{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let signing_key = import ./signing_key.nix {inherit pkgs;}; checked_iso = pkgs.stdenv.mkDerivation { pname = "archlinux-iso"; version = "2024.05.01"; srcs = [ (pkgs.fetchurl { url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig"; hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4="; }) (pkgs.fetchurl { url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso"; hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw="; }) (pkgs.fetchurl { url = "https://archlinux.org/iso/2024.05.01/b2sums.txt"; hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw="; }) ]; dontUnpack = true; nativeBuildInputs = with pkgs; [ sequoia-sq ]; buildPhase = /* bash */ '' cp -r "${signing_key}" ./release-key.pgp for src in $srcs; do cp -r "$src" "$(stripHash "$src")" done sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt # As per the directions from: https://archlinux.org/download/ # blake hash check b2sum -c ./b2sums_clean.txt # pgp signature check sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso ''; installPhase = '' cp archlinux-2024.05.01-x86_64.iso "$out"; ''; }; in pkgs.stdenv.mkDerivation { name = "live_iso_boot_entry"; src = checked_iso; dontUnpack = true; nativeBuildInputs = with pkgs; [ libarchive # for bsdtar ]; buildPhase = '' mkdir iso bsdtar -xf "$src" -C iso ''; installPhase = '' install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img" install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux" install -D "$src" "$out/archlinux.iso" ''; }