ci: Treat SHA1 LLVM signing key as warning #34475

1. 
   willcl-ark commented at 10:46 am on February 2, 2026: member

   The current SHA1 LLVM signing key is considered not secure since 2026-02-01T00:00:00Z which makes this run fail when downloading packages.

   See: https://github.com/llvm/llvm-project/issues/153385

   Apply the fix from the issue to temporarily to treat this error as a warning, until the upstream key can be updated.

   This PR should be reverted once the upstream key is updated.

2. DrahtBot added the label Tests on Feb 2, 2026
3. 
   DrahtBot commented at 10:46 am on February 2, 2026: contributor

   The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

   Reviews

   See the guideline for information on the review process.

   Type	Reviewers
   ACK	hebasto

   If your review is incorrectly listed, please copy-paste <!–meta-tag:bot-skip–> into the comment that the bot should ignore.

4. 
   fanquake commented at 11:03 am on February 2, 2026: member

   https://github.com/bitcoin/bitcoin/actions/runs/21587031608/job/62197757338?pr=34475#step:11:474:

   0[73](https://github.com/bitcoin/bitcoin/actions/runs/21587031608/job/62197757338?pr=34475#step:11:474)
   10.045 + mkdir -p /etc/crypto-policies/back-ends/
   20.047 + cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
   30.048 cp: cannot stat '/usr/share/apt/default-sequoia.config': No such file or directory
   

5. willcl-ark force-pushed on Feb 2, 2026
6. DrahtBot added the label CI failed on Feb 2, 2026
7. 
   hebasto commented at 11:46 am on February 2, 2026: member

   Concept ACK.
8. ci: Treat SHA1 LLVM signing key as warning

   The current SHA1 LLVM signing key is considered not secure since
   2026-02-01T00:00:00Z which makes this run fail when downloading
   packages.
   
   See: https://github.com/llvm/llvm-project/issues/153385
   
   Apply the fix from the issue to temporarily to treat this error as a
   warning, until the upstream key can be updated.
   
   This PR should be reverted once the upstream key is updated.

   3c8f5e48f7
9. in ci/test/01_base_install.sh:30 in db5e61d99d

   21@@ -22,6 +22,13 @@ if [ -n "$DPKG_ADD_ARCH" ]; then
   22 fi
   23 
   24 if [ -n "${APT_LLVM_V}" ]; then
   25+  # This should be removed when LLVM updates their upstream key
   26+  if [ -f /usr/share/apt/default-sequoia.config ]; then
   27+    mkdir -p /etc/crypto-policies/back-ends/
   28+    cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
   29+    sed -i 's/sha1.second_preimage_resistance = 2026-02-01/sha1.second_preimage_resistance = 2026-09-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
   30+    sed -i 's/^sha224 = 2026-02-01/sha224 = 2026-09-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
   

   ---

   ---

   

   hebasto commented at 11:47 am on February 2, 2026:

   What do you think of using a shorter implementation from https://github.com/bitcoin-core/secp256k1/pull/1816/changes/0ffb1749a5811bb63902f00c9fa73b49588d0557?

   ---

   

   willcl-ark commented at 11:56 am on February 2, 2026:

   Thanks, I took the simplified version in 3c8f5e48f710313de78bcbfafd09fed71890d754

   I kept the gating on the file existence so that our ubuntu jobs don’t fail again.

10. willcl-ark force-pushed on Feb 2, 2026
11. hebasto approved
12. 
    hebasto commented at 12:06 pm on February 2, 2026: member

    ACK 3c8f5e48f710313de78bcbfafd09fed71890d754, tested by running the “iwyu” CI job locally on Ubuntu 25.10 after burning all podman’s caches.
13. 
    fanquake commented at 12:32 pm on February 2, 2026: member

    This shouldn’t need to be backported.
14. fanquake merged this on Feb 2, 2026
15. fanquake closed this on Feb 2, 2026

    ---

Contributors
willcl-ark DrahtBot fanquake hebasto

Labels
Tests CI failed