diff --git a/Dockerfile.build b/Dockerfile.build
index d22307f..d3c3c9b 100644
--- a/Dockerfile.build
+++ b/Dockerfile.build
@@ -1,12 +1,11 @@
 # explicitly use Debian for maximum cross-architecture compatibility
-FROM debian:bookworm-slim
+FROM debian:trixie-slim
 
 RUN set -eux; \
-	apt-get update; \
 	dpkgArch="$(dpkg --print-architecture)"; \
-	apt-get install -y --no-install-recommends \
+	apt-get install --update -y --no-install-recommends \
 		ca-certificates \
-		gnupg \
+		sq \
 		wget \
 		\
 		gcc \
@@ -37,20 +36,35 @@ RUN set -eux; \
 		\
 		arch-test \
 		file \
+		patch \
 	; \
-	rm -rf /var/lib/apt/lists/*
+	apt-get dist-clean
 
 # https://musl.libc.org/releases.html
 ENV MUSL_VERSION 1.2.5
 RUN set -eux; \
-	wget -O musl.tgz.asc "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc"; \
-	wget -O musl.tgz "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz"; \
-	\
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '836489290BB6B70F99FFDA0556BCDB593020450F'; \
-	gpg --batch --verify musl.tgz.asc musl.tgz; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" musl.tgz.asc; \
+# > Since 1.1.7, releases are signed with the project GPG key. Its fingerprint is 8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F.
+	muslKey='8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F'; \
+#
+# Error: No binding signature at time 2025-08-12T23:23:25Z
+# because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
+# because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
+#
+# and then:
+#
+# Error: Policy rejected non-revocation signature (Binary) requiring collision resistance
+# because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
+# 0 authenticated signatures, 1 bad signature.
+#
+	sq='sq --policy-as-of 2013-01-01T00:00:00Z'; \
+	$sq network search "$muslKey"; \
+	$sq pki link add --cert "$muslKey" --userid 'musl libc <musl@libc.org>'; \
+	$sq download \
+		--output 'musl.tgz' \
+		--url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz" \
+		--signature-url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc" \
+		--signer "$muslKey" \
+	; \
 	\
 	mkdir /usr/local/src/musl; \
 	tar --extract --file musl.tgz --directory /usr/local/src/musl --strip-components 1; \
@@ -59,6 +73,9 @@ RUN set -eux; \
 WORKDIR /usr/src/hello
 COPY . .
 
+# https://bugs.debian.org/1050429: error: unrecognized command-line option '-EL' (on mips64le specifically/only)
+RUN patch --input="$PWD/musl-gcc-mips64le.patch" /usr/local/src/musl/tools/musl-gcc.specs.sh
+
 # the following steps are grouped into "architecture families" and roughly ordered in a descending compatibility way such that we end up with the most accurate ".host-arch" symlink we can reasonably get
 
 RUN set -ex; \
diff --git a/Makefile b/Makefile
index 3f1bd74..206022c 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,8 @@ $(MUSL_GCC):
 	mkdir -p '$(MUSL_DIR)'
 	cd '$(MUSL_DIR)' && '$(MUSL_SRC)/configure' --disable-shared --prefix='$(MUSL_PREFIX)' > /dev/null
 	$(MAKE) -C '$(MUSL_DIR)' -j '$(shell nproc)' install > /dev/null
+.PHONY: musl
+musl: $(MUSL_GCC)
 
 $(C_TARGETS): hello.c $(MUSL_GCC)
 	$(MUSL_GCC) $(CFLAGS) -Wl,--gc-sections -static \
diff --git a/amd64/hello-world/hello b/amd64/hello-world/hello
index 3ffc66f..8cf6df2 100755
Binary files a/amd64/hello-world/hello and b/amd64/hello-world/hello differ
diff --git a/arm32v5/hello-world/hello b/arm32v5/hello-world/hello
index c9e599e..e9cfc4f 100755
Binary files a/arm32v5/hello-world/hello and b/arm32v5/hello-world/hello differ
diff --git a/arm32v6/hello-world/hello b/arm32v6/hello-world/hello
index a0336df..a498f45 100755
Binary files a/arm32v6/hello-world/hello and b/arm32v6/hello-world/hello differ
diff --git a/arm32v7/hello-world/hello b/arm32v7/hello-world/hello
index dcf0633..b5cf738 100755
Binary files a/arm32v7/hello-world/hello and b/arm32v7/hello-world/hello differ
diff --git a/arm64v8/hello-world/hello b/arm64v8/hello-world/hello
index 7d07099..3a12772 100755
Binary files a/arm64v8/hello-world/hello and b/arm64v8/hello-world/hello differ
diff --git a/i386/hello-world/hello b/i386/hello-world/hello
index d51e54c..e6f30d4 100755
Binary files a/i386/hello-world/hello and b/i386/hello-world/hello differ
diff --git a/mips64le/hello-world/hello b/mips64le/hello-world/hello
index fff7035..2d46227 100755
Binary files a/mips64le/hello-world/hello and b/mips64le/hello-world/hello differ
diff --git a/musl-gcc-mips64le.patch b/musl-gcc-mips64le.patch
new file mode 100644
index 0000000..ef09070
--- /dev/null
+++ b/musl-gcc-mips64le.patch
@@ -0,0 +1,19 @@
+Origin: https://bugs.debian.org/1050429#64
+
+--- tools/musl-gcc.specs.sh	2024-03-01 02:07:33.000000000 +0000
++++ tools/musl-gcc.specs.sh.new	2025-06-17 21:19:01.669504848 +0000
+@@ -3,12 +3,13 @@
+ ldso=$3
+ cat <<EOF
+ %rename cpp_options old_cpp_options
++%rename cc1 old_cc1
+ 
+ *cpp_options:
+ -nostdinc -isystem $incdir -isystem include%s %(old_cpp_options)
+ 
+ *cc1:
+-%(cc1_cpu) -nostdinc -isystem $incdir -isystem include%s
++-nostdinc -isystem $incdir -isystem include%s %(old_cc1)
+ 
+ *link_libgcc:
+ -L$libdir -L .%s
diff --git a/ppc64le/hello-world/hello b/ppc64le/hello-world/hello
index 22c63e0..b89838b 100755
Binary files a/ppc64le/hello-world/hello and b/ppc64le/hello-world/hello differ
diff --git a/riscv64/hello-world/hello b/riscv64/hello-world/hello
index af967ef..b6a3318 100755
Binary files a/riscv64/hello-world/hello and b/riscv64/hello-world/hello differ
diff --git a/s390x/hello-world/hello b/s390x/hello-world/hello
index 986d234..986f557 100755
Binary files a/s390x/hello-world/hello and b/s390x/hello-world/hello differ