1
0
mirror of https://github.com/home-assistant/operating-system.git synced 2026-07-06 22:45:05 +01:00

3076 Commits

Author SHA1 Message Date
dependabot[bot] 6c4435b780 Bump docker/setup-buildx-action from 4.1.0 to 4.2.0 (#4873)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5...bb05f3f5519dd87d3ba754cc423b652a5edd6d2c)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-06 15:29:14 +02:00
dependabot[bot] 0996c348ce Bump docker/login-action from 4.2.0 to 4.4.0 (#4872)
Bumps [docker/login-action](https://github.com/docker/login-action) from 4.2.0 to 4.4.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/650006c6eb7dba73a995cc03b0b2d7f5ca915bee...af1e73f918a031802d376d3c8bbc3fe56130a9b0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-06 15:23:51 +02:00
dependabot[bot] c0f3d98341 Bump docker/build-push-action from 7.2.0 to 7.3.0 (#4871)
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.2.0 to 7.3.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/f9f3042f7e2789586610d6e8b85c8f03e5195baf...53b7df96c91f9c12dcc8a07bcb9ccacbed38856a)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-06 15:23:36 +02:00
Mark Hansen 7393a256df Enable CONFIG_FEATURE_VERBOSE_USAGE in busybox (#4853)
Following on from enabling CONFIG_SHOW_USAGE=y.

Rationale: make it easier to debug the host OS.

Size increase of libbusybox.so: +32 KB over CONFIG_SHOW_USAGE=y
baseline.

We could enable COMPRESS_USAGE to bring it down to +8KB over
CONFIG_SHOW_USAGE=y baseline, but I'm not sure it's worth optimizing?
If we want to compress, it's probably fine: just a slight CPU hit when
asking for CPU usage, which is probably fine for interactive use.
2026-07-06 12:19:32 +02:00
Mark Hansen 9fee5296e4 Enable CONFIG_WHICH in busybox (#4855)
This lets us run `which`

I've found myself wanting this a bunch while trying to figure out, well,
which binary I'm running. I can walk $PATH myself, but it's no fun.

libbusybox.so size impact: +0 bytes (that is, it's less than the
4KB-padded text section we already have).
2026-07-02 14:11:01 +02:00
Mark Hansen 04c8ba556b Enable CONFIG_FEATURE_FANCY_PING in busybox (#4854)
Ping is a foundational tool for network debugging, and with so many
network integrations in Home Assistant, we deserve a fancy ping.

This enables flags like `-c` count ping and packet loss statistics.
Nothing totally groundbreaking, but it enables more detailed debugging.

Without fancy ping, you get very limited flags, that just do one ping
per invocation.

```
# ping 127.0.0.1
127.0.0.1 is alive!
# ping --help
BusyBox v1.37.0 (2026-07-01 07:04:23 UTC) multi-call binary.

Usage: ping HOST
```
2026-07-02 14:10:39 +02:00
Stefan Agner 46849300e9 Bump OS to development version 18.2.dev0 2026-07-01 08:34:37 +02:00
Stefan Agner 8f4b826614 Merge branch 'main' into dev 2026-07-01 08:33:36 +02:00
Stefan Agner 0d5c9af4d8 Bump OS to release version 18.1 18.1 2026-06-30 19:45:49 +02:00
Stefan Agner eb0488b72e Bump OS to pre-release version 18.1.rc1 18.1.rc1 2026-06-29 21:23:24 +02:00
dependabot[bot] 534eb46744 Bump actions/cache/save from 5.0.5 to 6.1.0 (#4841)
Bumps [actions/cache/save](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/27d5ce7f107fe9357f9df03efb73ab90386fccae...55cc8345863c7cc4c66a329aec7e433d2d1c52a9)

---
updated-dependencies:
- dependency-name: actions/cache/save
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-29 15:41:57 +02:00
dependabot[bot] 3473f2c6f1 Bump actions/setup-python from 6.2.0 to 6.3.0 (#4840)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/a309ff8b426b58ec0e2a45f0f869d46889d02405...ece7cb06caefa5fff74198d8649806c4678c61a1)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-29 15:41:49 +02:00
dependabot[bot] b7311d34d2 Bump release-drafter/release-drafter from 7.4.0 to 7.5.1 (#4839)
Bumps [release-drafter/release-drafter](https://github.com/release-drafter/release-drafter) from 7.4.0 to 7.5.1.
- [Release notes](https://github.com/release-drafter/release-drafter/releases)
- [Commits](https://github.com/release-drafter/release-drafter/compare/ed4bc48ec97379be2258e7b7ac2624a3e26ab809...4d75298e00d9e34c483e5ff8c68d0ea1c1940c1e)

---
updated-dependencies:
- dependency-name: release-drafter/release-drafter
  dependency-version: 7.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-29 15:41:27 +02:00
dependabot[bot] 3e3df3968f Bump actions/cache/restore from 5.0.5 to 6.1.0 (#4838)
Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/27d5ce7f107fe9357f9df03efb73ab90386fccae...55cc8345863c7cc4c66a329aec7e433d2d1c52a9)

---
updated-dependencies:
- dependency-name: actions/cache/restore
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-29 15:41:16 +02:00
Stefan Agner c6d58ef6f2 Add Intel BZ and SC WiFi firmware (#4837)
Add firmware for the Intel Wi-Fi 7 BZ family (e.g. BE201, used in Arrow
Lake systems) and the Intel SC chip (Panther Lake). Both detect but fail
to probe without their respective iwlwifi-bz-*/iwlwifi-sc-* firmware.

* buildroot fe7b14c878...c1438cf214 (2):
  > package/linux-firmware: add Intel BZ WiFi firmware
  > package/linux-firmware: add Intel SC WiFi firmware

Closes #4829
Closes #4826
2026-06-29 15:40:02 +02:00
Stefan Agner 881ef6df26 Enable CONFIG_BT_INTEL_PCIE for Intel PCIe Bluetooth (#4834)
* Enable CONFIG_BT_INTEL_PCIE for Intel PCIe Bluetooth

Starting with Meteor Lake and continuing through Lunar Lake and Panther
Lake, Intel integrates the Bluetooth controller as a native PCIe endpoint
rather than behind the internal USB hub. These chips (e.g. Scorpius Peak
on Panther Lake, PCI 8086:e476) require the btintel_pcie transport driver,
which was not built so far.

The Kconfig dependencies (PCI, ACPI, BT_INTEL, FW_LOADER) and the
linux-firmware ibt-* files are already present, so enabling the module is
sufficient to bind these controllers.

Closes #4827

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Rewording of comment

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-29 14:28:37 +02:00
Stefan Agner 2365e3aa2b Linux: Update kernel to 6.18.37 (#4833)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.18.37
2026-06-29 14:24:21 +02:00
Stefan Agner b704298aa6 ODROID-N2: Fall back to other slot when a kernel fails to load (#4832)
The boot script only persisted the decremented boot-attempt counter
(storebootstate) when a kernel was successfully loaded. When *neither*
slot's kernel could be loaded, it instead reset both counters back to 3
and rebooted - pinning them and looping forever without ever counting
down or falling back. A failed kernel load therefore never consumed an
attempt, defeating the A/B rollback safety net (#4788).

Persist the (decremented) counters on a failed load too, and only re-arm
them once both slots are actually exhausted instead of on every failure.
Repeated load failures now count down and we fall back to the other slot.

Note: this does not address the underlying eMMC read unreliability seen
on some N2 units (kernel/boot.scr loads failing in U-Boot); it makes the
slot-fallback logic behave correctly when a load does fail.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 14:20:01 +02:00
Stefan Agner 02402bdc5f busybox: Disable seedrng applet (#4836)
The seedrng applet got pulled in by an oldconfig default when busybox was
bumped to 1.37.0; it was never a deliberate choice. RNG seeding on HAOS is
already handled by systemd's systemd-random-seed.service, which runs the
native systemd-random-seed binary directly (it does not invoke the seedrng
command). The applet is therefore redundant and orphaned - nothing in the
image references it - so disable it.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 14:19:48 +02:00
Stefan Agner 24d5ab89db busybox: Drop unused netstat applet (#4835)
The netstat applet is not used anywhere within HAOS and is superseded by
ss from iproute2, which is shipped on all boards and is the modern,
preferred equivalent (e.g. ss -tulpn replaces netstat -tulpn).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 14:09:28 +02:00
Mark Hansen ad21f91653 Add usage to busybox utils (#4831)
This costs a few KB, but is invaluable when debugging host problems,
otherwise busybox just exits failure on any argument it doesn't
understand.

Fixes #4830
2026-06-29 14:06:28 +02:00
Stefan Agner b080fea947 Remove timeout from data partition resize service (#4821)
The haos-expand.service ("HAOS data resizing") is a Type=oneshot unit
without an explicit timeout, so it inherited systemd's
DefaultTimeoutStartSec (90s). On slow or previously used disks the data
partition resize can take longer than that, causing the service to be
killed and mnt-data.mount to fail with "Dependency failed for HAOS data
resizing", leaving the system unusable.

Aborting the resize serves no purpose: if it fails the installation is
broken anyway. Set TimeoutStartSec=infinity so the resize runs for as
long as it needs instead of failing the boot.

Fixes #3365

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-26 16:45:13 +02:00
Stefan Agner eb03e31cfc Enable Intel NPU driver (ivpu) for x86-64 boards (#4816)
Enable CONFIG_DRM_ACCEL_IVPU on the generic-x86-64 and OVA boards so the
Intel NPU (Neural Processing Unit) found on Core Ultra CPUs (Meteor Lake
and later, including Panther Lake) is exposed as /dev/accel/accel0. This
lets add-ons such as Frigate use OpenVINO with hardware-accelerated
inference on the NPU.

Also select the Intel NPU firmware (intel/vpu/vpu_*.bin), which already
ships in linux-firmware 20260410 including the Panther Lake (vpu_50xx)
blob.

The driver is x86_64-only, so it is added to the per-board configs rather
than the shared device-support-pci.config which is also used by aarch64
boards.

Fixes #4783

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 16:45:05 +02:00
Stefan Agner 5d42a5a487 RaspberryPi: Update kernel to 6.18.34 stable_20260609 (#4814)
* RaspberryPi: Update kernel to 6.18.34 - c8c7494100e99ee05b11aaa4f0588a223a63d1af

* Update rpi-firmware for stable_20260609

* buildroot 78450fa882...fe7b14c878 (1):
  > package/rpi-firmware: update to 89752d4 (for stable_20260609)
2026-06-23 17:55:58 +02:00
Stefan Agner b42f240540 Linux: Update kernel to 6.18.36 (#4810)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.18.36
2026-06-23 14:30:52 +02:00
Stefan Agner c860328725 Enable iwlmld driver for Wi-Fi 7 Intel devices (#4809)
The kernel bump to 6.18 means newer Intel Wi-Fi 7 devices (BZ/GL/SC/DR
families, e.g. the BE200) are no longer handled by the iwlmvm op-mode.
Their firmware now requires the new iwlmld driver, and without it the
iwlwifi core aborts the probe with:

  IWLMLD needs to be compiled to support this firmware
  probe with driver iwlwifi failed with error -22

Enable CONFIG_IWLMLD so these devices bind again. The matching firmware
(iwlwifi-gl-*) already ships via linux-firmware.

Fixes #4784

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-23 14:30:39 +02:00
dependabot[bot] 7682d25ee3 Bump shogo82148/actions-upload-release-asset from 1.10.1 to 1.10.2 (#4797)
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-22 15:51:12 +02:00
dependabot[bot] ec1e180b3b Bump release-drafter/release-drafter from 7.3.1 to 7.4.0 (#4798)
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-22 15:50:17 +02:00
dependabot[bot] 4046980bce Bump actions/checkout from 6.0.3 to 7.0.0 (#4799)
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-22 15:49:44 +02:00
dependabot[bot] 6669be5f72 Bump mikepenz/action-junit-report from 6.4.1 to 6.4.2 (#4800)
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-22 15:49:03 +02:00
Jan Čermák 879325a098 Merge branch 'main' into dev 2026-06-18 16:04:30 +02:00
Jan Čermák a4e8ce25d0 Bump OS to release version 18.0 18.0 2026-06-18 10:08:00 +02:00
Pascal Vizeli 14ea34aaff Enable usbip on all targets (#4776)
* Enable usbip on all targets

Enable the usbip userland tools (BR2_PACKAGE_USBIP), already provided by
the pinned Buildroot (package/usbip), to attach remote USB devices over
the network. The USBIP kernel modules are already enabled via
device-support.config.

This is the OS-side prerequisite for driving USB/IP from os-agent
(home-assistant/os-agent#265).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Fix configs ordering using savedefconfig

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jan Čermák <sairon@sairon.cz>
(cherry picked from commit c8b9d5919b)
2026-06-18 10:07:40 +02:00
Jan Čermák 88d9e6055e Build NFS as built-in module consistently on all targets (#4773)
After #4762, NFS_V4 was set as module in ODROIDs, Green and VIM3
kernels. This is because their defconfigs set the upper NFS_FS symbol to
module. Set it to built-in in these defconfigs as well (for other
targets this is handled by defconfigs from the kernel) and remove
redundant options we set in the haos fragment.

(cherry picked from commit e2a0c9bb3b)
2026-06-18 10:07:34 +02:00
Jan Čermák f09ab0b207 Add sanity checks for correct release channel to the build workflow (#4771)
* Add sanity checks for correct release channel to the build workflow

There's currently nothing preventing us from publishing RC build to the
stable channel if the GH release is configured incorrectly. Since we
have the meta file which dictates where the deployment should go, use
this as a sanity check and reject the workflow if the expected
configuration doesn't match.

* Improve the check to validate version string as well

(cherry picked from commit b4977ed0a9)
2026-06-18 10:07:26 +02:00
Jan Čermák 8f3567aa0e Fix generic_raw_uart compilation after Buildroot 2025.02.15 bump (#4778)
In [1] Buildroot enabled -Werror for kernel modules. Since
generic_raw_uart had several occurrences of -Wmissing-prototypes, this
change lead to the package not building anymore. Make the function
static to fix the build.

[1] https://github.com/home-assistant/buildroot/commit/260f7ec2a9b461b0382c0d982ccbb07005fcf216
2026-06-18 09:37:53 +02:00
Jan Čermák fc57b55cc0 Bump Buildroot to 2025.02.15 (#4777)
* buildroot 89ddb15854...78450fa882 (3):
  > package/runc: fix regression with kernel without user namespace
  > Revert "package/runc: fix regression with kernel without user namespace"
  > Merge tag '2025.02.15' into 2025.02.x-haos
2026-06-17 16:09:18 +02:00
Pascal Vizeli c8b9d5919b Enable usbip on all targets (#4776)
* Enable usbip on all targets

Enable the usbip userland tools (BR2_PACKAGE_USBIP), already provided by
the pinned Buildroot (package/usbip), to attach remote USB devices over
the network. The USBIP kernel modules are already enabled via
device-support.config.

This is the OS-side prerequisite for driving USB/IP from os-agent
(home-assistant/os-agent#265).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Fix configs ordering using savedefconfig

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jan Čermák <sairon@sairon.cz>
2026-06-17 12:56:03 +02:00
Jan Čermák e2a0c9bb3b Build NFS as built-in module consistently on all targets (#4773)
After #4762, NFS_V4 was set as module in ODROIDs, Green and VIM3
kernels. This is because their defconfigs set the upper NFS_FS symbol to
module. Set it to built-in in these defconfigs as well (for other
targets this is handled by defconfigs from the kernel) and remove
redundant options we set in the haos fragment.
2026-06-17 12:55:26 +02:00
Jan Čermák b4977ed0a9 Add sanity checks for correct release channel to the build workflow (#4771)
* Add sanity checks for correct release channel to the build workflow

There's currently nothing preventing us from publishing RC build to the
stable channel if the GH release is configured incorrectly. Since we
have the meta file which dictates where the deployment should go, use
this as a sanity check and reject the workflow if the expected
configuration doesn't match.

* Improve the check to validate version string as well
2026-06-15 15:28:18 +02:00
Jan Čermák 4e8633c7a9 Bump OS to development version 18.1.dev0 2026-06-12 17:06:47 +02:00
Jan Čermák f08ba0e99e Bump OS to pre-release version 18.0.rc1 18.0.rc1 2026-06-12 13:34:03 +02:00
Jan Čermák 2cd8cf450d Shrink data partition for leaner disk images and faster flashing (#4764)
Borrow shrinking used in home-assistant/operating-system-full-images for
reducing the data partition size to only fit its contents. Currently the
data partition is intentionally overprovisioned to comfortably fit all
docker images in the hassio build. This results in unnecessarily large
image which takes longer to flash, as all the zeroes at the end of the
filesystem need to be written to the SD card.

For OVA and aarch64 VM formats, the image is resized before creating the
VM images - this also makes all generic-aarch64 images sized to 32GB,
unlike 6GB which inherently needed resizing before use. Some juggling
extra juggling is needed in the aarch64 post-image step, as we want to
preserve the raw image (e.g. for generic aarch64 boards) but it's
desirable to keep it minimal as well, as it's meant to be flashed to
real hardware storage.
2026-06-11 16:33:30 +02:00
Jan Čermák 6dd5770b2d Enable NFS v4.1/v4.2 for all targets (#4762)
Not all defconfigs enable NFS v4.1/v4.2 by default, most importantly
it's not enabled for x86_64 (on the other hand, it is enabled on RPi,
Rockchip and Amlogic). Explicitly enable NFS_V4 and its minor versions
in the common config fragment to ensure it's available everywhere.

It can now be removed from the Rochckip fragment, while removing the
migration option there for good (as Kconfig says it's very
experimental).

Fixes #4742
2026-06-11 11:47:36 +02:00
Jan Čermák f561b241af Add CAs for new signing certificates to RAUC keyring (#4757)
Add certificates with new PKI chain to replace the old one. Until May
14th 2028, bundles signed with the old certs will be accepted as well.
The transition to the new authority using bundles signed by the new
certs is ensured by the intermediate certificate signed by the old CA.
This, and the old CA certificates can be removed from the keyring after
their expiry.

The keyrings no longer contain CRLs, but the validity of the
certificates will be shortened to 4 years, as discussed in the linked
issue.

Closes #4743
2026-06-09 18:09:46 +02:00
Jan Čermák c5122371e4 Clamp default swap size between 1-4 GB (#4758)
The rule using 33% of RAM for default swapfile size had flaws both for
low and high RAM systems - for the former the swap was too small to
provide any buffer for OOM situations, for the latter it created
unnecessarily big swapfile.

Clamp the swapfile size to 1-4 GB. This means the file will somewhat
grow on systems with 1 or 2 GB of RAM, but this should be within bounds
of what's reported by HA as low storage. For systems with >12 GB of RAM,
the swap file wouldn't be created larger than 4 GB (in fact, will be
recreated if bigger). The configured size is still respected.

Closes #4481
2026-06-09 17:49:16 +02:00
Jan Čermák 9f979400f3 Linux: Update kernel to 6.18.35 (#4759)
* https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.18.35
2026-06-09 17:49:00 +02:00
MaxPowerFood 48ede8ab42 Enable JMicron PCIe NIC driver (#4756)
Enable the JMicron JMC25x Gigabit Ethernet driver (CONFIG_JME) in the
kernel configuration.

This controller (specifically the JMC251) is very common on various
budget mini PCs (often used as Home Assistant nodes) but currently lacks
native driver support in Home Assistant OS out of the box. Adding these
flags restores native network connectivity for these devices.
2026-06-09 17:16:39 +02:00
Jan Čermák b7bb667e35 Add CI check for sufficient validity of the OTA signing certificate (#4751)
* Add CI check for sufficient validity of the OTA signing certificate

To ensure that we don't miss expiration of the signing certificate, add
a CI check that checks its validity and validity of the full chain of
trust, ensuring CA doesn't expire either. Currently set to 25 months,
which should be enough to allow migration of existing devices to new CA
and allow some wiggle room for upgrades and downgrades.

Refs #4743

* Find real issuer when walking the chain

* Add number of certs checked to the suceess message
2026-06-08 17:31:55 +02:00
Jan Čermák b721d6df27 Update Docker to v29.5.3 (#4755)
* buildroot da2546993b...89ddb15854 (2):
  > package/docker-cli: bump version to v29.5.3
  > package/docker-engine: bump version to v29.5.3
2026-06-08 17:31:02 +02:00