Skip to content

Commit 0aa535d

Browse files
kuznetssskuznetsss
committed
Fix build
1 parent 6e61e3e commit 0aa535d

File tree

2 files changed

+23
-2
lines changed

2 files changed

+23
-2
lines changed

docker/debian/Dockerfile

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -255,8 +255,16 @@ curl --no-progress-meter https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dear
255255
printf "%s\n%s\n" \
256256
"deb [signed-by=/etc/apt/keyrings/llvm.gpg] https://apt.llvm.org/${DEBIAN_VERSION}/ llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} main" \
257257
| tee /etc/apt/sources.list.d/llvm.list
258+
# As of 2026-02-01, Debian Trixie rejects GPG keys using SHA1 signatures as insecure.
259+
# The LLVM apt repository (apt.llvm.org) GPG key still uses SHA1, causing signature
260+
# verification to fail. We configure apt to allow weak signatures and use
261+
# --allow-unauthenticated for this trusted repository until LLVM updates their signing key.
262+
printf "%s\n" \
263+
"Acquire::AllowInsecureRepositories \"true\";" \
264+
"Acquire::AllowWeakRepositories \"true\";" \
265+
| tee /etc/apt/apt.conf.d/99llvm-allow-weak
258266
apt-get update
259-
apt-get install -t llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} -y --no-install-recommends \
267+
apt-get install -t llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} -y --no-install-recommends --allow-unauthenticated \
260268
clang-${CLANG_VERSION} \
261269
libclang-rt-${CLANG_VERSION}-dev \
262270
llvm-${CLANG_VERSION}
@@ -352,3 +360,6 @@ cd ..
352360
rm -rf test
353361
EOF
354362

363+
364+
365+

docker/ubuntu/Dockerfile

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -221,8 +221,15 @@ ARG UBUNTU_VERSION
221221
# Install Clang. Some build dependencies require GCC to be also available.
222222
ARG CLANG_VERSION
223223
RUN <<EOF
224+
# As of 2026-02-01, newer distros reject GPG keys using SHA1 signatures as insecure.
225+
# Some LLVM/Clang repository GPG keys may still use SHA1. We configure apt to allow
226+
# weak signatures and use --allow-unauthenticated as a workaround for trusted repositories.
227+
printf "%s\n" \
228+
"Acquire::AllowInsecureRepositories \"true\";" \
229+
"Acquire::AllowWeakRepositories \"true\";" \
230+
| tee /etc/apt/apt.conf.d/99allow-weak
224231
apt-get update
225-
apt-get install -y --no-install-recommends \
232+
apt-get install -y --no-install-recommends --allow-unauthenticated \
226233
clang-${CLANG_VERSION} \
227234
libclang-rt-${CLANG_VERSION}-dev \
228235
llvm-${CLANG_VERSION} \
@@ -320,3 +327,6 @@ cd ..
320327
rm -rf test
321328
EOF
322329

330+
331+
332+

0 commit comments

Comments
 (0)