From 7988c54d0016c2f8eaedf27345e1c7b0be0df735 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Thu, 13 Feb 2025 14:58:16 +0100 Subject: [PATCH] buildserver: always use HTTPS for apt connections in Docker image This configuration has been in use in .gitlab-ci.yml scripts for a while now and has proven reliable. This is a "low hanging fruit" improvement. It provides an extra layer of protection for when their are apt vulns. And it makes it much harder to profile what a server/laptop is doing based on the internet traffic. The network observer will no longer be able to see which packages are being downloaded since apt uses HTTP pipelining so size attacks are not really possible. And HTTPS hides the URLs, filenames, download contents, etc. --- .gitlab-ci.yml | 8 ++++++++ buildserver/Dockerfile | 13 ++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8276f062..295752e8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -98,6 +98,14 @@ metadata_v0: # Ubuntu and other distros often lack https:// support - grep Debian /etc/issue.net && { find /etc/apt/sources.list* -type f | xargs sed -i s,http:,https:, ; } + # The official Debian docker images ship without ca-certificates, + # TLS certificates cannot be verified until that is installed. The + # following code turns off TLS verification, and enables HTTPS, so + # at least unverified TLS is used for apt-get instead of plain + # HTTP. Once ca-certificates is installed, the CA verification is + # enabled by removing this config. This set up makes the initial + # `apt-get update` and `apt-get install` look the same as verified + # TLS to the network observer and hides the metadata. - echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99nocacertificates - apt-get update - apt-get install ca-certificates diff --git a/buildserver/Dockerfile b/buildserver/Dockerfile index 3e863df5..27ada3f8 100644 --- a/buildserver/Dockerfile +++ b/buildserver/Dockerfile @@ -37,11 +37,22 @@ RUN useradd --create-home -s /bin/bash vagrant && echo -n 'vagrant:vagrant' | ch # # Ensure fdroidserver's dependencies are marked manual before purging # unneeded packages, otherwise, all its dependencies get purged. +# +# The official Debian docker images ship without ca-certificates, so +# TLS certificates cannot be verified until that is installed. The +# following code temporarily turns off TLS verification, and enables +# HTTPS, so at least unverified TLS is used for apt-get instead of +# plain HTTP. Once ca-certificates is installed, the CA verification +# is enabled by removing the newly created config file. This set up +# makes the initial `apt-get update` and `apt-get install` look the +# same as verified TLS to the network observer and hides the metadata. RUN printf "path-exclude=/usr/share/locale/*\npath-exclude=/usr/share/man/*\npath-exclude=/usr/share/doc/*\npath-include=/usr/share/doc/*/copyright\n" >/etc/dpkg/dpkg.cfg.d/01_nodoc \ && mkdir -p /usr/share/man/man1 \ + && echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99nocacertificates \ + && find /etc/apt/sources.list* -type f -exec sed -i s,http:,https:, {} \; \ && apt-get update \ && apt-get install ca-certificates \ - && sed -i 's,http:,https:,' /etc/apt/sources.list.d/debian.sources \ + && rm /etc/apt/apt.conf.d/99nocacertificates \ && apt-get upgrade \ && apt-get dist-upgrade \ && apt-get install openssh-client iproute2 python3 openssh-server sudo \