ci: Fix LLVM repository signature failure #34478

pull hebasto wants to merge 1 commits into bitcoin:master from hebasto:260202-llvm-signature changing 1 files +4 −0
  1. hebasto commented at 11:39 am on February 2, 2026: member

    The LLVM apt repository uses legacy SHA1 signatures which are now rejected by the stricter Sequoia PGP policy.

    This change extends the sha1.second_preimage_resistance cutoff date to 9999-01-01 in the default Sequoia config. This effectively whitelists the legacy signature algorithm, preventing “OpenPGP signature verification failed” errors during apt-get update.

    See https://github.com/llvm/llvm-project/issues/153385.

  2. ci: Fix LLVM repository signature failure 
    The LLVM apt repository uses legacy SHA1 signatures which are now
rejected by the stricter Sequoia PGP policy.

This change extends the 'sha1.second_preimage_resistance' cutoff date to
9999-01-01 in the default Sequoia config. This effectively whitelists
the legacy signature algorithm, preventing "OpenPGP signature
verification failed" errors during `apt-get update`.

See https://github.com/llvm/llvm-project/issues/153385.
    784cb9d2cc
  3. DrahtBot added the label Tests on Feb 2, 2026
  4. DrahtBot commented at 11:39 am on February 2, 2026: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

  5. fanquake commented at 11:43 am on February 2, 2026: member
    Duplicate of #34475?
  6. hebasto closed this on Feb 2, 2026
  7. hebasto commented at 11:44 am on February 2, 2026: member

    Duplicate of #34475?

    Sorry. Missed that.

  8. in ci/test/01_base_install.sh:35 in 784cb9d2cc 
    28@@ -29,6 +29,10 @@ if [ -n "${APT_LLVM_V}" ]; then
29     # shellcheck disable=SC2034
30     source /etc/os-release
31     echo "deb http://apt.llvm.org/${VERSION_CODENAME}/ llvm-toolchain-${VERSION_CODENAME}-${APT_LLVM_V} main" > "/etc/apt/sources.list.d/llvm-toolchain-${VERSION_CODENAME}-${APT_LLVM_V}.list"
32+    # Temporarily work around Sequoia PGP policy deadline for legacy repositories.
33+    # See https://github.com/llvm/llvm-project/issues/153385.
34+    sed -i 's/\(sha1\.second_preimage_resistance =\).*/\1 9999-01-01/' /usr/share/apt/default-sequoia.config && \
35+    apt-get update && \
    maflcko commented at 11:48 am on February 2, 2026:

    I don’t like the && \ here. I think we should globally exit on non-zero exit code, but i guess this is needed in a sub-shell?

    My preference would be to use set -o errexit -o pipefail -o xtrace

  9. maflcko commented at 11:48 am on February 2, 2026: member

    Though, this one is correct?

    lgtm ACK 784cb9d2cc046602b9af26342af6f2b6991b3b7c

  10. fanquake commented at 12:08 pm on February 2, 2026: member

    I don’t think so? Running it locally is broken:

    0+ MAKEJOBS=-j16
1+ '[' -n '' ']'
2./ci/test/01_base_install.sh: line 36: syntax error near unexpected token `)'
3Error: building at STEP "RUN bash -c cd /ci_container_base/ && set -o errexit && source ./ci/test/00_setup_env.sh && ./ci/test/01_base_install.sh": while running runtime: exit status 2
4Command '['docker', 'buildx', 'build', '--file=/root/ci_scratch/ci/test_imagefile', '--build-arg=CI_IMAGE_NAME_TAG=mirror.gcr.io/ubuntu:24.04', '--build-arg=FILE_ENV=./ci/test/00_setup_env_native_fuzz.sh', '--build-arg=BASE_ROOT_DIR=/ci_container_base', '--platform=linux', '--label=bitcoin-ci-test', '--tag=ci_native_fuzz', '/root/ci_scratch']' returned non-zero exit status 2.
  11. hebasto deleted the branch on Feb 2, 2026


hebasto DrahtBot fanquake maflcko

Labels
Tests

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-02-22 18:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me