Diffstat (limited to 'taskcluster/docker/debian-raw')
-rw-r--r--taskcluster/docker/debian-raw/Dockerfile62
-rwxr-xr-xtaskcluster/docker/debian-raw/gpgvnoexpkeysig52
-rwxr-xr-xtaskcluster/docker/debian-raw/taskcluster-hack.sh7
3 files changed, 121 insertions, 0 deletions
diff --git a/taskcluster/docker/debian-raw/Dockerfile b/taskcluster/docker/debian-raw/Dockerfile
new file mode 100644
index 0000000000..33b28d11a2
--- /dev/null
+++ b/taskcluster/docker/debian-raw/Dockerfile
@@ -0,0 +1,62 @@
+ARG BASE_IMAGE
+FROM $BASE_IMAGE
+MAINTAINER Mike Hommey <mhommey@mozilla.com>
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Set a default command useful for debugging
+CMD ["/bin/bash", "--login"]
+
+# %include taskcluster/docker/recipes/setup_packages.sh
+COPY topsrcdir/taskcluster/docker/recipes/setup_packages.sh /usr/local/sbin/
+
+COPY taskcluster-hack.sh /usr/local/sbin
+COPY gpgvnoexpkeysig /usr/local/sbin
+
+ARG DIST
+ARG SNAPSHOT
+ARG TASKCLUSTER_ROOT_URL
+# Set apt sources list to a snapshot.
+# Note: the use of gpgvnoexpkeysig is because the Debian Jessie GPG key expired.
+RUN if [ -n "$DIST" ]; then for s in debian_$DIST debian_$DIST-updates debian_$DIST-backports debian-security_$DIST-security debian-debug_$DIST-debug debian-debug_$DIST-proposed-updates-debug debian-debug_$DIST-backports-debug; do \
+ case "$s" in \
+ debian-debug_jessie*|debian_jessie-updates) \
+ : No debian-debug/updates archive for Jessie; \
+ ;; \
+ debian-security_jessie-security) \
+ echo "deb http://archive.debian.org/debian-security/ jessie/updates main"; \
+ ;; \
+ debian*_jessie*) \
+ echo "deb http://archive.debian.org/${s%_*}/ ${s#*_} main"; \
+ ;; \
+ debian-security_buster-security) \
+ d=${s#*_}; \
+ echo "deb http://snapshot.debian.org/archive/${s%_*}/$SNAPSHOT/ ${d%-security}/updates main"; \
+ ;; \
+ *) \
+ echo "deb http://snapshot.debian.org/archive/${s%_*}/$SNAPSHOT/ ${s#*_} main"; \
+ ;; \
+ esac; \
+ done > /etc/apt/sources.list ; fi && \
+ ( echo 'quiet "true";'; \
+ echo 'APT::Get::Assume-Yes "true";'; \
+ echo 'APT::Install-Recommends "false";'; \
+ echo 'Acquire::Check-Valid-Until "false";'; \
+ echo 'Acquire::Retries "5";'; \
+ if dpkg --compare-versions $(apt --version | awk '{print $2}') ge 2.1.15; then \
+ echo 'dir::bin::methods::https "/usr/local/sbin/taskcluster-hack.sh";'; \
+ fi; \
+ if [ "$DIST" = "jessie" ]; then \
+ echo 'Dir::Bin::gpg "/usr/local/sbin/gpgvnoexpkeysig";'; \
+ fi; \
+ ) > /etc/apt/apt.conf.d/99taskcluster && \
+ ( echo 'Package: *'; \
+ echo 'Pin: origin "'$TASKCLUSTER_ROOT_URL'"' | sed 's,https://,,'; \
+ echo 'Pin-Priority: 1001'; \
+ ) > /etc/apt/preferences.d/99taskcluster
+
+RUN apt-get update && \
+ apt-get dist-upgrade && \
+ apt-get install \
+ apt-transport-https \
+ ca-certificates
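Review bot: The last subshell of the first `RUN` writes `/etc/apt/preferences.d/99taskcluster` even when `TASKCLUSTER_ROOT_URL` is empty, and it expands the variable unquoted. An empty value produces `Pin: origin ""`, which apt_preferences treats as the local site, and a priority of 1001 lets any matching version be installed even when that is a downgrade. I would wrap the three `echo` lines in `if [ -n "$TASKCLUSTER_ROOT_URL" ]; then … fi` and quote the expansion: `echo "Pin: origin \"$TASKCLUSTER_ROOT_URL\"" | sed 's,https://,,'`. A short comment saying why the priority must exceed 1000 would also help, since this pin gives one origin precedence over every Debian source for `Package: *`.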
diff --git a/taskcluster/docker/debian-raw/gpgvnoexpkeysig b/taskcluster/docker/debian-raw/gpgvnoexpkeysig
new file mode 100755
index 0000000000..fbbfd7a658
--- /dev/null
+++ b/taskcluster/docker/debian-raw/gpgvnoexpkeysig
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Downloaded from https://gitlab.mister-muffin.de/josch/mmdebstrap/raw/branch/main/gpgvnoexpkeysig
+#
+# This script is in the public domain
+#
+# Author: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
+#
+# This is a wrapper around gpgv as invoked by apt. It turns EXPKEYSIG results
+# from gpgv into GOODSIG results. This is necessary for apt to access very old
+# timestamps from snapshot.debian.org for which the GPG key is already expired:
+#
+# Get:1 http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease [242 kB]
+# Err:1 http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease
+# The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
+# Reading package lists...
+# W: GPG error: http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease: The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
+# E: The repository 'http://snapshot.debian.org/archive/debian/20150106T000000Z unstable InRelease' is not signed.
+#
+# To use this script, call apt with
+#
+# -o Apt::Key::gpgvcommand=/usr/libexec/mmdebstrap/gpgvnoexpkeysig
+#
+# Scripts doing similar things can be found here:
+#
+# * debuerreotype as /usr/share/debuerreotype/scripts/.gpgv-ignore-expiration.sh
+# * derivative census: salsa.d.o/deriv-team/census/-/blob/master/bin/fakegpgv
+
+set -eu
+
+find_gpgv_status_fd() {
+ while [ "$#" -gt 0 ]; do
+ if [ "$1" = '--status-fd' ]; then
+ echo "$2"
+ return 0
+ fi
+ shift
+ done
+ # default fd is stdout
+ echo 1
+}
+GPGSTATUSFD="$(find_gpgv_status_fd "$@")"
+
+case $GPGSTATUSFD in
+ ''|*[!0-9]*)
+ echo "invalid --status-fd argument" >&2
+ exit 1
+ ;;
+esac
+
+# we need eval because we cannot redirect a variable fd
+eval 'exec gpgv "$@" '"$GPGSTATUSFD"'>&1 | sed "s/^\[GNUPG:\] EXPKEYSIG /[GNUPG:] GOODSIG /" >&'"$GPGSTATUSFD"
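Review bot: The header of this vendored copy records only a `raw/branch/main` URL, so the upstream revision that was reviewed cannot be identified later; I would add `# Upstream revision: <upstream-commit-id>` under the download line. The `sed` on the last line rewrites `EXPKEYSIG` to `GOODSIG` for any key id, so every expired key in the keyring is accepted wherever the wrapper is configured. The Dockerfile in this commit enables it only for `DIST` = `jessie`, and the comment there should say that this scoping is a security boundary rather than a convenience. The final pipeline also returns `sed`'s exit status rather than `gpgv`'s, so the verdict is carried by the status lines alone; presumably apt's gpgv method relies on those, but that is worth confirming.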
diff --git a/taskcluster/docker/debian-raw/taskcluster-hack.sh b/taskcluster/docker/debian-raw/taskcluster-hack.sh
new file mode 100755
index 0000000000..eecac021ec
--- /dev/null
+++ b/taskcluster/docker/debian-raw/taskcluster-hack.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# APT version 2.1.15 and newer changed how they handle quoting in redirections
+# in a way that breaks the setup for APT repos in taskcluster artifacts
+# (unfortunately, there's also no setup on the taskcluster end that would work
+# with both old and newer versions of APT, short of removing redirections
+# entirely).
+/usr/lib/apt/methods/https | sed -u '/^New-URI:/s/+/%2b/g'
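Review bot: The header comment explains why the wrapper exists but not what it changes: the single command percent-encodes every `+` as `%2b` in the `New-URI:` lines emitted by the real https method. Because the Dockerfile in this commit installs it as `dir::bin::methods::https`, the rewrite applies to redirects from every https source, not only Taskcluster artifacts. I would add a comment such as `# Percent-encode '+' in redirect targets (New-URI) reported by the real https method; applies to all https sources.` The pipeline's exit status is `sed`'s, so a non-zero exit from `/usr/lib/apt/methods/https` is not propagated.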