Merge branch 'docker-buildserver-always-apt-https' into 'master'

buildserver: always use HTTPS for apt connections in Docker image See merge request fdroid/fdroidserver!1603
buildserver: always use HTTPS for apt connections in Docker image
2025-09-13 06:22:27 +03:00 · 2025-07-23 16:24:56 +00:00 · 2025-07-23 16:09:20 +00:00 · 2025-07-23 16:08:48 +00:00 · 2025-07-22 21:52:28 +02:00
2 changed files with 22 additions and 3 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -98,6 +98,14 @@ metadata_v0:
    # Ubuntu and other distros often lack https:// support
    - grep Debian /etc/issue.net
        && { find /etc/apt/sources.list* -type f | xargs sed -i s,http:,https:, ; }
+    # The official Debian docker images ship without ca-certificates,
+    # TLS certificates cannot be verified until that is installed. The
+    # following code turns off TLS verification, and enables HTTPS, so
+    # at least unverified TLS is used for apt-get instead of plain
+    # HTTP.  Once ca-certificates is installed, the CA verification is
+    # enabled by removing this config.  This set up makes the initial
+    # `apt-get update` and `apt-get install` look the same as verified
+    # TLS to the network observer and hides the metadata.
    - echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99nocacertificates
    - apt-get update
    - apt-get install ca-certificates
@ -765,12 +773,12 @@ docker:

 # PUBLISH is the signing server.  It has a very minimal manual setup.
 PUBLISH:
-  image: debian:bullseye-backports
+  image: debian:bookworm-backports
  <<: *python-rules-changes
  script:
    - apt-get update
    - apt-get -qy upgrade
-    - apt-get -qy install --no-install-recommends -t bullseye-backports
+    - apt-get -qy install --no-install-recommends -t bookworm-backports
        androguard
        apksigner
        curl
--- a/buildserver/Dockerfile
+++ b/buildserver/Dockerfile
@ -37,11 +37,22 @@ RUN useradd --create-home -s /bin/bash vagrant && echo -n 'vagrant:vagrant' | ch
 #
 # Ensure fdroidserver's dependencies are marked manual before purging
 # unneeded packages, otherwise, all its dependencies get purged.
+#
+# The official Debian docker images ship without ca-certificates, so
+# TLS certificates cannot be verified until that is installed. The
+# following code temporarily turns off TLS verification, and enables
+# HTTPS, so at least unverified TLS is used for apt-get instead of
+# plain HTTP.  Once ca-certificates is installed, the CA verification
+# is enabled by removing the newly created config file.  This set up
+# makes the initial `apt-get update` and `apt-get install` look the
+# same as verified TLS to the network observer and hides the metadata.
 RUN printf "path-exclude=/usr/share/locale/*\npath-exclude=/usr/share/man/*\npath-exclude=/usr/share/doc/*\npath-include=/usr/share/doc/*/copyright\n" >/etc/dpkg/dpkg.cfg.d/01_nodoc \
 	&& mkdir -p /usr/share/man/man1 \
+	&& echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99nocacertificates \
+	&& find /etc/apt/sources.list* -type f -exec sed -i s,http:,https:, {} \; \
 	&& apt-get update \
 	&& apt-get install ca-certificates \
-        && sed -i 's,http:,https:,' /etc/apt/sources.list.d/debian.sources \
+	&& rm /etc/apt/apt.conf.d/99nocacertificates \
 	&& apt-get upgrade \
 	&& apt-get dist-upgrade \
 	&& apt-get install openssh-client iproute2 python3 openssh-server sudo \
Author	SHA1	Message	Date
Hans-Christoph Steiner	e4b54c9768	Merge branch 'docker-buildserver-always-apt-https' into 'master' buildserver: always use HTTPS for apt connections in Docker image See merge request fdroid/fdroidserver!1603	2025-07-23 16:24:56 +00:00
Hans-Christoph Steiner	7988c54d00	buildserver: always use HTTPS for apt connections in Docker image This configuration has been in use in .gitlab-ci.yml scripts for a while now and has proven reliable. This is a "low hanging fruit" improvement. It provides an extra layer of protection for when their are apt vulns. And it makes it much harder to profile what a server/laptop is doing based on the internet traffic. The network observer will no longer be able to see which packages are being downloaded since apt uses HTTP pipelining so size attacks are not really possible. And HTTPS hides the URLs, filenames, download contents, etc.	2025-07-23 16:09:20 +00:00
Hans-Christoph Steiner	05c4bf2483	Merge branch 'ci-PUBLISH-to-bookworm' into 'master' gitlab-ci: update PUBLISH to bookworm since prod has already See merge request fdroid/fdroidserver!1685	2025-07-23 16:08:48 +00:00
Hans-Christoph Steiner	7e219561b7	gitlab-ci: update PUBLISH to bookworm since prod has already	2025-07-22 21:52:28 +02:00