[PATCH master] ci: container: fix various breakage in container build

[PATCH master] ci: container: fix various breakage in container build

[Ahmad Fatoum]

The LLVM apt repositories can't be used at the moment without further
changes to sequoia configuration:

   Signing key on 6084F3CF814B57C1CF12EFD515CF4D18AF4F7421 is not bound:
              No binding signature at time 2025-08-09T21:49:56Z
     because: Policy rejected non-revocation signature (PositiveCertification)
              requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Let's bump the date by four months until this is resolved.

While at it, also make sure to use -y to answer possible upgrade prompts
and do an apt-get update before the second install as well as we delete
the cache in-between.

I briefly considered using the prebuilt LLVM toolchains on kernel.org,
but they do not work for our purposes:

  /usr/bin/ld: have you installed the static version of the
    clang_rt.fuzzer_no_main-x86_64 library ?

[1]: https://github.com/llvm/llvm-project/issues/153385#issuecomment-3239875987

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/Containerfile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/test/Containerfile b/test/Containerfile
index 8b0c37a6b20a..6e4515f7d582 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -10,7 +10,7 @@ LABEL Description="This image is for building and testing barebox inside a conta
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Update and install things from apt now
-RUN apt-get update && apt-get upgrade && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 	bison \
 	build-essential \
 	coreutils \
@@ -64,8 +64,12 @@ RUN apt-get update && apt-get upgrade && apt-get install -y --no-install-recomme
 ENV GCC_VERSION=15.2.0
 ENV LLVM_VERSION=20
 
-RUN apt-get install -y --no-install-recommends lsb-release gnupg \
+RUN apt-get update && apt-get install -y --no-install-recommends lsb-release gnupg \
 	&& wget https://apt.llvm.org/llvm.sh \
+	&& mkdir -p /etc/crypto-policies/back-ends/ \
+	&& sed 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' \
+	    < /usr/share/apt/default-sequoia.config \
+	    > /etc/crypto-policies/back-ends/apt-sequoia.config \
 	&& chmod +x llvm.sh && ./llvm.sh ${LLVM_VERSION} \
 	&& apt-get remove -y lsb-release gnupg \
 	&& apt-get autoremove -y --purge \
-- 
2.47.3

Re: [PATCH master] ci: container: fix various breakage in container build

[Sascha Hauer]

On Tue, 10 Feb 2026 12:50:24 +0100, Ahmad Fatoum wrote:
> The LLVM apt repositories can't be used at the moment without further
> changes to sequoia configuration:
> 
>    Signing key on 6084F3CF814B57C1CF12EFD515CF4D18AF4F7421 is not bound:
>               No binding signature at time 2025-08-09T21:49:56Z
>      because: Policy rejected non-revocation signature (PositiveCertification)
>               requiring second pre-image resistance
>      because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
> 
> [...]

Applied, thanks!

[1/1] ci: container: fix various breakage in container build
      https://git.pengutronix.de/cgit/barebox/commit/?id=ffd4db2ea98e (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>