SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(linux/build): install sq-git/Sequoia stack for derivative-maker (M1.1)
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m21s
Details

Browse Source 
Run #4255 reached deeper into 1100_sanity-tests, finished its apt-get
phase, and then died at the supply-chain verification step:

    /workspace/.../help-steps/git_sanity_test: line 184: sq-git: command not found
    ERROR: sq-git verification failed: main repo
    INFO: If this is intentional, configure your own sq-git policy file.
          See 'buildconfig.d/30_signing_key.conf'.

derivative-maker uses sq-git (sequoia-git) to authenticate the commit
chain against an OpenPGP policy file before building. The policy file
itself ships in the upstream repo (./openpgp-policy.toml) and the
trust-root defaults are correctly configured by help-steps/variables
(line 232 + 290) for non-redistributable builds — i.e. the verification
machinery is fully wired and just needs the binary.

Aligns with the upstream container's package list at
linux/build/derivative-maker/docker/derivative-maker-docker-setup.

Changes:
- Dockerfile.builder: add sq, sqv, sqop, sequoia-git,
  sequoia-chameleon-gnupg, gpg-agent. All available in trixie main.
- build.sh: BUILDER_IMAGE digest re-pinned to sha256:c1490bab…5c97
  (rebuilt on 10.0.0.51, sq-git binary verified present at /usr/bin/sq-git).

No reproducibility implications — image rebuilds against the same
pinned snapshot timestamp.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
SysAdmin
2026-05-07 11:31:03 +01:00
parent 433eb18947
commit 2a163bb9e7
2 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
linux/build/scripts/build.sh
View File

@@ -32,7 +32,7 @@ cd "${REPO_ROOT}"
# outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
# registers as an insecure-registry. The host-style "docker-registry:5000"
# is *not* DNS-resolvable; do not use it.
BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:7d893178b4910de5654b503640caa40421f452294aca80e71b0814b152ef1890}"
BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:c1490bab7785e86b431cea3efaf60c4c41b566fd3de085f5f0c4a53b236e5c97}"
if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2