Add Azure Linux 4.0 .NET 11 image graph

[richlander]

Summary

• Port the full Azure Linux net11.0 image graph from 3.0 to 4.0
• Add build, crossdeps, crossdeps-builder, crossdeps-llvm, cross, Android, WebAssembly, FPM, and opt images
• Register Azure Linux 4.0 net11.0 tags in the manifest

Notable changes

• Use the Azure Linux 4.0 beta base image
• Replace AzL 3.0 package names with AzL 4.0 equivalents (dnf, gawk, wget2-wget, zlib-ng-compat-devel, docker-cli)
• Install PowerShell as a pinned .NET global tool (POWERSHELL_VERSION=7.6.1)
• Use packaged libbsd-devel/libmd for FreeBSD cross images
• Patch the local arcade rootfs script to use gpgv for explicit keyring verification on GnuPG 2.4/keyboxd

Fixes #1646

Validation

• pwsh ./run-tests.ps1
• Built/smoked: build, crossdeps, crossdeps-builder, crossdeps-llvm, fpm, opt, cross-amd64, cross-x86, cross-loongarch64, cross-freebsd-14-amd64, android, cross-android, android-docker, cross-android-openssl, and webassembly images locally

[richlander]

@sbomer -- PTAL

[richlander]

We'll need to decide on rollout.

Plan:

• Merge this PR
• Create test PR on runtime targeting main
• Replace the Azure 3.0 variant of 11.0 images on runtime and delete source Dockerfiles in this repo.

[richlander]

FYI @jkotas

[akoeplinger]

I did a quick diff over AZL3 by overwriting the files for easier review: akoeplinger@aff5127

[akoeplinger]

we might want to install wget1-wget if we run into problems with the new wget fork

[am11]

If we don't have confidence on wget2 package, we can always remove / not install it and let curl take care of download. All our scripts support curl.

[akoeplinger]

this is something we should handle in the arcade scripts, not via sed replacement here

actually it seems to not be needed, we install gnupg2 which provides a working gpg --verify ?

[jkotas]

Why does this need to depend on AZL3 .NET 10 image?

[richlander]

That's a temporary workaround. The base issue is that PowerShell isn't yet available in the feed. The PowerShell tool is framework-dependent so we need a runtime to run it. The --copy trick was my idea for one-line runtime deployment.

[richlander]

I'll switch it to pull powershell and the runtime from the same SDK image. That will make cleanup later easier.

[richlander]

Thanks for the feedback. Updates:

• Removed moby-engine from the Android Docker image in 66a61cd3. Since docker-cli pulls moby-engine as a weak dependency on AZL 4.0, the image now installs docker-cli/docker-buildx with --setopt=install_weak_deps=False so it keeps Docker client/buildx tooling without the daemon package.
• Removed the separate mcr.microsoft.com/dotnet/runtime:10.0-azurelinux3.0 stage in 8b847468. The build and crossdeps images now copy the runtime-shaped /usr/share/dotnet files from the SDK stage that is already used to install the PowerShell tool.
• Leaving wget2-wget for now. I don't see wget1-wget in the current AZL 4.0 beta repo; we can switch later if that package appears or if we hit a wget2-specific issue.
• Agree the install-debs.py verification workaround belongs in Arcade. Keeping it here for now because AZL 4.0's GnuPG/keyboxd behavior causes gpg --keyring ... --verify ... to ignore the supplied keyring, while gpgv --keyring ... works for this detached-signature verification path.