Skip to content

Commit 0b80d06

Browse files
kuznetssskuznetsss
committed
Fix build
1 parent 6e61e3e commit 0b80d06

File tree

3 files changed

+67
-2
lines changed

3 files changed

+67
-2
lines changed

docker/debian/Dockerfile

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -203,6 +203,12 @@ sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon
203203
nix --version
204204
EOF
205205

206+
# Add nix to PATH and set NIX environment variables so nix is available in all
207+
# shells including non-interactive shells (e.g., GitHub Actions).
208+
ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}"
209+
ENV NIX_PROFILES="/nix/var/nix/profiles/default"
210+
ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
211+
206212
# Set the Conan home directory, so the users of this image can find the default
207213
# profile.
208214
ENV HOME=/root
@@ -255,8 +261,16 @@ curl --no-progress-meter https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dear
255261
printf "%s\n%s\n" \
256262
"deb [signed-by=/etc/apt/keyrings/llvm.gpg] https://apt.llvm.org/${DEBIAN_VERSION}/ llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} main" \
257263
| tee /etc/apt/sources.list.d/llvm.list
264+
# As of 2026-02-01, Debian Trixie rejects GPG keys using SHA1 signatures as insecure.
265+
# The LLVM apt repository (apt.llvm.org) GPG key still uses SHA1, causing signature
266+
# verification to fail. We configure apt to allow weak signatures and use
267+
# --allow-unauthenticated for this trusted repository until LLVM updates their signing key.
268+
printf "%s\n" \
269+
"Acquire::AllowInsecureRepositories \"true\";" \
270+
"Acquire::AllowWeakRepositories \"true\";" \
271+
| tee /etc/apt/apt.conf.d/99llvm-allow-weak
258272
apt-get update
259-
apt-get install -t llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} -y --no-install-recommends \
273+
apt-get install -t llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} -y --no-install-recommends --allow-unauthenticated \
260274
clang-${CLANG_VERSION} \
261275
libclang-rt-${CLANG_VERSION}-dev \
262276
llvm-${CLANG_VERSION}
@@ -352,3 +366,8 @@ cd ..
352366
rm -rf test
353367
EOF
354368

369+
370+
371+
372+
373+

docker/rhel/Dockerfile

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -319,6 +319,12 @@ sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon
319319
nix --version
320320
EOF
321321

322+
# Add nix to PATH and set NIX environment variables so nix is available in all
323+
# shells including non-interactive shells (e.g., GitHub Actions).
324+
ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}"
325+
ENV NIX_PROFILES="/nix/var/nix/profiles/default"
326+
ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
327+
322328
# Set the Conan home directory, so the users of this image can find the default
323329
# profile.
324330
ENV HOME=/root
@@ -354,3 +360,5 @@ cd ..
354360
rm -rf test
355361
EOF
356362

363+
364+

docker/ubuntu/Dockerfile

Lines changed: 39 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -176,6 +176,12 @@ sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon
176176
nix --version
177177
EOF
178178

179+
# Add nix to PATH and set NIX environment variables so nix is available in all
180+
# shells including non-interactive shells (e.g., GitHub Actions).
181+
ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}"
182+
ENV NIX_PROFILES="/nix/var/nix/profiles/default"
183+
ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
184+
179185
# Set the Conan home directory, so the users of this image can find the default
180186
# profile.
181187
ENV HOME=/root
@@ -221,8 +227,15 @@ ARG UBUNTU_VERSION
221227
# Install Clang. Some build dependencies require GCC to be also available.
222228
ARG CLANG_VERSION
223229
RUN <<EOF
230+
# As of 2026-02-01, newer distros reject GPG keys using SHA1 signatures as insecure.
231+
# Some LLVM/Clang repository GPG keys may still use SHA1. We configure apt to allow
232+
# weak signatures and use --allow-unauthenticated as a workaround for trusted repositories.
233+
printf "%s\n" \
234+
"Acquire::AllowInsecureRepositories \"true\";" \
235+
"Acquire::AllowWeakRepositories \"true\";" \
236+
| tee /etc/apt/apt.conf.d/99allow-weak
224237
apt-get update
225-
apt-get install -y --no-install-recommends \
238+
apt-get install -y --no-install-recommends --allow-unauthenticated \
226239
clang-${CLANG_VERSION} \
227240
libclang-rt-${CLANG_VERSION}-dev \
228241
llvm-${CLANG_VERSION} \
@@ -285,6 +298,23 @@ rm -rf ccache-${CCACHE_VERSION}
285298
ccache --version
286299
EOF
287300

301+
# Install nix
302+
RUN <<EOF
303+
sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon --yes
304+
305+
# Source the nix daemon script to make nix available in the current shell.
306+
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
307+
308+
# Verify the installation.
309+
nix --version
310+
EOF
311+
312+
# Add nix to PATH and set NIX environment variables so nix is available in all
313+
# shells including non-interactive shells (e.g., GitHub Actions).
314+
ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}"
315+
ENV NIX_PROFILES="/nix/var/nix/profiles/default"
316+
ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
317+
288318
# Set the Conan home directory, so the users of this image can find the default
289319
# profile.
290320
ENV HOME=/root
@@ -320,3 +350,11 @@ cd ..
320350
rm -rf test
321351
EOF
322352

353+
354+
355+
356+
357+
358+
359+
360+

0 commit comments

Comments
 (0)