Shyft Arch Linux Repository

Stable (recommended)

https://archlinux.helset.gotdns.org/stable/x86_64/

Production releases.

Staging

https://archlinux.helset.gotdns.org/staging/x86_64/

Pre-release builds for validation.

Trust model

All packages and repository metadata are cryptographically signed. Trust must be established by verifying the signing key fingerprint through a trusted channel.

Expected fingerprint:

CFFE BAE1 B25B AD34 C72A 2565 4A12 4000 37DA B695

User ID:

Sigbjørn Helset <sigbjorn.helset@gmail.com>

Never establish trust based solely on data downloaded from this endpoint. Verify the fingerprint via independent, trusted sources.

Quick setup (Arch Linux)

Commands shown with $ can normally be run as a regular user. Commands prefixed with sudo require administrative privileges. In minimal containers, you may instead be running directly as root.

1. Fetch key

curl -O https://archlinux.helset.gotdns.org/stable/x86_64/shyft-release-key.asc

2. Verify fingerprint

See expected output example below if unsure what to look for.

gpg --import shyft-release-key.asc

gpg --show-keys --with-fingerprint shyft-release-key.asc

3. Add key to pacman keyring

sudo pacman-key --add shyft-release-key.asc
sudo pacman-key --lsign-key 4A12400037DAB695

Local signing marks the verified key as trusted on this system. Only do this after you have verified the fingerprint through a trusted channel.

4. Add repository

Stable (recommended)

sudo tee -a /etc/pacman.conf <<'EOF'

[shyft-stable]
SigLevel = Required DatabaseOptional
Server = https://archlinux.helset.gotdns.org/stable/x86_64
EOF

Staging (optional)

sudo tee -a /etc/pacman.conf <<'EOF'

[shyft-staging]
SigLevel = Required DatabaseOptional
Server = https://archlinux.helset.gotdns.org/staging/x86_64
EOF

5. Refresh package databases

sudo pacman -Sy

6. Install common components

sudo pacman -S shyft-runtime shyft-python shyft-development

This provides a practical starting point with the most common Shyft components.

7. Optional: verify provenance

Stable

curl -O https://archlinux.helset.gotdns.org/stable/x86_64/PROVENANCE.txt
curl -O https://archlinux.helset.gotdns.org/stable/x86_64/PROVENANCE.txt.asc
gpg --verify PROVENANCE.txt.asc PROVENANCE.txt

Staging

curl -O https://archlinux.helset.gotdns.org/staging/x86_64/PROVENANCE.txt
curl -O https://archlinux.helset.gotdns.org/staging/x86_64/PROVENANCE.txt.asc
gpg --verify PROVENANCE.txt.asc PROVENANCE.txt

Review the signed provenance file together with package signatures and repository metadata as part of your supply-chain validation.

When verifying signatures with gpg --verify, you may see warnings such as:

WARNING: This key is not certified with a trusted signature
There is no indication that the signature belongs to the owner

This is expected when the key is not part of your personal Web-of-Trust.

In personal or small deployments, it is acceptable to rely on fingerprint verification alone.
In corporate environments, the signing key is typically pre-distributed and trusted, so these warnings do not appear.
If desired, you may locally sign the key using gpg --lsign-key after verifying the fingerprint.

The critical requirement is that the fingerprint matches a trusted source.

Expected output examples

After importing the key and checking the fingerprint, output similar to this is expected:

$ gpg --show-keys --with-fingerprint shyft-release-key.asc
pub   ed25519 2026-04-03 [C] [expires: 2031-04-02]
      CFFE BAE1 B25B AD34 C72A  2565 4A12 4000 37DA B695
uid                      Sigbjørn Helset <sigbjorn.helset@gmail.com>
sub   ed25519 2026-04-03 [S] [expires: 2031-04-02]

When verifying the signed provenance file, output similar to this is expected:

$ gpg --verify PROVENANCE.txt.asc PROVENANCE.txt
gpg: Signature made Mon Apr 6 20:32:23 2026 UTC
gpg:                using EDDSA key A0AF2BD11681F281CED2324CBD8CB4F65431F486
gpg: Good signature from "Sigbjørn Helset <sigbjorn.helset@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CFFE BAE1 B25B AD34 C72A  2565 4A12 4000 37DA B695
     Subkey fingerprint: A0AF 2BD1 1681 F281 CED2  324C BD8C B4F6 5431 F486

The important parts are:

Good signature
the expected primary key fingerprint
the expected user ID

8. Optional: install debug packages

sudo pacman -S shyft-runtime-debug shyft-python-debug

These packages are useful in professional support environments for coredump analysis, debugging, and improved error reporting.

High-assurance setup (recommended for controlled environments)

Verify fingerprint on a separate trusted system
Transfer key via secure channel (USB / offline media)
Download and verify the signed PROVENANCE.txt file
Add and locally sign the key only after verification
Enable repository

For regulated or audited environments, treat repository bootstrap as a controlled trust-establishment process.

Repository contents

Signed package archives
Repository database files
shyft-release-key.asc
PROVENANCE.txt
PROVENANCE.txt.asc

Verify package signatures, repository metadata, and the signed provenance document as part of your supply-chain validation.

Notes

Use stable for normal operation
Use staging for validation and pre-release testing
Keys may rotate — always verify against official documentation