diff --git a/iso/builder/config/hooks/normal/9001-amd-rocm.hook.chroot b/iso/builder/config/hooks/normal/9001-amd-rocm.hook.chroot
index c5f0ecd..9e4d795 100755
--- a/iso/builder/config/hooks/normal/9001-amd-rocm.hook.chroot
+++ b/iso/builder/config/hooks/normal/9001-amd-rocm.hook.chroot
@@ -8,14 +8,45 @@ set -e
 ROCM_VERSION="6.4"
 ROCM_KEYRING="/etc/apt/keyrings/rocm.gpg"
 ROCM_LIST="/etc/apt/sources.list.d/rocm.list"
+APT_UPDATED=0
 
 echo "=== AMD ROCm ${ROCM_VERSION}: adding repository ==="
 
 mkdir -p /etc/apt/keyrings
 
+ensure_tool() {
+    tool="$1"
+    pkg="$2"
+    if command -v "${tool}" >/dev/null 2>&1; then
+        return 0
+    fi
+    if [ "${APT_UPDATED}" -eq 0 ]; then
+        apt-get update -qq
+        APT_UPDATED=1
+    fi
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "${pkg}"
+}
+
+ensure_cert_bundle() {
+    if [ -s /etc/ssl/certs/ca-certificates.crt ]; then
+        return 0
+    fi
+    if [ "${APT_UPDATED}" -eq 0 ]; then
+        apt-get update -qq
+        APT_UPDATED=1
+    fi
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates
+}
+
+# live-build chroot may not include fetch/signing tools yet
+if ! ensure_cert_bundle || ! ensure_tool wget wget || ! ensure_tool gpg gpg; then
+    echo "WARN: failed to install wget/gpg/ca-certificates prerequisites — skipping ROCm install"
+    exit 0
+fi
+
 # Download and import AMD GPG key
 if ! wget -qO- "https://repo.radeon.com/rocm/rocm.gpg.key" \
-        | gpg --dearmor > "${ROCM_KEYRING}"; then
+        | gpg --dearmor --yes --output "${ROCM_KEYRING}"; then
     echo "WARN: failed to fetch AMD ROCm GPG key — skipping ROCm install"
     exit 0
 fi