPG key import is unreliable in clean build environments;
+# repo is explicitly added and served over HTTPS, GPG adds no real value here
 info "Adding archzfs repository..."
 cat >> "$PROFILE_DIR/pacman.conf" << 'EOF'
 
 [archzfs]
 Server = https://archzfs.com/$repo/$arch
-SigLevel = Optional TrustAll
+SigLevel = Never
 EOF
 
 # Add ZFS and our custom packages
-- 
cgit v1.2.3