Add signature checking to install-debs.py #15374
Conversation
|
Could you apply fully_trusted change here as well? No need for another PR since Azure Linux has 3.12 atm and won't be updating anytime soon given their pace of updates. 😅 |
I could but then I can't approve it since it's my own PR :) |
|
Yea no rush. Images are building fine (with python 3.12) for now. $ docker run --rm mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-loongarch64 \
python3 --version
Python 3.12.3 |
eng/common/cross/install-debs.py
Outdated
| await download_file(session, release_gpg_url, release_gpg_file.name) | ||
|
|
||
| if args.keyring != '': | ||
| keyring_arg = f"--keyring {args.keyring}" |
There was a problem hiding this comment.
When __Keyring is set in bash script, it has this prefix.
arcade/eng/common/cross/build-rootfs.sh
Line 183 in 2f07a67
There was a problem hiding this comment.
that's intentional, we pass --keyring <file> to install-debs.py which in turn parses that arg and sets the file and we pass the value on to gpg
|
@akoeplinger I think 43f2fa5 is not optional if we want to keep arguments order independent. I'm a bit busy with another build but please double check before merging. |
|
@am11 I looked at the script but I don't see where it'd make a difference. That said I think we can remove the global __Keyring and move the check further down |
|
@akoeplinger have you tested it with --skipsigcheck with different orders of argument? It matters when we are running it locally vs. in prereqs. |
|
hm I think I see what you mean. I don't think we can rely on __UbuntuArch when parsing the |
|
It will be so that |
|
|
||
| results = await asyncio.gather(*tasks, return_exceptions=True) | ||
| results = await asyncio.gather(*tasks) |
There was a problem hiding this comment.
This is intentional. We need to continue on error here otherwise it fails the build. Some index files are optional and may not be available for certain distro.
There was a problem hiding this comment.
that's already handled by fetch_and_decompress returning None when response.status is not 200
There was a problem hiding this comment.
It fails from this script when it doesn't find some index. That's why I added success and error logging here. apt behavior is the same, it warns and continue for the missing index.
Lets see if it fails dotnet/dotnet-buildtools-prereqs-docker#1310. Local build was failing when I applied your patch. I suggest you open a similar PR to test variations. You can update loongarch with --skipemulation --skipsigcheck (we don't have keys for Debian sid) and riscv with --skipemulation without skipping the check (we have keys for Ubuntu noble) to showcase that it is working.
There was a problem hiding this comment.
There are other issues:
https://dev.azure.com/dnceng-public/public/_build/results?buildId=906926&view=logs&s=6884a131-87da-5381-61f3-d7acc3b91d76&j=fc59f0f2-c1bd-58ae-b870-833d1e8a924c
> [builder 3/4] RUN rootfsEnv="/usr/local/share/rootfs" && python3 -m venv "$rootfsEnv" && "$rootfsEnv/bin/python" -m pip install aiohttp zstandard && PYTHON_EXECUTABLE="$rootfsEnv/bin/python" /scripts/eng/common/cross/build-rootfs.sh loongarch64 sid --skipunmount --skipemulation:
12.19 Downloaded http://ftp.ports.debian.org/debian-ports//dists/unreleased/Release at /tmp/tmp9kl7odro
12.19 Downloaded http://ftp.ports.debian.org/debian-ports//dists/unreleased/Release.gpg at /tmp/tmpd_jy2s9z
12.19 Verifying signature of Release with Release.gpg.
12.19 Error fetching http://ftp.ports.debian.org/debian-ports//dists/unreleased/main/binary-loong64/Packages.gz: cannot access local variable 'keyring_arg' where it is not associated with a value
12.19 Downloaded index: http://ftp.ports.debian.org/debian-ports//dists/sid/main/binary-loong64/Packages.gz
12.19 Downloaded http://ftp.ports.debian.org/debian-ports//dists/sid/Release at /tmp/tmphulowxes
12.19 Downloaded http://ftp.ports.debian.org/debian-ports//dists/sid/Release.gpg at /tmp/tmp5h7tvol5
12.19 Verifying signature of Release with Release.gpg.
12.19 Error fetching http://ftp.ports.debian.org/debian-ports//dists/sid/main/binary-loong64/Packages.gz: cannot access local variable 'keyring_arg' where it is not associated with a value
12.19 Error: Package 'build-essential' was not found in the available packages.
------
ERROR: failed to solve: executor failed running [/bin/sh -c rootfsEnv="/usr/local/share/rootfs" && python3 -m venv "$rootfsEnv" && "$rootfsEnv/bin/python" -m pip install aiohttp zstandard && PYTHON_EXECUTABLE="$rootfsEnv/bin/python" /scripts/eng/common/cross/build-rootfs.sh loongarch64 sid --skipunmount --skipemulation]: exit code: 1
Retry 4/5, retrying in 125 seconds...
#0 building with "default" instance using docker driver
I will now revert this line from the PR, and highly recommend you open similar PR downstream with that line in LA64 and RA64 net10.0 docksfiles so we have some coverage.
RUN rm -rf /scripts && git clone https://github.com/dotnet/arcade --single-branch --depth 1 -b akoeplinger-patch-1 /scripts@akoeplinger, this PR is great, my intention with the feedback is we get the local and cloud scenarios right. For local testing, I'm using podman desktop on macOS for loongarch to test without --skipemulation and docker&podman deskotp with --skipemulation as docker desktop is missing the registration docker/roadmap#764. I am sharing the use-cases which I was testing locally. Hope my feedback doesn't come across different than the intended spirit. 👍
There was a problem hiding this comment.
@am11 I tried locally and it fails because we don't have /usr/share/keyrings/debian-archive-keyring.gpg nor /usr/share/keyrings/debian-ports-archive-keyring.gpg in the builder image, I suppose we need to add it to https://github.com/dotnet/dotnet-buildtools-prereqs-docker/blob/c77a9f6b01eff67ba53a9363f949dee7ccde38c5/src/azurelinux/3.0/net10.0/crossdeps-builder/amd64/Dockerfile#L46-L51
Was this fetched by debootstrap before?
Hope my feedback doesn't come across different than the intended spirit. 👍
No worries, I'm still on vacation till tomorrow so I can't spend a lot of time on this yet 😄
There was a problem hiding this comment.
--skipsigcheck should not require the keyring. That's the purpose of this arg. If you incorporate the feedback:
- Add signature checking to install-debs.py #15374 (comment) (apply that patch)
- undo
results = await asyncio.gather(*tasks, return_exceptions=True)
it will resolve both issues.
akoeplinger
force-pushed
the
akoeplinger-patch-1
branch
from
aa168ef to
e74cb5a
Compare
cc @am11