chore: verify signatures for apt keys

[rjaegers]

🚀 Hey, I have created a Pull Request

Description of changes

This pull request updates the development container Dockerfiles for C++ and base images to improve reliability and reproducibility of package installation, especially for the Clang and Mull toolchains. The changes focus on prefetching GPG keys, restructuring how dependencies are mounted and installed, and enhancing build script robustness.

Key improvements include:

Reliability and Security Improvements:

• GPG keys for LLVM and Mull repositories are now downloaded and added to the image in a dedicated build stage (downloader), rather than being fetched at build time with wget. This ensures reproducible builds and avoids network-related failures during subsequent build stages. [1] [2]
• The installation of APT requirements for both base and Clang toolchains now uses set -e to ensure the build stops on errors, improving robustness. [1] [2] [3]

Build Process Refactoring:

• The Clang and Mull GPG keys are copied from the downloader stage to the build context and then installed from local files, replacing the previous wget | gpg --dearmor approach. This also removes the need for live downloads during the build. [1] [2]
• The Clang toolchain and Mull repository setup is consolidated into a single multi-line RUN block, using the pre-fetched keys and improving clarity.

Dependency Management:

• The Clang-specific APT requirements file is now mounted together with the base requirements, streamlining the installation process and making the Dockerfile more maintainable.

These changes collectively make the container builds more deterministic, secure, and easier to maintain.

✔️ Checklist

• I have followed the contribution guidelines for this repository
• I have added tests for new behavior, and have not broken any existing tests
• I have added or updated relevant documentation
• I have verified that all added components are accounted for in the SBOM

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edge ➔ ghcr.io/philips-software/amp-devcontainer-base:pr-1104

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	165.43 MB	165.43 MB	+385 B (+0%)	🔼
linux/arm64	158.37 MB	158.37 MB	6 B (0%)	🔽

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	20		0	0	0.49s
✅ DOCKERFILE	hadolint	3		0	0	0.71s
✅ GHERKIN	gherkin-lint	6		0	0	2.36s
✅ JSON	npm-package-json-lint	yes		no	no	0.42s
✅ JSON	prettier	21	4	0	0	0.52s
✅ JSON	v8r	21		0	0	7.38s
✅ MARKDOWN	markdownlint	12	0	0	0	0.87s
✅ MARKDOWN	markdown-table-formatter	12	0	0	0	0.2s
✅ REPOSITORY	checkov	yes		no	no	16.82s
✅ REPOSITORY	gitleaks	yes		no	no	0.51s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	28.3s
✅ REPOSITORY	secretlint	yes		no	no	0.9s
✅ REPOSITORY	syft	yes		no	no	1.98s
✅ REPOSITORY	trivy	yes		no	no	5.46s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.22s
✅ REPOSITORY	trufflehog	yes		no	no	2.25s
⚠️ SPELL	lychee	80		3	0	23.67s
✅ YAML	prettier	28	0	0	0	0.94s
✅ YAML	v8r	28		0	0	8.22s
✅ YAML	yamllint	28		0	0	0.74s

Detailed Issues

⚠️ SPELL / lychee - 3 errors

[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[ERROR] https://docs.sigstore.dev/cosign/verifying/verify/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/verifying/verify/) Maybe a certificate error?
[ERROR] https://www.contributor-covenant.org/version/2/0/code_of_conduct.html | Network error: error sending request for url (https://www.contributor-covenant.org/version/2/0/code_of_conduct.html) Maybe a certificate error?
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....121
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........3

Errors in README.md
[ERROR] https://docs.sigstore.dev/cosign/verifying/verify/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/verifying/verify/) Maybe a certificate error?

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden

Errors in .github/CODE_OF_CONDUCT.md
[ERROR] https://www.contributor-covenant.org/version/2/0/code_of_conduct.html | Network error: error sending request for url (https://www.contributor-covenant.org/version/2/0/code_of_conduct.html) Maybe a certificate error?

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge ➔ ghcr.io/philips-software/amp-devcontainer-rust:pr-1104

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	545.84 MB	545.84 MB	+422 B (+0%)	🔼
linux/arm64	500.48 MB	500.48 MB	+57 B (+0%)	🔼

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge ➔ ghcr.io/philips-software/amp-devcontainer-cpp:pr-1104

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	681.23 MB	680.42 MB	808.27 kB (-0.12%)	🔽
linux/arm64	663.14 MB	662.34 MB	798.42 kB (-0.12%)	🔽

[github-actions]

Test Results

 7 files  ±0   7 suites  ±0   3m 56s ⏱️ - 1m 50s
33 tests ±0  33 ✅ ±0  0 💤 ±0  0 ❌ ±0 
69 runs  ±0  69 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 9b06e2b. ± Comparison against base commit 9254783.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

Pull Request Report (#1104)

Static measures

Description	Value
Number of added lines	25
Number of deleted lines	16
Number of changed files	2
Number of commits	1
Number of reviews	2
Number of comments (w/o review comments)	6
Number of reviews that contains a comment to resolve	1
Number of reviews that requested a change from the author	0
Number of reviews that approved the Pull Request	1
Get the total number of participants of a Pull Request	5

Time related measures

Description	Value
PR lead time (from creation to close of PR)	1.6 Hours
Time that was spend on the branch before the PR was created	47 Sec
Time that was spend on the branch before the PR was merged	1.6 Hours
Time to merge after last review	41.3 Min

Status check related measures

Description	Value
Total runtime for last status check run (Workflow for PR)	44.6 Min
Total time spend in last status check run on PR	19.3 Min