Kudos on the script and the work behind it!
I wish that were true! Unfortunately, the script does not currently seem to be cryptographically signed, let alone signed with a key in the strong set. In particular, the Git repository containing the script seems to be this one. All of the recent commits to that repo are unsigned. Nor have I been able to find a detached signature anywhere, applying to the script. (If it is signed, and I have failed to notice this, please could you point me to the signature?)
That being so, we cannot be very confident that nobody has tampered with the script. This has obvious implications for the amount of trust we should place in the resulting Coreboot build.
Please could you sign the latest commit (and future commits) in the repo - or at least publish a detached signature for current and future versions of build_coreboot.sh - with a key that clearly belongs to a Purism employee and that is in the strong set? Thanks.