[PATCH 0/2] Restore bootstrapping of raspios on trixie host


Felix Moessbauer

Mar 6, 2026, 11:03:08 AM (12 days ago) Mar 6
to isar-...@googlegroups.com, Felix Moessbauer
When bootstrapping from a trixie host, mmdebstrap uses the host apt for the
first part of the bootstrapping. In Debian trixie, the default apt gpgv
backend is sqv, which blocks SHA1 signed keys from 01.02.2026 on [1] (this
is configured in /usr/share/apt/default-sequoia.config). As a workaround,
we provide variables to instruct mmdebstrap to not check the expiry date,
which internally switches the gpgv backend to gpg which also does not have
a check for the SHA1 deprecation. Unfortunately it is not possible to
instruct apt / sqv to just disable the SHA1 check (except by replacing the
whole config file) [2].

This fixes [3], unblocks the TestCross CI and is release critical.

[1] https://wiki.debian.org/Teams/Apt/Sha1Removal
[2] https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1092747
[3] https://groups.google.com/g/isar-users/c/D5NaB_TdioY

Best regards,
Felix Moessbauer
Siemens AG

Felix Moessbauer (2):
add variables to inject config into mmdebstrap
work around bootstrapping issue of raspios due to SHA1 key removal

RECIPE-API-CHANGELOG.md | 10 ++++++++++
meta-isar/conf/distro/raspios-bookworm.conf | 2 ++
meta-isar/conf/distro/raspios-bullseye.conf | 2 ++
.../isar-mmdebstrap/isar-mmdebstrap-target.bb | 1 +
meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 7 +++++++
5 files changed, 22 insertions(+)

--
2.53.0
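A pre-flight check that goes with the cover letter above, added here as an example and not part of the Isar series: before relaxing verification for a whole bootstrap, it is useful to know which signatures in a repository key actually use SHA1. The script below walks the OpenPGP packets of a key file (binary or ASCII-armoured), reads the hash algorithm of every signature packet and flags MD5/SHA1 ones. It only inspects the self-signatures inside the key, not the Release file signatures, and it handles definite packet lengths only; the sample key bytes are constructed and are not a real key. Nothing here is Isar or mmdebstrap code.

```python
"""Scan an OpenPGP key file for signatures that still use SHA1 or MD5.

Added example (not from the Isar patches). Walks the packet stream of a key
file and reports the hash algorithm of each signature packet. Definite packet
lengths only; partial body lengths are rejected. SAMPLE_KEY is constructed.
"""
import base64
import sys

# OpenPGP hash algorithm ids (RFC 4880 section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224", 12: "SHA3-256", 14: "SHA3-512"}
WEAK_HASHES = {1, 2}   # MD5 and SHA1; the cut-off date is the one in the cover letter
SIG_TYPES = {0x10: "generic cert", 0x11: "persona cert", 0x12: "casual cert",
             0x13: "positive cert", 0x18: "subkey binding", 0x19: "primary binding",
             0x1F: "direct key", 0x20: "key revocation", 0x28: "subkey revocation",
             0x30: "cert revocation"}


def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes; strips '-----BEGIN PGP ...-----' armour if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data                                   # already binary
    lines = iter(data.decode("ascii", "replace").splitlines())
    for line in lines:                                # skip up to the BEGIN line
        if line.startswith("-----BEGIN PGP"):
            break
    b64 = []
    for line in lines:
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if not line or (":" in line and not b64):    # armour headers and the blank line
            continue
        if line.startswith("="):                      # CRC24 line, not payload
            continue
        b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet with a definite length."""
    pos, n = 0, len(data)
    while pos < n:
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        if first & 0x40:                              # new-format header
            tag, b1 = first & 0x3F, data[pos + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[pos + 2] + 192, 3
            elif b1 == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                         # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        yield tag, body
        pos += hdr + length


def signature_hash_algo(body: bytes):
    """Return (sig_type, hash_algo) from a signature packet body (v3, v4, v5)."""
    if body[0] == 3:
        return body[2], body[16]
    return body[1], body[3]


def scan_signatures(data: bytes):
    """List every signature packet in the key with its hash algorithm."""
    results = []
    for index, (tag, body) in enumerate(iter_packets(dearmor(data))):
        if tag != 2:                                  # 2 = signature packet
            continue
        sig_type, hash_algo = signature_hash_algo(body)
        results.append({"packet": index,
                        "sig_type": SIG_TYPES.get(sig_type, f"0x{sig_type:02x}"),
                        "hash_algo": hash_algo,
                        "hash_name": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})"),
                        "weak": hash_algo in WEAK_HASHES})
    return results


def weak_signatures(data: bytes):
    return [r for r in scan_signatures(data) if r["weak"]]


# Constructed sample: dummy key packet, user id, a SHA1-hashed positive
# certification and a SHA256-hashed subkey binding. Not a real key.
SAMPLE_KEY = bytes([
    0x98, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,   # tag 6 (old format)
    0xB4, 0x04, ord("t"), ord("e"), ord("s"), ord("t"),           # tag 13 user id
    0xC2, 0x0A, 0x04, 0x13, 0x01, 0x02, 0, 0, 0, 0, 0, 0,         # tag 2, v4, SHA1
    0xC2, 0x0A, 0x04, 0x18, 0x01, 0x08, 0, 0, 0, 0, 0, 0,         # tag 2, v4, SHA256
])
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
                  + base64.b64encode(SAMPLE_KEY).decode("ascii")
                  + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n").encode("ascii")


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) == 2 else SAMPLE_KEY
    for rec in scan_signatures(data):
        flag = "WEAK" if rec["weak"] else "ok  "
        print(f"{flag} packet #{rec['packet']:3d} {rec['sig_type']:<18} {rec['hash_name']}")
    return 1 if weak_signatures(data) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_key.py raspbian.public.key`; a non-zero exit means at least one signature inside the key uses MD5 or SHA1, which is the case the `MMAPTOPT_NOEXPKEYSIGN` workaround exists for. Seeing exactly which binding signatures are affected makes it easier to decide whether a refreshed key from the repository owner is available instead of relaxing verification.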

Felix Moessbauer

Mar 6, 2026, 11:03:08 AM (12 days ago) Mar 6
to isar-...@googlegroups.com, Felix Moessbauer
When working with old repos, signing keys might be used which are not
considered secure by the host apt (which is used during ``mmdebstrap``),
either due to the key's expiry date or due to insecure signature
algorithms. To work around this, we introduce the variables
``MMAPTOPT_NOEXPKEYSIGN`` and ``DISTRO_MM_OPTS``. While the former
provides an argument to disable the key expiry checking, the latter
allows users to inject custom options into ``mmdebstrap``.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
RECIPE-API-CHANGELOG.md | 10 ++++++++++
.../isar-mmdebstrap/isar-mmdebstrap-target.bb | 1 +
meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 7 +++++++
3 files changed, 18 insertions(+)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 0bad8a44..e44b4b9d 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,13 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
# Optional: set countdown timeout in seconds (default 5)
INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
```
+
+### Working with old and unofficial debian repos
+
+When working with old repos, signing keys might be used which are not considered
+secure by the host apt (which is used during ``mmdebstrap``), either due to the
+keys expiry date or due to insecure signature algorithms. To work around this,
+we introduce the variables ``MMAPTOPT_NOEXPKEYSIGN`` and ``DISTRO_MM_OPTS``.
+While the former provides an argument to disable the key expiry checking, the
+latter allows users to inject custom options into ``mmdebstrap``. For details,
+see ``man mmdebstrap``. Use with care!
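Review bot: the new changelog section describes `MMAPTOPT_NOEXPKEYSIGN` only as "disable the key expiry checking", but the cover letter explains that the real effect is switching apt's gpgv backend from sqv to gpg, which is what lets SHA1-signed keys through. Stating that here ("disables expiry checking and, as a side effect, the SHA1 rejection") tells users what they are actually switching off, so "Use with care!" has something concrete attached to it. Minor: "keys expiry date" should read "key's expiry date", and "debian" in the heading should be "Debian" like the rest of the file.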
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
index 227ff04c..a9695d44 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
@@ -8,6 +8,7 @@
Description = "Minimal target Debian root file system"

DEPLOY_ISAR_BOOTSTRAP = "${DEPLOY_DIR_BOOTSTRAP}/${DISTRO}-${DISTRO_ARCH}"
+MMOPTS ?= "${DISTRO_MM_OPTS}"

PROVIDES += "bootstrap-target"

diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
index ce34245f..6c2cb170 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
@@ -22,6 +22,12 @@ DPKG_HOOKS ?= "${@'--hook-dir='+d.getVar('MM_HOOK_JESSIE') \
MMHOOKS:focal ?= "${DPKG_HOOKS}"
MMHOOKS:buster ?= "${DPKG_HOOKS}"

+# disable key expiration checking during bootstrapping
+# this also works around the blocking of Sha1 keys when using old repos
+# https://wiki.debian.org/Teams/Apt/Sha1Removal
+MMAPTOPT_NOEXPKEYSIGN = "--aptopt='Apt::Key::gpgvcommand \"/usr/libexec/mmdebstrap/gpgvnoexpkeysig\"'"
+MMOPTS ?= ""
+
DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"

def get_distro_have_https_source(d):
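Review bot: `MMAPTOPT_NOEXPKEYSIGN` hard-codes `/usr/libexec/mmdebstrap/gpgvnoexpkeysig`; on a host whose mmdebstrap predates that helper, apt will fail with an unrelated-looking gpgv error, so the comment should name the mmdebstrap version that ships it or do_bootstrap should check the path exists. Please also verify in the expanded run.do_bootstrap script that the option reaches mmdebstrap as `Apt::Key::gpgvcommand "/usr/libexec/mmdebstrap/gpgvnoexpkeysig"` with plain double quotes, since the value is inlined unquoted into the shell function and any surviving backslashes would end up in apt's configuration. Finally, the comment should say that this switches the verification backend to gpg and therefore disables expiry checking for every key used during the bootstrap, not just the SHA1 ones ("Sha1" should be "SHA1").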
@@ -236,6 +242,7 @@ do_bootstrap() {
--customize-hook='chroot "$1" /usr/bin/apt-get -y clean' \
--skip=cleanup/apt \
--skip=download/empty \
+ ${MMOPTS} \
${@get_apt_opts(d, '--aptopt')} \
${@get_distro_components_argument(d)} \
"${@get_distro_suite(d)}" \
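Review bot: `${MMOPTS}` is expanded by BitBake into the shell text and then word-split by the shell, which is what makes the single-quoted `--aptopt='...'` value work; a short comment at the `MMOPTS ?= ""` definition that the variable is inlined verbatim into the mmdebstrap command line (so callers must supply shell-quoted arguments) would save the next person from quoting it. Placing it before `get_apt_opts` means recipe-level `--aptopt` values still come later and can override what a distro injects, which seems like the right precedence and is worth stating.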
--
2.53.0

Felix Moessbauer

Mar 6, 2026, 11:03:10 AM (12 days ago) Mar 6
to isar-...@googlegroups.com, Felix Moessbauer
From February 2026 on apt versions used on trixie and later will reject
repository keys which use an SHA1 hash. While this issue needs to be
fixed upstream, a workaround is needed to bootstrap these distributions
from a > trixie host distribution (purely bootstrapping within a
distribution is not affected, as then an older apt is used).

We work around this by applying the recommended mmdebstrap option to
disable key expiry checking (which internally switches from sqv to gpg
which does process SHA1 keys).

For details, see https://wiki.debian.org/Teams/Apt/Sha1Removal.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta-isar/conf/distro/raspios-bookworm.conf | 2 ++
meta-isar/conf/distro/raspios-bullseye.conf | 2 ++
2 files changed, 4 insertions(+)

diff --git a/meta-isar/conf/distro/raspios-bookworm.conf b/meta-isar/conf/distro/raspios-bookworm.conf
index edba011f..0bed3018 100644
--- a/meta-isar/conf/distro/raspios-bookworm.conf
+++ b/meta-isar/conf/distro/raspios-bookworm.conf
@@ -14,6 +14,8 @@ HOST_DISTRO_APT_SOURCES ?= "conf/distro/${HOST_DISTRO}.list"

DISTRO_APT_SOURCES ?= "conf/distro/raspios-bookworm.list"
DISTRO_APT_SOURCES:arm64 ?= "conf/distro/raspios-bookworm-64.list"
+# workaround for https://wiki.debian.org/Teams/Apt/Sha1Removal
+DISTRO_MM_OPTS += "${MMAPTOPT_NOEXPKEYSIGN}"

DISTRO_BOOTSTRAP_KEYS = "http://raspbian.raspberrypi.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
DISTRO_BOOTSTRAP_KEYS:arm64 = ""
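Review bot: appending `MMAPTOPT_NOEXPKEYSIGN` unconditionally in the distro conf relaxes key verification for every raspios-bookworm build, including on hosts (bookworm and older) whose apt still accepts these keys. Conditioning on `HOST_DISTRO` would keep the full checks where they still work and limit the workaround to trixie-and-later hosts; if that is considered too fiddly, a comment saying the relaxation is intentional on all hosts until the upstream key is re-signed would do.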
diff --git a/meta-isar/conf/distro/raspios-bullseye.conf b/meta-isar/conf/distro/raspios-bullseye.conf
index 60782f67..1b108649 100644
--- a/meta-isar/conf/distro/raspios-bullseye.conf
+++ b/meta-isar/conf/distro/raspios-bullseye.conf
@@ -14,6 +14,8 @@ HOST_DISTRO_APT_SOURCES ?= "conf/distro/${HOST_DISTRO}.list"

DISTRO_APT_SOURCES ?= "conf/distro/raspios-bullseye.list"
DISTRO_APT_SOURCES:arm64 ?= "conf/distro/raspios-bullseye-64.list"
+# workaround for https://wiki.debian.org/Teams/Apt/Sha1Removal
+DISTRO_MM_OPTS += "${MMAPTOPT_NOEXPKEYSIGN}"

DISTRO_BOOTSTRAP_KEYS = "http://raspbian.raspberrypi.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
DISTRO_BOOTSTRAP_KEYS:arm64 = ""
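Review bot: this hunk duplicates the bookworm one line for line, and the same host-distro consideration applies. Since both raspios confs already share the `HOST_DISTRO_APT_SOURCES` and `DISTRO_BOOTSTRAP_KEYS` boilerplate, a shared raspios include would avoid having to remember to drop the workaround from two files once the upstream key is fixed.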
--
2.53.0

Anton Mikanovich

Mar 10, 2026, 6:36:24 AM (8 days ago) Mar 10
to Felix Moessbauer, isar-...@googlegroups.com
Applied to next, thanks.