From 5e1f8f80bc174d95ed5c43de5c0c9b3741a1e40d Mon Sep 17 00:00:00 2001
From: Mitchell R <root@mitchellr.info>
Date: Wed, 20 May 2026 01:32:05 +0200
Subject: [PATCH] ci(pi-gen): apt qemu-user-static instead of tonistiigi
 (chroot needs static binary)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

tonistiigi/binfmt registers /usr/bin/qemu-aarch64 (dynamic). Even with F-flag
preload, qemu still dlopen's its libs at exec time — fails inside pi-gen's
chroot. Debian's qemu-user-static ships /usr/bin/qemu-aarch64-static and
post-install sets F flag automatically. Pi-gen's dependencies_check needs
the static path.
---
 .github/workflows/build.yml | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0f6d719..18bec62 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -175,17 +175,24 @@ jobs:
       # docker/setup-qemu-action wraps, called directly here so we control
       # the flags + can sanity-check after.
       - name: Register QEMU binfmt for arm64
-        # tonistiigi/binfmt --install arm64 sets the F (fix-binary) flag,
-        # so the kernel preloads qemu-aarch64-static into kernel memory at
-        # registration time. The qemu emulation then works inside pi-gen's
-        # nested container without needing /usr/bin/qemu-aarch64-static to
-        # be present in the chroot.
+        # Host-install qemu-user-static (Debian/Ubuntu package). It auto-
+        # registers binfmt_misc entries pointing at
+        # /usr/bin/qemu-aarch64-static. The Debian post-install also sets
+        # the F (fix-binary) flag so the kernel preloads the static binary
+        # bytes — meaning the chroot inside pi-gen doesn't need a copy.
+        # tonistiigi/binfmt only ships /usr/bin/qemu-aarch64 (dynamic),
+        # which fails inside a chroot at exec time when ld.so + libs are
+        # missing. Pi-gen specifically wants the -static path.
         run: |
-          docker run --rm --privileged tonistiigi/binfmt --install arm64
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            qemu-user-static binfmt-support
+          sudo update-binfmts --enable qemu-aarch64
           echo "--- binfmt_misc registrations ---"
           ls -la /proc/sys/fs/binfmt_misc/ || true
-          echo "--- qemu-aarch64 detail (look for 'flags: F') ---"
+          echo "--- qemu-aarch64 detail (interpreter should be -static) ---"
           cat /proc/sys/fs/binfmt_misc/qemu-aarch64 || true
+          file /usr/bin/qemu-aarch64-static || true
 
       - name: Build Pi image (pi-gen)
         uses: usimd/pi-gen-action@v1