buildserver: always use HTTPS for apt connections in Docker image

This configuration has been in use in .gitlab-ci.yml scripts for a while now and has proven reliable. This is a "low hanging fruit" improvement. It provides an extra layer of protection for when their are apt vulns. And it makes it much harder to profile what a server/laptop is doing based on the internet traffic. The network observer will no longer be able to see which packages are being downloaded since apt uses HTTP pipelining so size attacks are not really possible. And HTTPS hides the URLs, filenames, download contents, etc.
2025-09-13 14:32:28 +03:00 · 2025-02-13 14:58:16 +01:00 · 2025-02-13 14:58:16 +01:00 · 7988c54d00
commit 7988c54d00
parent 05c4bf2483
2 changed files with 20 additions and 1 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -98,6 +98,14 @@ metadata_v0:
    # Ubuntu and other distros often lack https:// support
    - grep Debian /etc/issue.net
        && { find /etc/apt/sources.list* -type f | xargs sed -i s,http:,https:, ; }
+    # The official Debian docker images ship without ca-certificates,
+    # TLS certificates cannot be verified until that is installed. The
+    # following code turns off TLS verification, and enables HTTPS, so
+    # at least unverified TLS is used for apt-get instead of plain
+    # HTTP.  Once ca-certificates is installed, the CA verification is
+    # enabled by removing this config.  This set up makes the initial
+    # `apt-get update` and `apt-get install` look the same as verified
+    # TLS to the network observer and hides the metadata.
    - echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99nocacertificates
    - apt-get update
    - apt-get install ca-certificates