@rjaegers
Member

🚀 Hey, I have created a Pull Request

Description of changes

This pull request updates the .devcontainer/cpp/Dockerfile to improve how the ARM GCC toolchain is installed for both x86_64 and aarch64 development containers. The changes streamline the download and extraction process, ensure better caching for package installs, and remove redundant installation steps.

ARM GCC toolchain integration:

  • Added steps to download the ARM GNU toolchain archives for both x86_64 and aarch64 architectures during the image build process, ensuring the correct toolchain is available for cross-compilation.
  • Updated the extraction process to unpack the ARM toolchain from the downloaded archive (excluding unnecessary components) directly during the main build stage, and moved the extracted toolchain to /opt/gcc-arm-none-eabi.
  • Removed the previous approach of downloading and extracting the ARM toolchain via a separate wget command, reducing redundancy and potential network failures during build.

Build performance improvements:

  • Introduced caching for apt package management directories to speed up repeated builds and reduce network usage.

✔️ Checklist

  • I have followed the contribution guidelines for this repository
  • I have added tests for new behavior, and have not broken any existing tests
  • I have added or updated relevant documentation
  • I have verified that all added components are accounted for in the SBOM

@rjaegers rjaegers requested a review from a team as a code owner January 28, 2026 16:48
Copilot AI review requested due to automatic review settings January 28, 2026 16:48
Contributor

Copilot AI left a comment

Pull request overview

This pull request enhances the ARM GCC toolchain installation process in the C++ devcontainer by pre-downloading the toolchain archives during the build stage and verifying their integrity with checksums. The changes eliminate the runtime wget download, improve build performance through apt caching, and ensure the correct architecture-specific toolchain is available.

Changes:

  • Added ARM GNU toolchain downloads with SHA256 checksums for both x86_64 and aarch64 architectures in the downloader stages
  • Consolidated toolchain extraction into the main RUN instruction with apt caching enabled
  • Replaced the separate wget-based ARM toolchain installation with extraction from pre-downloaded archives


set -e

tar xJf /dl/arm-gnu-toolchain.tar.xz --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1
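
Review bot: the tar xJf line has no --no-same-owner, so when this step runs as root (the default for a Dockerfile RUN unless a USER instruction precedes it, which this hunk does not show) GNU tar restores whatever uid and gid the upstream archive recorded for each file. Adding --no-same-owner makes the extracted toolchain owned by the user running the build step instead of by ids chosen by the archive's producer.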

Copilot AI Jan 28, 2026

The ARM toolchain extraction lacks an explicit destination directory (no -C flag), which means it extracts to the current working directory (/). This could create unexpected files in the root filesystem. Consider adding -C /src or another appropriate destination directory to match the later mv /src/arm-none-eabi command on line 125.

Suggested change
tar xJf /dl/arm-gnu-toolchain.tar.xz --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1
mkdir -p /src
tar xJf /dl/arm-gnu-toolchain.tar.xz -C /src --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1

Copilot uses AI. Check for mistakes.
RUN mkdir /opt/gcc-arm-none-eabi \
&& wget --no-hsts -qO - "https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-$(uname -m)-arm-none-eabi.tar.xz" | tar --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 -xJC /opt/gcc-arm-none-eabi
# Install arm-gcc toolchain
mv /src/arm-none-eabi /opt/gcc-arm-none-eabi
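
Review bot: the added mv /src/arm-none-eabi /opt/gcc-arm-none-eabi does not reproduce the directory layout of the removed wget | tar line. The removed line unpacked the archive with --strip-components=1 directly into /opt/gcc-arm-none-eabi (-xJC), so the archive's top-level entries became direct children of that directory; the added line places only a subdirectory named arm-none-eabi there. Confirm that every path that relied on the old layout still resolves, or keep the old result by extracting with -C /opt/gcc-arm-none-eabi and dropping the mv.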

Copilot AI Jan 28, 2026

This command assumes that the ARM toolchain was extracted to /src/arm-none-eabi, but the extraction on line 58 doesn't specify -C /src as the destination. The toolchain is being extracted to the working directory (/) with --strip-components=1, which would place the arm-none-eabi directory at /arm-none-eabi, not /src/arm-none-eabi. Either update line 58 to extract to /src or change this line to mv /arm-none-eabi /opt/gcc-arm-none-eabi.

Suggested change
mv /src/arm-none-eabi /opt/gcc-arm-none-eabi
mv /arm-none-eabi /opt/gcc-arm-none-eabi

Copilot uses AI. Check for mistakes.
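
The verify-then-extract flow discussed in this review, as an added example that is not the project's Dockerfile: it checks the SHA256 digest before unpacking and extracts into an explicit staging directory rather than the current directory. The helper names install_toolchain and make_sample, the temporary paths and the small gzip-compressed sample archive are constructed for illustration (the real archive is a .tar.xz).

```shell
#!/usr/bin/env bash
# Added example, not the project's Dockerfile. Names and paths are hypothetical.
set -eu

# install_toolchain ARCHIVE EXPECTED_SHA256 DEST
# Verifies the digest first, extracts into a private staging directory, then
# moves the result into place. Nothing is written to the current directory.
install_toolchain() {
  archive=$1 expected=$2 dest=$3
  # sha256sum -c wants "<digest>  <file>" and exits non-zero on a mismatch
  printf '%s  %s\n' "$expected" "$archive" | sha256sum -c - >/dev/null 2>&1 || return 1
  staging=$(mktemp -d)
  # -C pins the destination; --no-same-owner ignores uid/gid stored in the archive
  tar -xf "$archive" -C "$staging" --no-same-owner \
      --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 \
      || { rm -rf "$staging"; return 1; }
  chmod 755 "$staging"            # mktemp -d creates the directory with mode 0700
  mkdir -p "$(dirname "$dest")"
  mv "$staging" "$dest"
}

# Constructed sample archive with one top-level release directory.
make_sample() {
  root=$1/toolchain-x.y
  mkdir -p "$root/bin" "$root/share/doc"
  echo gcc > "$root/bin/arm-none-eabi-gcc"
  echo gdb > "$root/bin/arm-none-eabi-gdb"
  echo doc > "$root/share/doc/readme"
  tar -czf "$1/sample.tar.gz" -C "$1" toolchain-x.y
}

work=$(mktemp -d)
make_sample "$work"
digest=$(sha256sum "$work/sample.tar.gz" | cut -d' ' -f1)
install_toolchain "$work/sample.tar.gz" "$digest" "$work/opt/gcc-arm-none-eabi"
find "$work/opt/gcc-arm-none-eabi" -type f   # only bin/arm-none-eabi-gcc remains
```

A digest mismatch returns non-zero before tar is ever invoked, so an altered archive leaves the destination untouched.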

@github-actions
Contributor

⚠️MegaLinter analysis: Success with warnings

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
| --- | --- | --- | --- | --- | --- | --- |
| ✅ ACTION | actionlint | 20 | | 0 | 0 | 0.47s |
| ✅ DOCKERFILE | hadolint | 3 | | 0 | 0 | 0.67s |
| ✅ GHERKIN | gherkin-lint | 6 | | 0 | 0 | 2.44s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.47s |
| ✅ JSON | prettier | 21 | 4 | 0 | 0 | 0.51s |
| ✅ JSON | v8r | 21 | | 0 | 0 | 7.64s |
| ✅ MARKDOWN | markdownlint | 12 | 0 | 0 | 0 | 0.95s |
| ✅ MARKDOWN | markdown-table-formatter | 12 | 0 | 0 | 0 | 0.23s |
| ✅ REPOSITORY | checkov | yes | | no | no | 18.1s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.52s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 28.92s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.95s |
| ✅ REPOSITORY | syft | yes | | no | no | 1.94s |
| ✅ REPOSITORY | trivy | yes | | no | no | 5.65s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.23s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 2.3s |
| ⚠️ SPELL | lychee | 80 | | 3 | 0 | 21.65s |
| ✅ YAML | prettier | 28 | 0 | 0 | 0 | 0.97s |
| ✅ YAML | v8r | 28 | | 0 | 0 | 8.58s |
| ✅ YAML | yamllint | 28 | | 0 | 0 | 0.68s |

Detailed Issues

⚠️ SPELL / lychee - 3 errors
[ERROR] https://www.contributor-covenant.org/version/2/0/code_of_conduct.html | Network error: error sending request for url (https://www.contributor-covenant.org/version/2/0/code_of_conduct.html) Maybe a certificate error?
[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[ERROR] https://www.sigstore.dev/ | Network error: error sending request for url (https://www.sigstore.dev/) Maybe a certificate error?
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....121
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........3

Errors in .github/CODE_OF_CONDUCT.md
[ERROR] https://www.contributor-covenant.org/version/2/0/code_of_conduct.html | Network error: error sending request for url (https://www.contributor-covenant.org/version/2/0/code_of_conduct.html) Maybe a certificate error?

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden

Errors in README.md
[ERROR] https://www.sigstore.dev/ | Network error: error sending request for url (https://www.sigstore.dev/) Maybe a certificate error?

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security

@github-actions
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edge with ghcr.io/philips-software/amp-devcontainer-base:pr-1108

📈 Size Comparison Table

| OS/Platform | Previous | Current | Change | Trend |
| --- | --- | --- | --- | --- |
| linux/amd64 | 165.43 MB | 167.84 MB | +2.41 MB (+1.46%) | 🔼 |
| linux/arm64 | 158.37 MB | 160.6 MB | +2.23 MB (+1.41%) | 🔼 |

@github-actions
Contributor

Test Results

2 files   -  5  2 suites   - 5   0s ⏱️ - 3m 59s
1 tests  - 32  1 ✅  - 32  0 💤 ±0  0 ❌ ±0 
2 runs   - 67  2 ✅  - 67  0 💤 ±0  0 ❌ ±0 

Results for commit 8ba1f2c. ± Comparison against base commit 30b6a59.
