From 2a163bb9e72b94a3d47979635fe246ab7586e6c2 Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Thu, 7 May 2026 11:31:03 +0100
Subject: [PATCH] fix(linux/build): install sq-git/Sequoia stack for derivative-maker (M1.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Run #4255 reached deeper into 1100_sanity-tests, finished its apt-get phase, and then died at the supply-chain verification step:

    /workspace/.../help-steps/git_sanity_test: line 184: sq-git: command not found
    ERROR: sq-git verification failed: main repo
    INFO: If this is intentional, configure your own sq-git policy file. See 'buildconfig.d/30_signing_key.conf'.

derivative-maker uses sq-git (sequoia-git) to authenticate the commit chain against an OpenPGP policy file before building. The policy file itself ships in the upstream repo (./openpgp-policy.toml) and the trust-root defaults are correctly configured by help-steps/variables (line 232 + 290) for non-redistributable builds — i.e. the verification machinery is fully wired and just needs the binary.

Aligns with the upstream container's package list at linux/build/derivative-maker/docker/derivative-maker-docker-setup.

Changes:

- Dockerfile.builder: add sq, sqv, sqop, sequoia-git, sequoia-chameleon-gnupg, gpg-agent. All available in trixie main.
- build.sh: BUILDER_IMAGE digest re-pinned to sha256:c1490bab…5c97 (rebuilt on 10.0.0.51, sq-git binary verified present at /usr/bin/sq-git). No reproducibility implications — image rebuilds against the same pinned snapshot timestamp.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 linux/build/docker/Dockerfile.builder | 6 ++++++
 linux/build/scripts/build.sh          | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/linux/build/docker/Dockerfile.builder b/linux/build/docker/Dockerfile.builder
index f4fd129..328894b 100644
--- a/linux/build/docker/Dockerfile.builder
+++ b/linux/build/docker/Dockerfile.builder
@@ -60,11 +60,17 @@ RUN set -eux; \ fakeroot \ git \ gnupg \ + gpg-agent \ isolinux \ live-build \ mtools \ reprepro \ rsync \ + sequoia-chameleon-gnupg \ + sequoia-git \ + sq \ + sqop \ + sqv \ squashfs-tools \ sudo \ syslinux-common \ diff --git a/linux/build/scripts/build.sh b/linux/build/scripts/build.sh index 1ec4559..987efa5 100755 --- a/linux/build/scripts/build.sh +++ b/linux/build/scripts/build.sh @@ -32,7 +32,7 @@ cd "${REPO_ROOT}" # outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json # registers as an insecure-registry. The host-style "docker-registry:5000" # is *not* DNS-resolvable; do not use it. -BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:7d893178b4910de5654b503640caa40421f452294aca80e71b0814b152ef1890}" +BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:c1490bab7785e86b431cea3efaf60c4c41b566fd3de085f5f0c4a53b236e5c97}" if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2
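Review bot: the Dockerfile.builder hunk installs six packages where the failing step needs one. Only `sequoia-git` supplies the missing `/usr/bin/sq-git`; nothing in the hunk or the commit message says what in the build invokes `sq`, `sqv`, `sqop` or `sequoia-chameleon-gnupg`, and every extra package in the builder image is more code running with the build's privileges and more to re-audit each time the snapshot is bumped. Either trim the block to `sequoia-git` (plus `gpg-agent` if it is genuinely required) or add a short comment above the added lines naming the consumer of each. Two specifics that comment should settle: `sequoia-chameleon-gnupg` is added beside the existing `gnupg` entry, and a reader cannot tell from the hunk whether the chameleon is meant to replace or merely coexist with the GnuPG that derivative-maker's gpg calls will resolve to; and `gpg-agent` is added next to `gnupg`, so if gnupg's dependency chain already pulls it in the entry is redundant, and if it does not, the reason it is needed belongs in the comment.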
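Review bot: the build.sh hunk swaps one opaque digest for another, and the only thing a reviewer can verify from the diff is that the new value still satisfies the `*"@sha256:"*` guard below it; the evidence that the pinned image actually contains `sq-git` lives solely in the commit message ("verified present at /usr/bin/sq-git" on 10.0.0.51). Because the comment block above the assignment says the registry is reached as an insecure-registry, that digest is the only integrity control on everything the builder executes, so the pin should be reproducible from the repository rather than from one host's shell history: record next to the `BUILDER_IMAGE` default the Dockerfile revision and snapshot timestamp the image was built from, and consider making build.sh fail fast with a tool check on the pulled image (for example running `sq-git --version` in it before the build starts) instead of discovering a missing binary at line 184 of `git_sanity_test`.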