From: "'Felix Moessbauer' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: Felix Moessbauer <felix.moessbauer@siemens.com>
Subject: [PATCH 2/2] work around bootstrapping issue of raspios due to SHA1 key removal
Date: Fri, 6 Mar 2026 17:02:55 +0100 [thread overview]
Message-ID: <20260306160255.1017503-3-felix.moessbauer@siemens.com> (raw)
In-Reply-To: <20260306160255.1017503-1-felix.moessbauer@siemens.com>
From Feburary 2026 on apt versions used on trixie and later will reject
repository keys which use an SHA1 hash. While this issue needs to be
fixed upstream, a workaround is needed to bootstrap these distributions
from a > trixie host distribution (purely bootstrapping within a
distribution is not affected, as then an older apt is used).
We work around this by applying the recommended mmdebstrap option to
disable key expiry checking (which internally switches from sqv to gpg
which does process SHA1 keys).
For details, see https://wiki.debian.org/Teams/Apt/Sha1Removal.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta-isar/conf/distro/raspios-bookworm.conf | 2 ++
meta-isar/conf/distro/raspios-bullseye.conf | 2 ++
2 files changed, 4 insertions(+)
diff --git a/meta-isar/conf/distro/raspios-bookworm.conf b/meta-isar/conf/distro/raspios-bookworm.conf
index edba011f..0bed3018 100644
--- a/meta-isar/conf/distro/raspios-bookworm.conf
+++ b/meta-isar/conf/distro/raspios-bookworm.conf
@@ -14,6 +14,8 @@ HOST_DISTRO_APT_SOURCES ?= "conf/distro/${HOST_DISTRO}.list"
DISTRO_APT_SOURCES ?= "conf/distro/raspios-bookworm.list"
DISTRO_APT_SOURCES:arm64 ?= "conf/distro/raspios-bookworm-64.list"
+# workaround for https://wiki.debian.org/Teams/Apt/Sha1Removal
+DISTRO_MM_OPTS += "${MMAPTOPT_NOEXPKEYSIGN}"
DISTRO_BOOTSTRAP_KEYS = "http://raspbian.raspberrypi.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
DISTRO_BOOTSTRAP_KEYS:arm64 = ""
diff --git a/meta-isar/conf/distro/raspios-bullseye.conf b/meta-isar/conf/distro/raspios-bullseye.conf
index 60782f67..1b108649 100644
--- a/meta-isar/conf/distro/raspios-bullseye.conf
+++ b/meta-isar/conf/distro/raspios-bullseye.conf
@@ -14,6 +14,8 @@ HOST_DISTRO_APT_SOURCES ?= "conf/distro/${HOST_DISTRO}.list"
DISTRO_APT_SOURCES ?= "conf/distro/raspios-bullseye.list"
DISTRO_APT_SOURCES:arm64 ?= "conf/distro/raspios-bullseye-64.list"
+# workaround for https://wiki.debian.org/Teams/Apt/Sha1Removal
+DISTRO_MM_OPTS += "${MMAPTOPT_NOEXPKEYSIGN}"
DISTRO_BOOTSTRAP_KEYS = "http://raspbian.raspberrypi.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
DISTRO_BOOTSTRAP_KEYS:arm64 = ""
--
2.53.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260306160255.1017503-3-felix.moessbauer%40siemens.com.
next prev parent reply other threads:[~2026-03-06 16:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-06 16:02 [PATCH 0/2] Restore bootstrapping of raspios on trixie host 'Felix Moessbauer' via isar-users
2026-03-06 16:02 ` [PATCH 1/2] add variables to inject config into mmdebstrap 'Felix Moessbauer' via isar-users
2026-03-06 16:02 ` 'Felix Moessbauer' via isar-users [this message]
2026-03-10 10:36 ` [PATCH 0/2] Restore bootstrapping of raspios on trixie host Anton Mikanovich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260306160255.1017503-3-felix.moessbauer@siemens.com \
--to=isar-users@googlegroups.com \
--cc=felix.moessbauer@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox