Instructions on how to build and update with separate build server

[PhysicsIsAwesome]

Hi,

thank you for this amazing project :). I am excited to see better boot security and other security features being made usable on Linux.

There are instructions to build and apply an update on the same machine it is running on, with mkosi -B -ff sysupdate -- update --reboot. I would like to do building and signing on a different device, for example my own build server or a different VM, to keep keys safe, in case the machine running ParticleOS gets compromised. Which commands do I have to use on the build device and which on the device, where the update shall be applied?

[jcgl17]

As described in the mkosi manpage, the sysupdate function mentioned here is basically just a thin wrapper over systemd-sysupdate (see also sysupdate.d).

As you can see from that documentation, there is a lot of flexibility and power available. While I don't think you're likely to get a step-by-step guide ("which commands do I have to use?") on this stuff that's tailored to ParticleOS, this documentation should be a good start, I believe.