download and hash verify all packages before install

This commit is contained in:
Lance Vick 2020-10-16 01:37:56 -07:00
parent 249e93bcce
commit 73d0e657fa
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
6 changed files with 257 additions and 240 deletions


@ -13,6 +13,7 @@ ADD scripts/ /usr/local/bin/
## Install packages from packages.list with retry
ADD config/container/sources.list /etc/apt/sources.list
ADD config/container/packages.list /etc/apt/packages.list
ADD config/container/package-hashes.txt /etc/apt/package-hashes.txt
ADD config/container/apt.conf /etc/apt/apt.conf
RUN apt-install
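Review bot: The new `ADD config/container/package-hashes.txt /etc/apt/package-hashes.txt` line brings the file that gates the whole install into the image with `ADD`, which carries URL-fetch and archive-extraction semantics, whereas `COPY` states plainly that a local file is copied unchanged. For a plain text file the two behave the same, so this is a style point, and the surrounding lines already use `ADD`, so changing this one line alone would be inconsistent — if it is changed, change the block to `COPY config/container/package-hashes.txt /etc/apt/package-hashes.txt` and the neighbouring lines alike. The Dockerfile continues outside the hunk at both ends.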


@ -2,6 +2,7 @@
01e99d68427722e64c603d45f00063c303b02afb53d85c8d1476deca70db64c6 libreadline7_7.0-5_amd64.deb
0226c5853f5e48d7e99796c2e6332591383e9c337ac588e1b689f537abd0a891 libssh2-1_1.8.0-2.1_amd64.deb
02f795889390fa0e1f29c6ecdd4a30cd0aae39c0c6b1379410055404b0897c66 libx11-data_2%3a1.6.7-1+deb10u1_all.deb
03a133833154325c731291c8a87daef5962dcfb75dee7cdb11f7fb923de2db82 openssl_1.1.1d-0+deb10u3_amd64.deb
042967b8267ee537ed9a1bf012533622847aab433362e3b57c9108a53bfcb99a libkrb5-3_1.17-3_amd64.deb
05e64681a0c3037fa71c94c083a8aabb6eb5f40e974c4ec548e0376635cffeb0 gpg-wks-server_2.2.12-1+deb10u1_amd64.deb
05e90f94363055cf27cd88b7968820645180d37a649a93cf5d7ea6f3c7fe973e gcc-8_8.3.0-6_amd64.deb
@ -78,6 +79,7 @@ a65ea1c2a2c32995ea5337dc769ea2de503dd65e0ee2cde345d565ba06575d0c file_1%3a5.35-4
a73b05c10399636a7c7bff266205de05631dc4af502bfb441cbbc6af0a7deb2a libmpc3_1.1.0-1_amd64.deb
a7857b726c3e0d16cda2fbb9020d42e024a3160d54ef858f58578612276683e8 libxau6_1%3a1.0.8-1+b2_amd64.deb
ae756853eff06749370f37f717339098d7ead8eb40d8eca9050c4dd8d64be33a g++_4%3a8.3.0-1_amd64.deb
b293309a892730986e779aea48e97ea94cd58f34f07fefbd432c210ee4a427e2 libssl1.1_1.1.1d-0+deb10u3_amd64.deb
b3392a29de0cea29f9e8e07793d1f03fcb84a3ca25b7471e2db0e0fa93ffa566 libldap-common_2.4.47+dfsg-3+deb10u2_all.deb
b582f4bc549877d59254318feaaf1354020d695cfe9b9e6aab0aa26b65c29071 libubsan1_8.3.0-6_amd64.deb
b9db9483510589d939ee897b8b2b15661d243c8fac13dfa18e6daa10be5d0a2a liblsan0_8.3.0-6_amd64.deb


@ -1,119 +1,121 @@
patch=2.7.6-3+deb10u1
libreadline7=7.0-5
libssh2-1=1.8.0-2.1
libx11-data=2%3a1.6.7-1+deb10u1
libkrb5-3=1.17-3
gpg-wks-server=2.2.12-1+deb10u1
gcc-8=8.3.0-6
libbsd0=0.9.1-2
perl=5.28.1-6+deb10u1
libkeyutils1=1.6-6
libperl5.28=5.28.1-6+deb10u1
libtsan0=8.3.0-6
libmagic-mgc=1%3a5.35-4+deb10u1
openssh-client=1%3a7.9p1-10+deb10u2
readline-common=7.0-5
libpcre2-8-0=10.32-5
libmagic1=1%3a5.35-4+deb10u1
libdpkg-perl=1.19.7
make=4.2.1-1.2
libncurses6=6.1+20181013-2+deb10u2
xauth=1%3a1.0.10-1
libpsl5=0.20.2-2
libksba8=1.3.5-2
lsb-base=10.2019051400
libgpm2=1.20.7-5
libxmuu1=2%3a1.1.2-2+b3
libalgorithm-diff-xs-perl=0.04-5+b1
git-man=1%3a2.20.1-2+deb10u3
gnupg=2.2.12-1+deb10u1
wget=1.20.1-1.1
build-essential=12.6
gpg-wks-client=2.2.12-1+deb10u1
perl-base=5.28.1-6+deb10u1
libc6-dev=2.28-10
libgssapi-krb5-2=1.17-3
libsasl2-2=2.1.27+dfsg-1+deb10u1
dpkg-dev=1.19.7
git=1%3a2.20.1-2+deb10u3
gpgsm=2.2.12-1+deb10u1
bzip2=1.0.6-9.2~deb10u1
librtmp1=2.4+20151223.gitfa8646d.1-2
less=487-0.1+b1
libcc1-0=8.3.0-6
libgdbm-compat4=1.18.1-4
liberror-perl=0.17027-2
perl-modules-5.28=5.28.1-6+deb10u1
manpages=4.16-2
libcurl3-gnutls=7.64.0-4+deb10u1
cpp-8=8.3.0-6
unzip=6.0-23+deb10u1
libnghttp2-14=1.36.0-2+deb10u1
gpg-agent=2.2.12-1+deb10u1
libpopt0=1.16-12
libxext6=2%3a1.3.3-1+b2
libmpx2=8.3.0-6
libquadmath0=8.3.0-6
libfakeroot=1.23-1
gnupg-utils=2.2.12-1+deb10u1
libsasl2-modules=2.1.27+dfsg-1+deb10u1
ca-certificates=20200601~deb10u1
libstdc++-8-dev=8.3.0-6
rsync=3.1.3-6
libitm1=8.3.0-6
libalgorithm-merge-perl=0.08-3
libxcb1=1.13.1-2
manpages-dev=4.16-2
dirmngr=2.2.12-1+deb10u1
libc-dev-bin=2.28-10
libgomp1=8.3.0-6
publicsuffix=20190415.1030-1
libassuan0=2.5.2-1
libnpth0=1.6-1
base-files=10.3+deb10u6
bc=1.07.1-2+b1
binutils-common=2.31.1-16
gpg=2.2.12-1+deb10u1
krb5-locales=1.17-3
libgcc-8-dev=8.3.0-6
file=1%3a5.35-4+deb10u1
libmpc3=1.1.0-1
libxau6=1%3a1.0.8-1+b2
g++=4%3a8.3.0-1
libldap-common=2.4.47+dfsg-3+deb10u2
libubsan1=8.3.0-6
liblsan0=8.3.0-6
libk5crypto3=1.17-3
libbinutils=2.31.1-16
netbase=5.6
libgnutls30=3.6.7-4+deb10u5
libcurl4=7.64.0-4+deb10u1
binutils-x86-64-linux-gnu=2.31.1-16
binutils=2.31.1-16
libalgorithm-diff-perl=1.19.03-2
gpgconf=2.2.12-1+deb10u1
gcc=4%3a8.3.0-1
libsasl2-modules-db=2.1.27+dfsg-1+deb10u1
libfile-fcntllock-perl=0.22-3+b5
libedit2=3.1-20181209-1
libmpfr6=4.0.2-1
libgdbm6=1.18.1-4
g++-8=8.3.0-6
libasan5=8.3.0-6
libisl19=0.20-2
libexpat1=2.2.6-2+deb10u1
linux-libc-dev=4.19.146-1
build-essential=12.6
bzip2=1.0.6-9.2~deb10u1
ca-certificates=20200601~deb10u1
cpio=2.12+dfsg-9
liblocale-gettext-perl=1.07-3+b4
xz-utils=5.2.4-1
libkrb5support0=1.17-3
libldap-2.4-2=2.4.47+dfsg-3+deb10u2
cpp-8=8.3.0-6
cpp=4:8.3.0-1
curl=7.64.0-4+deb10u1
dirmngr=2.2.12-1+deb10u1
dpkg-dev=1.19.7
fakeroot=1.23-1
file=1:5.35-4+deb10u1
g++-8=8.3.0-6
g++=4:8.3.0-1
gcc-8=8.3.0-6
gcc=4:8.3.0-1
git-man=1:2.20.1-2+deb10u3
git=1:2.20.1-2+deb10u3
gnupg-l10n=2.2.12-1+deb10u1
cpp=4%3a8.3.0-1
libxdmcp6=1%3a1.1.2-3
base-files=10.3+deb10u6
pinentry-curses=1.1.0-2
gnupg-utils=2.2.12-1+deb10u1
gnupg=2.2.12-1+deb10u1
gpg-agent=2.2.12-1+deb10u1
gpg-wks-client=2.2.12-1+deb10u1
gpg-wks-server=2.2.12-1+deb10u1
gpg=2.2.12-1+deb10u1
gpgconf=2.2.12-1+deb10u1
gpgsm=2.2.12-1+deb10u1
krb5-locales=1.17-3
less=487-0.1+b1
libalgorithm-diff-perl=1.19.03-2
libalgorithm-diff-xs-perl=0.04-5+b1
libalgorithm-merge-perl=0.08-3
libasan5=8.3.0-6
libassuan0=2.5.2-1
libatomic1=8.3.0-6
bc=1.07.1-2+b1
libx11-6=2%3a1.6.7-1+deb10u1
libbinutils=2.31.1-16
libbsd0=0.9.1-2
libc-dev-bin=2.28-10
libc6-dev=2.28-10
libcc1-0=8.3.0-6
libcurl3-gnutls=7.64.0-4+deb10u1
libcurl4=7.64.0-4+deb10u1
libdpkg-perl=1.19.7
libedit2=3.1-20181209-1
liberror-perl=0.17027-2
libexpat1=2.2.6-2+deb10u1
libfakeroot=1.23-1
libfile-fcntllock-perl=0.22-3+b5
libgcc-8-dev=8.3.0-6
libgdbm-compat4=1.18.1-4
libgdbm6=1.18.1-4
libgnutls30=3.6.7-4+deb10u5
libgomp1=8.3.0-6
libgpm2=1.20.7-5
libgssapi-krb5-2=1.17-3
libisl19=0.20-2
libitm1=8.3.0-6
libk5crypto3=1.17-3
libkeyutils1=1.6-6
libkrb5-3=1.17-3
libkrb5support0=1.17-3
libksba8=1.3.5-2
libldap-2.4-2=2.4.47+dfsg-3+deb10u2
libldap-common=2.4.47+dfsg-3+deb10u2
liblocale-gettext-perl=1.07-3+b4
liblsan0=8.3.0-6
libmagic-mgc=1:5.35-4+deb10u1
libmagic1=1:5.35-4+deb10u1
libmpc3=1.1.0-1
libmpfr6=4.0.2-1
libmpx2=8.3.0-6
libncurses6=6.1+20181013-2+deb10u2
libnghttp2-14=1.36.0-2+deb10u1
libnpth0=1.6-1
libpcre2-8-0=10.32-5
libperl5.28=5.28.1-6+deb10u1
libpopt0=1.16-12
libpsl5=0.20.2-2
libquadmath0=8.3.0-6
libreadline7=7.0-5
librtmp1=2.4+20151223.gitfa8646d.1-2
libsasl2-2=2.1.27+dfsg-1+deb10u1
libsasl2-modules-db=2.1.27+dfsg-1+deb10u1
libsasl2-modules=2.1.27+dfsg-1+deb10u1
libsqlite3-0=3.27.2-3
libssh2-1=1.8.0-2.1
libssl1.1=1.1.1d-0+deb10u3
libstdc++-8-dev=8.3.0-6
libtsan0=8.3.0-6
libubsan1=8.3.0-6
libx11-6=2:1.6.7-1+deb10u1
libx11-data=2:1.6.7-1+deb10u1
libxau6=1:1.0.8-1+b2
libxcb1=1.13.1-2
libxdmcp6=1:1.1.2-3
libxext6=2:1.3.3-1+b2
libxmuu1=2:1.1.2-2+b3
linux-libc-dev=4.19.146-1
lsb-base=10.2019051400
make=4.2.1-1.2
manpages-dev=4.16-2
manpages=4.16-2
netbase=5.6
openssh-client=1:7.9p1-10+deb10u2
openssl=1.1.1d-0+deb10u3
patch=2.7.6-3+deb10u1
perl-base=5.28.1-6+deb10u1
perl-modules-5.28=5.28.1-6+deb10u1
perl=5.28.1-6+deb10u1
pinentry-curses=1.1.0-2
publicsuffix=20190415.1030-1
readline-common=7.0-5
rsync=3.1.3-6
unzip=6.0-23+deb10u1
wget=1.20.1-1.1
xauth=1:1.0.10-1
xz-utils=5.2.4-1


@ -1,6 +1,6 @@
deb http://deb.debian.org/debian buster main
deb http://snapshot.debian.org/archive/debian/20201015T000000Z buster main
deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://snapshot.debian.org/archive/debian-security/20201015T000000Z buster/updates main
deb http://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
deb http://deb.debian.org/debian buster-updates main
deb http://snapshot.debian.org/archive/debian/20201015T000000Z buster-updates main
deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main


@ -2,9 +2,20 @@
set -e;
apt-get update
until apt-get install -y $(cat /etc/apt/packages.list); do
until apt-get install --download-only -y $(cat /etc/apt/packages.list); do
echo "apt install failed. Likely throttled. Retrying in 10 mins...";
sleep 600;
done;
(
cd /var/cache/apt/archives \
&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
| sed 's/.\///g' \
| LC_ALL=C sort
) > /etc/apt/package-hashes-compare.txt
diff /etc/apt/package-hashes{,-compare}.txt
apt-get install -y $(cat /etc/apt/packages.list)
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*;
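Review bot: The hash gate on the `diff /etc/apt/package-hashes{,-compare}.txt` line holds only because `set -e` is in effect: a mismatch aborts with raw diff output and no message saying that verification failed, and wrapping that line in a condition or dropping `set -e` later would silently disable the check. Make the gate explicit: `diff /etc/apt/package-hashes{,-compare}.txt || { echo "package hash verification failed" >&2; exit 1; }`. The subshell that builds the compare file has no `pipefail`, so a failing `find` or `sha256sum` just yields a shorter file; the diff still rejects it, but the cause is reported as a mismatch rather than a tool error, and `-exec sha256sum {} +` would batch the calls and let `find` report a failed command. The unanchored `sed 's/.\///g'` deletes any character that precedes a `/`, not only the leading `./`; `sed 's|^\./||'` says what is meant. The script's first line and anything after the cleanup line lie outside the hunk.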


@ -16,17 +16,18 @@ deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates ma
EOF
apt-get update
apt install -y openssl
apt-get install -y --download-only $(cat /etc/apt/packages.list)
(
cd /var/cache/apt/archives \
&& find . -type f \( -iname \*.deb \) -exec openssl sha256 -r {} \; \
| sed 's/ \*.\// /g' \
&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
| sed 's/.\///g' \
| LC_ALL=C sort
) > /etc/apt/package-hashes.txt
cat /etc/apt/package-hashes.txt \
| awk '{ print $2 }' \
| sed -e 's/_[a-z0-9]\+\.deb//g' -e 's/_/=/g' \
> /etc/apt/packages.list
cp /dev/null /etc/apt/packages.list
for deb in /var/cache/apt/archives/*.deb; do
package=$(dpkg-deb -f $deb Package);
version=$(dpkg --info ${deb} | grep "^ Version: " | sed 's/^ Version: //g');
echo "${package}=${version}" >> /etc/apt/packages.list;
done
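Review bot: The `version=$(dpkg --info ${deb} | grep "^ Version: " | sed 's/^ Version: //g')` line spawns three processes to read a control field that the line above already reads with `dpkg-deb -f`; `version=$(dpkg-deb -f "$deb" Version)` is the same query, quotes the path, and keeps the two lines consistent. Both the hash list and the regenerated packages.list are derived from whatever is in /var/cache/apt/archives after the `--download-only` step, so any .deb left there by an earlier step would be hashed and pinned too — presumably the cache is empty at that point, but an `apt-get clean` before the download would turn that assumption into a guarantee. If `/var/cache/apt/archives/*.deb` matches nothing, the loop runs once with the literal pattern and `dpkg-deb` fails on it; whether that aborts depends on a `set -e` that is outside this hunk, so `[ -e "$deb" ] || continue` would state the intent. `cp /dev/null /etc/apt/packages.list` is a truncate; `: > /etc/apt/packages.list` is the idiomatic form. The enclosing script begins outside the hunk, before the `EOF` line.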