From fd54e9ca918a8d7f773b4024e89a16713150ca81 Mon Sep 17 00:00:00 2001
From: Aiden McClelland
Date: Thu, 12 Mar 2026 13:37:35 -0600
Subject: [PATCH] fix: use raspberrypi-archive-keyring for sqv-compatible GPG key
The old raspberrypi.gpg.key has SHA1-only UID binding signatures, which sqv (Sequoia PGP) on Trixie rejects as of 2026-02-01. Fetch the key from the raspberrypi-archive-keyring package instead, which has re-signed bindings using SHA-256/512.
---
 build/image-recipe/build.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/build/image-recipe/build.sh b/build/image-recipe/build.sh
index bc6fa43e7..bde6fd360 100755
--- a/build/image-recipe/build.sh
+++ b/build/image-recipe/build.sh
@@ -176,7 +176,13 @@ sed -i -e '2i set timeout=5' config/bootloaders/grub-pc/config.cfg
 mkdir -p config/archives
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
- curl -fsSL https://archive.raspberrypi.com/debian/raspberrypi.gpg.key | gpg --dearmor -o config/archives/raspi.key
+ # Fetch the keyring package (not the old raspberrypi.gpg.key, which has
+ # SHA1-only binding signatures that sqv on Trixie rejects).
+ KEYRING_DEB=$(mktemp)
+ curl -fsSL -o "$KEYRING_DEB" https://archive.raspberrypi.com/debian/pool/main/r/raspberrypi-archive-keyring/raspberrypi-archive-keyring_2025.1+rpt1_all.deb
+ dpkg-deb -x "$KEYRING_DEB" "$KEYRING_DEB.d"
+ cp "$KEYRING_DEB.d/usr/share/keyrings/raspberrypi-archive-keyring.gpg" config/archives/raspi.key
+ rm -rf "$KEYRING_DEB" "$KEYRING_DEB.d"
 echo "deb [arch=${IB_TARGET_ARCH} signed-by=/etc/apt/trusted.gpg.d/raspi.key.gpg] https://archive.raspberrypi.com/debian/ ${IB_SUITE} main" > config/archives/raspi.list
 fi
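Review bot: The downloaded keyring package becomes the APT trust anchor for the image with no integrity check beyond TLS: after the `curl -fsSL -o "$KEYRING_DEB" …` line, nothing verifies the .deb before `dpkg-deb -x` extracts it and the key is copied to `config/archives/raspi.key`. Because the URL is pinned to one package version, its digest can be pinned too, for example `echo "<EXPECTED_SHA256>  $KEYRING_DEB" | sha256sum -c -` directly after the download (the hash is a placeholder; take it from a copy verified out of band). Separately, `"$KEYRING_DEB.d"` is a sibling path that `mktemp` did not create. Using `mktemp -d` and keeping both the .deb and the extraction directory inside it would avoid the derived name. The `rm -rf` also only runs when every step succeeds, so a `trap` on EXIT would be more reliable; whether the script aborts on error is not visible in this hunk.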