
Remove MD5 sums for Debian repositories

Mathieu Parent requested to merge sathieu/gitlab:debian_no_md5 into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Enable Debian repository in FIPS mode (#366937 (closed)).

Screenshots or screen recordings

Vars:

api_token=*REDACTED*
project_id=21
codename=unstable

Create distribution

$ curl --request POST --header "PRIVATE-TOKEN: $api_token" "http://localhost:3000/api/v4/projects/$project_id/debian_distributions?codename=unstable"
{"id":3,"codename":"unstable","suite":null,"origin":null,"label":null,"version":null,"description":null,"valid_time_duration_seconds":null,"components":["main"],"architectures":["all","amd64"]}

Upload with dput (see here):

$ cat <<EOF > dput.cf
[gitlab]
method = http
fqdn = root:$api_token@localhost:3000
incoming = /api/v4/projects/$project_id/packages/debian
EOF
$ dput --config=dput.cf --unchecked --no-upload-log gitlab spec/fixtures/packages/debian/sample_1.2.3~alpha2_amd64.changes

Test with an old APT (jessie is EOL and was released in 2015):

$ docker run -ti --network=host debian:jessie
root@porthieu:/# apt update
[snip]
W: GPG error: http://deb.debian.org jessie-updates InRelease: The following signatures were invalid: KEYEXPIRED 1668891673
W: GPG error: http://deb.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673
root@porthieu:/# apt install  curl
[snip]
Do you want to continue? [Y/n]
WARNING: The following packages cannot be authenticated!
  libkeyutils1
Install these packages without verification? [y/N] y
[snip]
root@porthieu:/# project_id=21
root@porthieu:/# codename=unstable
root@porthieu:/#
root@porthieu:/# mkdir -p /usr/local/share/keyrings
root@porthieu:/# curl --header "PRIVATE-TOKEN: $api_token"        "http://localhost:3000/api/v4/projects/$project_id/debian_distributions/$codename/key.asc" | gpg --dearmor > /usr/local/share/keyrings/$codename-archive-keyring.gpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1729  100  1729    0     0  26847      0 --:--:-- --:--:-- --:--:-- 27015
root@porthieu:/# echo "deb [ signed-by=/usr/local/share/keyrings/$codename-archive-keyring.gpg ] http://localhost:3000/api/v4/projects/$project_id/packages/debian $codename main" \
>    | sudo tee /etc/apt/sources.list.d/gitlab_project.list
bash: sudo: command not found
root@porthieu:/# echo "deb [ signed-by=/usr/local/share/keyrings/$codename-archive-keyring.gpg ] http://localhost:3000/api/v4/projects/$project_id/packages/debian $codename main"    |  tee /etc/apt/sources.list.d/gitlab_project.list
deb [ signed-by=/usr/local/share/keyrings/unstable-archive-keyring.gpg ] http://localhost:3000/api/v4/projects/21/packages/debian unstable main
root@porthieu:/# apt update
Hit http://security.debian.org jessie/updates InRelease
Ign http://deb.debian.org jessie InRelease
Get:1 http://deb.debian.org jessie-updates InRelease [16.3 kB]
Get:2 http://localhost:3000 unstable InRelease [1543 B]
Get:3 http://deb.debian.org jessie Release.gpg [1652 B]
Hit http://deb.debian.org jessie Release
Get:4 http://security.debian.org jessie/updates/main amd64 Packages [992 kB]
Ign http://deb.debian.org jessie-updates InRelease
Get:5 http://deb.debian.org jessie-updates/main amd64 Packages [20 B]
Ign http://localhost:3000 unstable InRelease
Ign http://deb.debian.org jessie Release
Get:6 http://deb.debian.org jessie/main amd64 Packages [9098 kB]
Get:7 http://localhost:3000 unstable/main amd64 Packages [1015 B]
Fetched 10.1 MB in 6s (1468 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: GPG error: http://deb.debian.org jessie-updates InRelease: The following signatures were invalid: KEYEXPIRED 1668891673
W: GPG error: http://localhost:3000 unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB29D269FF59F3A8
W: GPG error: http://deb.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673
root@porthieu:/# cat /usr/local/share/
ca-certificates/ keyrings/        man/
root@porthieu:/# cat /usr/local/share/keyrings/unstable-archive-keyring.gpg  | apt-key add -
OK
root@porthieu:/# apt update
Hit http://security.debian.org jessie/updates InRelease
Ign http://deb.debian.org jessie InRelease
Get:1 http://deb.debian.org jessie-updates InRelease [16.3 kB]
Get:2 http://localhost:3000 unstable InRelease [1543 B]
Get:3 http://deb.debian.org jessie Release.gpg [1652 B]
Hit http://deb.debian.org jessie Release
Get:4 http://security.debian.org jessie/updates/main amd64 Packages [992 kB]
Ign http://deb.debian.org jessie-updates InRelease
Get:5 http://deb.debian.org jessie-updates/main amd64 Packages [20 B]
Ign http://deb.debian.org jessie Release
Get:6 http://deb.debian.org jessie/main amd64 Packages [9098 kB]
Get:7 http://localhost:3000 unstable/main amd64 Packages [1015 B]
Fetched 10.1 MB in 6s (1464 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: GPG error: http://deb.debian.org jessie-updates InRelease: The following signatures were invalid: KEYEXPIRED 1668891673
W: GPG error: http://deb.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673
root@porthieu:/# apt install libsample0
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libsample0
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1124 B of archives.
After this operation, 7168 B of additional disk space will be used.
Get:1 http://localhost:3000/api/v4/projects/21/packages/debian/ unstable/main libsample0 amd64 1.2.3~alpha2 [1124 B]
Fetched 1124 B in 0s (12.1 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libsample0:amd64.
(Reading database ... 8066 files and directories currently installed.)
Preparing to unpack .../libsample0_1.2.3~alpha2_amd64.deb ...
Unpacking libsample0:amd64 (1.2.3~alpha2) ...
Setting up libsample0:amd64 (1.2.3~alpha2) ...

Debmirror (recent version):

# docker run -ti --network=host debian:bullseye

# apt update
# apt install debmirror
# debmirror  --host localhost:3000 --root /api/v4/projects/21/packages/debian --method http --dist unstable --no-check-gpg /mnt/mirror
[... it works ...]
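
A check related to this change, added here as an example (not code from this merge request or from GitLab): it parses the body of a Debian `Release`/`InRelease` file, reports `MD5Sum` or `SHA1` sections, and verifies a downloaded index against its `SHA256` entry. The function names and the sample Release text are constructed for illustration.

```python
import hashlib

WEAK = {"MD5Sum", "SHA1"}                 # legacy digests; MD5 is not FIPS-approved
HASH_FIELDS = WEAK | {"SHA256", "SHA512"}

def parse_release_hashes(text):
    """Map each checksum field of a Release/InRelease body to {path: (hex, size)}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break                          # signature block follows the signed body
        if line[:1] in (" ", "\t"):        # continuation line of the current field
            if current:
                digest, size, path = line.split(None, 2)
                sections[current][path] = (digest.lower(), int(size))
            continue
        name = line.split(":", 1)[0]
        current = name if name in HASH_FIELDS else None
        if current:
            sections.setdefault(current, {})
    return sections

def audit_release(text, fetched=None):
    """Return findings; `fetched` maps index paths to the bytes downloaded for them.
    Signature verification is out of scope here and is left to apt/gpg."""
    sections = parse_release_hashes(text)
    findings = [f"weak checksum field present: {f}" for f in sorted(WEAK & sections.keys())]
    sha256 = sections.get("SHA256")
    if not sha256:
        findings.append("no SHA256 entries")
    for path, data in (fetched or {}).items():
        expected = (hashlib.sha256(data).hexdigest(), len(data))
        if (sha256 or {}).get(path) != expected:
            findings.append(f"{path}: missing or mismatched SHA256 entry")
    return findings

# Constructed sample data, not taken from a real repository.
PACKAGES = b"Package: libsample0\nVersion: 1.2.3~alpha2\nArchitecture: amd64\n"
PATH = "main/binary-amd64/Packages"
SHA256_BLOCK = f"SHA256:\n {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PATH}\n"
HEADER = "Codename: unstable\nComponents: main\nArchitectures: all amd64\n"
LEGACY_RELEASE = HEADER + f"MD5Sum:\n {'0' * 32} {len(PACKAGES)} {PATH}\n" + SHA256_BLOCK
FIPS_RELEASE = HEADER + SHA256_BLOCK

if __name__ == "__main__":
    for label, body in (("legacy", LEGACY_RELEASE), ("fips", FIPS_RELEASE)):
        print(label, audit_release(body, {PATH: PACKAGES}) or "ok")
```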
