Merge bitcoin/bitcoin#34475: ci: Treat SHA1 LLVM signing key as warning

3c8f5e48f7 ci: Treat SHA1 LLVM signing key as warning (will) Pull request description: The current SHA1 LLVM signing key is considered not secure since 2026-02-01T00:00:00Z which makes this run fail when downloading packages. See: https://github.com/llvm/llvm-project/issues/153385 Apply the fix from the issue to temporarily to treat this error as a warning, until the upstream key can be updated. This PR should be reverted once the upstream key is updated. ACKs for top commit: hebasto: ACK 3c8f5e48f7, tested by running the "iwyu" CI job locally on Ubuntu 25.10 after burning all podman's caches. Tree-SHA512: fbccf98bfd73cb338670f1ceea994d277d746acbc88b9b90a403d9a59d82abda0f3ba34c4d484b70926340c2d0c873259f930c36ccd4f9d18bb1d22d49ee70c4
2026-02-11 01:33:21 +01:00 · 2026-02-02 12:32:27 +00:00
parent 5cb4cf9b42 3c8f5e48f7
commit 9f8764c814
1 changed files with 5 additions and 0 deletions
--- a/ci/test/01_base_install.sh
+++ b/ci/test/01_base_install.sh
@@ -22,6 +22,11 @@ if [ -n "$DPKG_ADD_ARCH" ]; then
 fi

 if [ -n "${APT_LLVM_V}" ]; then
+  # Temporarily work around Sequoia PGP policy deadline for legacy repositories.
+  # See https://github.com/llvm/llvm-project/issues/153385.
+  if [ -f /usr/share/apt/default-sequoia.config ]; then
+    sed -i 's/\(sha1\.second_preimage_resistance =\).*/\1 9999-01-01/' /usr/share/apt/default-sequoia.config
+  fi
  ${CI_RETRY_EXE} apt-get update
  ${CI_RETRY_EXE} apt-get install curl -y
  curl "https://apt.llvm.org/llvm-snapshot.gpg.key" | tee "/etc/apt/trusted.gpg.d/apt.llvm.org.asc"