* [PATCH 1/2] add variables to inject config into mmdebstrap
2026-03-06 16:02 [PATCH 0/2] Restore bootstrapping of raspios on trixie host 'Felix Moessbauer' via isar-users
@ 2026-03-06 16:02 ` 'Felix Moessbauer' via isar-users
2026-03-06 16:02 ` [PATCH 2/2] work around bootstrapping issue of raspios due to SHA1 key removal 'Felix Moessbauer' via isar-users
2026-03-10 10:36 ` [PATCH 0/2] Restore bootstrapping of raspios on trixie host Anton Mikanovich
From: 'Felix Moessbauer' via isar-users @ 2026-03-06 16:02 UTC (permalink / raw)
To: isar-users; +Cc: Felix Moessbauer
When working with old repos, signing keys might be used which are not
considered secure by the host apt (which is used during ``mmdebstrap``),
either due to the key's expiry date or due to insecure signature
algorithms. To work around this, we introduce the variables
``MMAPTOPT_NOEXPKEYSIGN`` and ``DISTRO_MM_OPTS``. While the former
provides an argument to disable the key expiry checking, the latter
allows users to inject custom options into ``mmdebstrap``.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
RECIPE-API-CHANGELOG.md | 10 ++++++++++
.../isar-mmdebstrap/isar-mmdebstrap-target.bb | 1 +
meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 7 +++++++
3 files changed, 18 insertions(+)
diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 0bad8a44..e44b4b9d 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,13 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
# Optional: set countdown timeout in seconds (default 5)
INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
```
+
+### Working with old and unofficial debian repos
+
+When working with old repos, signing keys might be used which are not considered
+secure by the host apt (which is used during ``mmdebstrap``), either due to the
+keys expiry date or due to insecure signature algorithms. To work around this,
+we introduce the variables ``MMAPTOPT_NOEXPKEYSIGN`` and ``DISTRO_MM_OPTS``.
+While the former provides an argument to disable the key expiry checking, the
+latter allows users to inject custom options into ``mmdebstrap``. For details,
+see ``man mmdebstrap``. Use with care!
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
index 227ff04c..a9695d44 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
@@ -8,6 +8,7 @@
Description = "Minimal target Debian root file system"
DEPLOY_ISAR_BOOTSTRAP = "${DEPLOY_DIR_BOOTSTRAP}/${DISTRO}-${DISTRO_ARCH}"
+MMOPTS ?= "${DISTRO_MM_OPTS}"
PROVIDES += "bootstrap-target"
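Review bot: `MMOPTS ?= "${DISTRO_MM_OPTS}"` competes with the `MMOPTS ?= ""` added to isar-mmdebstrap.inc; in BitBake the first `?=` parsed wins, so this default only takes effect if the line is parsed before the `require` of the .inc, which the hunk does not show. Please confirm the ordering or keep a single default, e.g. make the .inc line `MMOPTS ?= "${DISTRO_MM_OPTS}"` and add `DISTRO_MM_OPTS ?= ""` next to it, since nowhere in the patch does `DISTRO_MM_OPTS` get a default for distros that do not set it.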
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
index ce34245f..6c2cb170 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
@@ -22,6 +22,12 @@ DPKG_HOOKS ?= "${@'--hook-dir='+d.getVar('MM_HOOK_JESSIE') \
MMHOOKS:focal ?= "${DPKG_HOOKS}"
MMHOOKS:buster ?= "${DPKG_HOOKS}"
+# disable key expiration checking during bootstrapping
+# this also works around the blocking of Sha1 keys when using old repos
+# https://wiki.debian.org/Teams/Apt/Sha1Removal
+MMAPTOPT_NOEXPKEYSIGN = "--aptopt='Apt::Key::gpgvcommand \"/usr/libexec/mmdebstrap/gpgvnoexpkeysig\"'"
+MMOPTS ?= ""
+
DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"
def get_distro_have_https_source(d):
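Review bot: the comment "disable key expiration checking" undersells what `MMAPTOPT_NOEXPKEYSIGN` does: per the cover letter, pointing `Apt::Key::gpgvcommand` at `gpgvnoexpkeysig` swaps apt's verifier from sqv to gpg for the entire bootstrap, which is why SHA1 keys pass; the comment should say that verification is weakened, not just that expiry is ignored. Two things to verify: the value embeds `\"` inside a single-quoted shell word, and once BitBake expands `${MMOPTS}` into do_bootstrap those backslashes are literal inside `'...'`, so please check the apt.conf fragment mmdebstrap writes into the chroot (`/etc/apt/apt.conf.d/99mmdebstrap`) really reads `Apt::Key::gpgvcommand "/usr/libexec/mmdebstrap/gpgvnoexpkeysig"`; and the helper path depends on the host's mmdebstrap version, so a `bbfatal` when the file is missing would give a clearer failure than a late signature error.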
@@ -236,6 +242,7 @@ do_bootstrap() {
--customize-hook='chroot "$1" /usr/bin/apt-get -y clean' \
--skip=cleanup/apt \
--skip=download/empty \
+ ${MMOPTS} \
${@get_apt_opts(d, '--aptopt')} \
${@get_distro_components_argument(d)} \
"${@get_distro_suite(d)}" \
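Review bot: `${MMOPTS}` is expanded unquoted, which is what allows several options in one variable, but it also means the value is word-split and glob-expanded and every option containing spaces must carry its own shell quoting (as `MMAPTOPT_NOEXPKEYSIGN` does); that constraint belongs in the changelog entry. It is also placed before `${@get_apt_opts(d, '--aptopt')}`, so when an injected `--aptopt` and a recipe-generated one set the same apt key, the later, generated one wins; say whether that precedence is intended. Since anything put into `MMOPTS` will typically weaken verification, a `bbwarn` when it is non-empty would make a relaxed bootstrap visible in the build log.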
--
2.53.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260306160255.1017503-2-felix.moessbauer%40siemens.com.
* [PATCH 2/2] work around bootstrapping issue of raspios due to SHA1 key removal
2026-03-06 16:02 [PATCH 0/2] Restore bootstrapping of raspios on trixie host 'Felix Moessbauer' via isar-users
2026-03-06 16:02 ` [PATCH 1/2] add variables to inject config into mmdebstrap 'Felix Moessbauer' via isar-users
@ 2026-03-06 16:02 ` 'Felix Moessbauer' via isar-users
2026-03-10 10:36 ` [PATCH 0/2] Restore bootstrapping of raspios on trixie host Anton Mikanovich
From: 'Felix Moessbauer' via isar-users @ 2026-03-06 16:02 UTC (permalink / raw)
To: isar-users; +Cc: Felix Moessbauer
From February 2026 on, apt versions used on trixie and later will reject
repository keys which use an SHA1 hash. While this issue needs to be
fixed upstream, a workaround is needed to bootstrap these distributions
from a > trixie host distribution (purely bootstrapping within a
distribution is not affected, as then an older apt is used).
We work around this by applying the recommended mmdebstrap option to
disable key expiry checking (which internally switches from sqv to gpg
which does process SHA1 keys).
For details, see https://wiki.debian.org/Teams/Apt/Sha1Removal.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta-isar/conf/distro/raspios-bookworm.conf | 2 ++
meta-isar/conf/distro/raspios-bullseye.conf | 2 ++
2 files changed, 4 insertions(+)
diff --git a/meta-isar/conf/distro/raspios-bookworm.conf b/meta-isar/conf/distro/raspios-bookworm.conf
index edba011f..0bed3018 100644
--- a/meta-isar/conf/distro/raspios-bookworm.conf
+++ b/meta-isar/conf/distro/raspios-bookworm.conf
@@ -14,6 +14,8 @@ HOST_DISTRO_APT_SOURCES ?= "conf/distro/${HOST_DISTRO}.list"
DISTRO_APT_SOURCES ?= "conf/distro/raspios-bookworm.list"
DISTRO_APT_SOURCES:arm64 ?= "conf/distro/raspios-bookworm-64.list"
+# workaround for https://wiki.debian.org/Teams/Apt/Sha1Removal
+DISTRO_MM_OPTS += "${MMAPTOPT_NOEXPKEYSIGN}"
DISTRO_BOOTSTRAP_KEYS = "http://raspbian.raspberrypi.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
DISTRO_BOOTSTRAP_KEYS:arm64 = ""
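Review bot: the workaround is applied unconditionally, while the commit message says only bootstrapping from a trixie or newer host is affected; on a bookworm or bullseye host this line still disables expiry checking and swaps the verifier for no benefit. Consider gating the append on `HOST_DISTRO` so `${MMAPTOPT_NOEXPKEYSIGN}` is only added for trixie and later hosts, or at least extend the comment to say it is needed for newer hosts only and is to be dropped once the raspbian key is re-signed. Note that `+=` is an unconditional append, so a layer that wants strict verification has to use `DISTRO_MM_OPTS:remove`; fine, but worth mentioning in the changelog.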
diff --git a/meta-isar/conf/distro/raspios-bullseye.conf b/meta-isar/conf/distro/raspios-bullseye.conf
index 60782f67..1b108649 100644
--- a/meta-isar/conf/distro/raspios-bullseye.conf
+++ b/meta-isar/conf/distro/raspios-bullseye.conf
@@ -14,6 +14,8 @@ HOST_DISTRO_APT_SOURCES ?= "conf/distro/${HOST_DISTRO}.list"
DISTRO_APT_SOURCES ?= "conf/distro/raspios-bullseye.list"
DISTRO_APT_SOURCES:arm64 ?= "conf/distro/raspios-bullseye-64.list"
+# workaround for https://wiki.debian.org/Teams/Apt/Sha1Removal
+DISTRO_MM_OPTS += "${MMAPTOPT_NOEXPKEYSIGN}"
DISTRO_BOOTSTRAP_KEYS = "http://raspbian.raspberrypi.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
DISTRO_BOOTSTRAP_KEYS:arm64 = ""
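Review bot: this is the bookworm hunk line for line; if the two raspios configs share an include, the workaround (and its later removal) belongs there so the two cannot drift. Otherwise the same remarks apply: gate it on the host distro, and record in the comment that this is a temporary measure tied to https://wiki.debian.org/Teams/Apt/Sha1Removal so it can be reverted once the upstream key is fixed.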
--
2.53.0
--
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260306160255.1017503-3-felix.moessbauer%40siemens.com.
* Re: [PATCH 0/2] Restore bootstrapping of raspios on trixie host
2026-03-06 16:02 [PATCH 0/2] Restore bootstrapping of raspios on trixie host 'Felix Moessbauer' via isar-users
2026-03-06 16:02 ` [PATCH 1/2] add variables to inject config into mmdebstrap 'Felix Moessbauer' via isar-users
2026-03-06 16:02 ` [PATCH 2/2] work around bootstrapping issue of raspios due to SHA1 key removal 'Felix Moessbauer' via isar-users
@ 2026-03-10 10:36 ` Anton Mikanovich
From: Anton Mikanovich @ 2026-03-10 10:36 UTC (permalink / raw)
To: Felix Moessbauer, isar-users
Applied to next, thanks.
06.03.2026 18:02, 'Felix Moessbauer' via isar-users wrote:
> When bootstrapping from a trixie host, mmdebstrap uses the host apt for the
> first part of the bootstrapping. In Debian trixie, the default apt gpgv
> backend is sqv, which blocks SHA1 signed keys from 01.02.2026 on [1] (this
> is configured in /usr/share/apt/default-sequoia.config). As a workaround,
> we provide variables to instruct mmdebstrap to not check the expiry date,
> which internally switches the gpgv backend to gpg which also does not have
> a check for the SHA1 deprecation. Unfortunately it is not possible to
> instruct apt / sqv to just disable the SHA1 check (except by replacing the
> whole config file) [2].
>
> This fixes [3], unblocks the TestCross CI and is release critical.
>
> [1] https://wiki.debian.org/Teams/Apt/Sha1Removal
> [2] https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1092747
> [3] https://groups.google.com/g/isar-users/c/D5NaB_TdioY
>
> Best regards,
> Felix Moessbauer
> Siemens AG
>
> Felix Moessbauer (2):
> add variables to inject config into mmdebstrap
> work around bootstrapping issue of raspios due to SHA1 key removal
>
> RECIPE-API-CHANGELOG.md | 10 ++++++++++
> meta-isar/conf/distro/raspios-bookworm.conf | 2 ++
> meta-isar/conf/distro/raspios-bullseye.conf | 2 ++
> .../isar-mmdebstrap/isar-mmdebstrap-target.bb | 1 +
> meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 7 +++++++
> 5 files changed, 22 insertions(+)
>
--
To view this discussion visit https://groups.google.com/d/msgid/isar-users/237a6715-5243-4dc7-b4f6-0432c1f3329e%40ilbers.de.
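The thread turns on whether a repository signing key still carries SHA1-based signatures, which is what apt's sequoia backend on a trixie host refuses. Here is an added example, not part of the thread and not Isar or mmdebstrap code, that checks this before deciding whether the `MMAPTOPT_NOEXPKEYSIGN` workaround is needed at all: it walks the OpenPGP packets of a keyring (binary or ASCII-armored), pulls the hash algorithm out of every signature packet and flags SHA1 and MD5. The packet layout follows RFC 4880; the sample keyring is constructed inline from hand-built packets with dummy key material and is not a real key. The script name and the file name in the usage line are assumptions.

```python
# Added example: list the hash algorithm of each signature packet in an OpenPGP keyring.
# Packet layout per RFC 4880 (sections 4.2, 5.2). Not Isar or mmdebstrap code.
import base64
import sys
from dataclasses import dataclass

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}   # SHA1 is what the thread says apt's sqv backend now rejects; MD5 is older still
SIG_TYPES = {0x10: "certification", 0x11: "certification", 0x12: "certification", 0x13: "certification",
             0x18: "subkey binding", 0x1F: "direct key", 0x20: "key revocation", 0x28: "subkey revocation"}

@dataclass
class SigInfo:
    sig_type: int
    hash_algo: int

    @property
    def weak(self) -> bool:
        return self.hash_algo in WEAK_HASHES

    def describe(self) -> str:
        kind = SIG_TYPES.get(self.sig_type, f"type 0x{self.sig_type:02x}")
        name = HASH_NAMES.get(self.hash_algo, f"hash {self.hash_algo}")
        return f"{kind:<18} {name}" + ("   <-- weak, expect rejection" if self.weak else "")

def dearmor(data: bytes) -> bytes:
    """Return a binary keyring unchanged; strip ASCII armor (RFC 4880 6.2) otherwise."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    b64, state = [], "preamble"
    for line in data.decode("ascii", "replace").splitlines():
        if state == "preamble":
            if line.startswith("-----BEGIN PGP"):
                state = "headers"
        elif state == "headers":
            if line.strip() == "":          # blank line ends the armor headers
                state = "data"
        elif line.startswith("-----END PGP"):
            break
        elif not line.startswith("="):      # "=XXXX" is the CRC24 line, not data
            b64.append(line.strip())
    return base64.b64decode("".join(b64))

def parse_packets(data: bytes) -> list:
    """Split a packet stream into (tag, body) tuples; handles old- and new-format headers."""
    packets, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {i}")
        if hdr & 0x40:                                  # new format: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                           # old format: tag in bits 2..5
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet")
            nbytes = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def signature_info(body: bytes) -> SigInfo:
    """Type and hash algorithm of a signature packet (tag 2) body."""
    if body[0] in (4, 5, 6):    # version, type, pubkey algo, hash algo, ...
        return SigInfo(sig_type=body[1], hash_algo=body[3])
    if body[0] == 3:            # version, 0x05, type, time(4), key id(8), pubkey algo, hash algo
        return SigInfo(sig_type=body[2], hash_algo=body[16])
    raise ValueError(f"unsupported signature version {body[0]}")

def audit_keyring(data: bytes) -> list:
    return [signature_info(body) for tag, body in parse_packets(dearmor(data)) if tag == 2]

def has_weak_signatures(data: bytes) -> bool:
    return any(s.weak for s in audit_keyring(data))

# Constructed sample keyring with dummy key material (not a real key): old-format headers
# with one-octet lengths, a v4 "RSA" key with tiny MPIs, one user ID, one subkey.
def packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body

def sig_packet(sig_type: int, hash_algo: int) -> bytes:
    # v4, type, RSA, hash, empty hashed/unhashed subpacket areas, 2-byte hash prefix, dummy MPI
    return packet(2, bytes([4, sig_type, 1, hash_algo]) + bytes(6) + b"\x00\x08\x01")

DUMMY_KEY = b"\x04\x00\x00\x00\x00\x01" + b"\x00\x08\x01" + b"\x00\x08\x03"
SAMPLE_KEYRING = (packet(6, DUMMY_KEY) + packet(13, b"Example Repo <repo@example.invalid>")
                  + sig_packet(0x13, 2)                        # self-certification made with SHA1
                  + packet(14, DUMMY_KEY) + sig_packet(0x18, 8))  # subkey binding made with SHA256

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYRING
    for sig in audit_keyring(data):
        print(sig.describe())
    sys.exit(1 if has_weak_signatures(data) else 0)
```

Run it as `python3 check_keyring_hashes.py raspbian.public.key` (names assumed) and look at the user-ID self-certifications and subkey binding signatures: those are the signatures a verifier evaluates when deciding whether a key is usable, so a SHA1 entry there means the key will be refused by apt's sqv backend on a trixie host and the thread's workaround applies. The exit status makes the check usable as a preflight step in a build pipeline.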