diff --git a/linux/build/docker/Dockerfile.builder b/linux/build/docker/Dockerfile.builder
index 1a64547..6bbecb8 100644
--- a/linux/build/docker/Dockerfile.builder
+++ b/linux/build/docker/Dockerfile.builder
@@ -17,10 +17,10 @@
 # check, commit all four changes together.
 
 # debian:bookworm-slim — pinned by digest.
-# TODO(M1.1): replace placeholder digest with the actual one resolved at
-# image-build time. The placeholder is intentionally invalid so a build that
-# forgets to update it fails fast rather than silently using "latest".
-FROM debian:bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
+# Resolved 2026-04-26 via `docker pull debian:bookworm-slim`.
+# Bumping this requires rebuilding + pushing the silvermetal-builder image
+# AND updating BUILDER_IMAGE in linux/build/scripts/build.sh in the same commit.
+FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
 
 # Reproducibility-friendly apt configuration.
 ENV DEBIAN_FRONTEND=noninteractive \
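Review bot: The new comment above the FROM line records when the digest was resolved but not what kind of digest it is; `docker pull` on a multi-arch tag typically reports the manifest-list (index) digest, not a per-platform manifest digest, and a later reader comparing it against `docker image inspect` output or a registry UI may see a different value and assume the pin is wrong. Suggest extending the comment with `# Multi-arch index digest; verify with: docker buildx imagetools inspect debian:bookworm-slim` and, because a digest pin freezes base-image security fixes until someone bumps it, `# Re-resolve whenever APT_SNAPSHOT_URL is bumped so base image and snapshot do not drift apart.`. The preceding context line speaks of committing "all four changes together" while the new comment names only two places (the silvermetal-builder push and BUILDER_IMAGE in build.sh); if the other two are enumerated above the hunk, a pointer to that list would keep the two comments from appearing to disagree.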
@@ -35,13 +35,21 @@ ENV DEBIAN_FRONTEND=noninteractive \
 ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
 ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"
 
+# Two-phase install:
+# 1. Use the base image's default mirror to seed ca-certificates so HTTPS
+#    to snapshot.debian.org works. (slim images don't ship CA bundles.)
+# 2. Pin sources.list to the snapshot and install the actual toolchain.
+# The first phase touches deb.debian.org without a pin; that's fine because
+# nothing it installs ends up in the final ISO — only the toolchain installed
+# in phase 2 does, and that is fully snapshot-pinned.
 RUN set -eux; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends ca-certificates; \
     rm -f /etc/apt/sources.list.d/*; \
     printf 'deb [check-valid-until=no] %s bookworm main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
     printf 'deb [check-valid-until=no] %s bookworm-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
     apt-get -o Acquire::Check-Valid-Until=false update; \
     apt-get install -y --no-install-recommends \
-        ca-certificates \
         debootstrap \
         diffoscope-minimal \
         dosfstools \
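Review bot: The justification in the new comment — phase 1 is unpinned but "nothing it installs ends up in the final ISO" — only covers the ISO; the builder image itself still receives ca-certificates (and whatever it depends on, presumably openssl) from the live deb.debian.org mirror at build time, so two builds of silvermetal-builder from this Dockerfile on different days can differ, which undercuts the digest-pinned FROM and the snapshot-pinned sources.list written just below. The comment should also say what actually protects integrity here, since HTTPS to snapshot.debian.org is not it: `# Integrity in both phases rests on apt verifying the signed Release files against the base image's debian-archive-keyring; ca-certificates only lets apt reach snapshot.debian.org over https.` If snapshot.debian.org is reachable over plain http, as apt setups commonly assume, phase 1 could be dropped by pointing the first `deb` lines at `http://` snapshot URLs, installing ca-certificates from the snapshot, and only then rewriting sources.list to https, which would leave the builder image fully pinned. Consider also `rm -rf /var/lib/apt/lists/*` between the phases so the deb.debian.org index files do not linger in the layer; whether the RUN already cleans up at its end cannot be seen, since the instruction continues past the end of the hunk.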