download and hash verify all packages before install

config/container/Dockerfile

@@ -13,6 +13,7 @@ ADD scripts/ /usr/local/bin/
 ## Install packages from packages.list with retry
 ADD config/container/sources.list /etc/apt/sources.list
 ADD config/container/packages.list /etc/apt/packages.list
+ADD config/container/package-hashes.txt /etc/apt/package-hashes.txt
 ADD config/container/apt.conf /etc/apt/apt.conf
 RUN apt-install
 

config/container/package-hashes.txt

@@ -2,6 +2,7 @@
 01e99d68427722e64c603d45f00063c303b02afb53d85c8d1476deca70db64c6  libreadline7_7.0-5_amd64.deb
 0226c5853f5e48d7e99796c2e6332591383e9c337ac588e1b689f537abd0a891  libssh2-1_1.8.0-2.1_amd64.deb
 02f795889390fa0e1f29c6ecdd4a30cd0aae39c0c6b1379410055404b0897c66  libx11-data_2%3a1.6.7-1+deb10u1_all.deb
+03a133833154325c731291c8a87daef5962dcfb75dee7cdb11f7fb923de2db82  openssl_1.1.1d-0+deb10u3_amd64.deb
 042967b8267ee537ed9a1bf012533622847aab433362e3b57c9108a53bfcb99a  libkrb5-3_1.17-3_amd64.deb
 05e64681a0c3037fa71c94c083a8aabb6eb5f40e974c4ec548e0376635cffeb0  gpg-wks-server_2.2.12-1+deb10u1_amd64.deb
 05e90f94363055cf27cd88b7968820645180d37a649a93cf5d7ea6f3c7fe973e  gcc-8_8.3.0-6_amd64.deb
@@ -78,6 +79,7 @@ a65ea1c2a2c32995ea5337dc769ea2de503dd65e0ee2cde345d565ba06575d0c file_1%3a5.35-4
 a73b05c10399636a7c7bff266205de05631dc4af502bfb441cbbc6af0a7deb2a  libmpc3_1.1.0-1_amd64.deb
 a7857b726c3e0d16cda2fbb9020d42e024a3160d54ef858f58578612276683e8  libxau6_1%3a1.0.8-1+b2_amd64.deb
 ae756853eff06749370f37f717339098d7ead8eb40d8eca9050c4dd8d64be33a  g++_4%3a8.3.0-1_amd64.deb
+b293309a892730986e779aea48e97ea94cd58f34f07fefbd432c210ee4a427e2  libssl1.1_1.1.1d-0+deb10u3_amd64.deb
 b3392a29de0cea29f9e8e07793d1f03fcb84a3ca25b7471e2db0e0fa93ffa566  libldap-common_2.4.47+dfsg-3+deb10u2_all.deb
 b582f4bc549877d59254318feaaf1354020d695cfe9b9e6aab0aa26b65c29071  libubsan1_8.3.0-6_amd64.deb
 b9db9483510589d939ee897b8b2b15661d243c8fac13dfa18e6daa10be5d0a2a  liblsan0_8.3.0-6_amd64.deb

config/container/packages.list

@@ -1,119 +1,121 @@
-patch=2.7.6-3+deb10u1
+base-files=10.3+deb10u6
-libreadline7=7.0-5
+bc=1.07.1-2+b1
-libssh2-1=1.8.0-2.1
-libx11-data=2%3a1.6.7-1+deb10u1
-libkrb5-3=1.17-3
-gpg-wks-server=2.2.12-1+deb10u1
-gcc-8=8.3.0-6
-libbsd0=0.9.1-2
-perl=5.28.1-6+deb10u1
-libkeyutils1=1.6-6
-libperl5.28=5.28.1-6+deb10u1
-libtsan0=8.3.0-6
-libmagic-mgc=1%3a5.35-4+deb10u1
-openssh-client=1%3a7.9p1-10+deb10u2
-readline-common=7.0-5
-libpcre2-8-0=10.32-5
-libmagic1=1%3a5.35-4+deb10u1
-libdpkg-perl=1.19.7
-make=4.2.1-1.2
-libncurses6=6.1+20181013-2+deb10u2
-xauth=1%3a1.0.10-1
-libpsl5=0.20.2-2
-libksba8=1.3.5-2
-lsb-base=10.2019051400
-libgpm2=1.20.7-5
-libxmuu1=2%3a1.1.2-2+b3
-libalgorithm-diff-xs-perl=0.04-5+b1
-git-man=1%3a2.20.1-2+deb10u3
-gnupg=2.2.12-1+deb10u1
-wget=1.20.1-1.1
-build-essential=12.6
-gpg-wks-client=2.2.12-1+deb10u1
-perl-base=5.28.1-6+deb10u1
-libc6-dev=2.28-10
-libgssapi-krb5-2=1.17-3
-libsasl2-2=2.1.27+dfsg-1+deb10u1
-dpkg-dev=1.19.7
-git=1%3a2.20.1-2+deb10u3
-gpgsm=2.2.12-1+deb10u1
-bzip2=1.0.6-9.2~deb10u1
-librtmp1=2.4+20151223.gitfa8646d.1-2
-less=487-0.1+b1
-libcc1-0=8.3.0-6
-libgdbm-compat4=1.18.1-4
-liberror-perl=0.17027-2
-perl-modules-5.28=5.28.1-6+deb10u1
-manpages=4.16-2
-libcurl3-gnutls=7.64.0-4+deb10u1
-cpp-8=8.3.0-6
-unzip=6.0-23+deb10u1
-libnghttp2-14=1.36.0-2+deb10u1
-gpg-agent=2.2.12-1+deb10u1
-libpopt0=1.16-12
-libxext6=2%3a1.3.3-1+b2
-libmpx2=8.3.0-6
-libquadmath0=8.3.0-6
-libfakeroot=1.23-1
-gnupg-utils=2.2.12-1+deb10u1
-libsasl2-modules=2.1.27+dfsg-1+deb10u1
-ca-certificates=20200601~deb10u1
-libstdc++-8-dev=8.3.0-6
-rsync=3.1.3-6
-libitm1=8.3.0-6
-libalgorithm-merge-perl=0.08-3
-libxcb1=1.13.1-2
-manpages-dev=4.16-2
-dirmngr=2.2.12-1+deb10u1
-libc-dev-bin=2.28-10
-libgomp1=8.3.0-6
-publicsuffix=20190415.1030-1
-libassuan0=2.5.2-1
-libnpth0=1.6-1
 binutils-common=2.31.1-16
-gpg=2.2.12-1+deb10u1
-krb5-locales=1.17-3
-libgcc-8-dev=8.3.0-6
-file=1%3a5.35-4+deb10u1
-libmpc3=1.1.0-1
-libxau6=1%3a1.0.8-1+b2
-g++=4%3a8.3.0-1
-libldap-common=2.4.47+dfsg-3+deb10u2
-libubsan1=8.3.0-6
-liblsan0=8.3.0-6
-libk5crypto3=1.17-3
-libbinutils=2.31.1-16
-netbase=5.6
-libgnutls30=3.6.7-4+deb10u5
-libcurl4=7.64.0-4+deb10u1
 binutils-x86-64-linux-gnu=2.31.1-16
 binutils=2.31.1-16
-libalgorithm-diff-perl=1.19.03-2
+build-essential=12.6
-gpgconf=2.2.12-1+deb10u1
+bzip2=1.0.6-9.2~deb10u1
-gcc=4%3a8.3.0-1
+ca-certificates=20200601~deb10u1
-libsasl2-modules-db=2.1.27+dfsg-1+deb10u1
-libfile-fcntllock-perl=0.22-3+b5
-libedit2=3.1-20181209-1
-libmpfr6=4.0.2-1
-libgdbm6=1.18.1-4
-g++-8=8.3.0-6
-libasan5=8.3.0-6
-libisl19=0.20-2
-libexpat1=2.2.6-2+deb10u1
-linux-libc-dev=4.19.146-1
 cpio=2.12+dfsg-9
-liblocale-gettext-perl=1.07-3+b4
+cpp-8=8.3.0-6
-xz-utils=5.2.4-1
+cpp=4:8.3.0-1
-libkrb5support0=1.17-3
-libldap-2.4-2=2.4.47+dfsg-3+deb10u2
 curl=7.64.0-4+deb10u1
+dirmngr=2.2.12-1+deb10u1
+dpkg-dev=1.19.7
 fakeroot=1.23-1
+file=1:5.35-4+deb10u1
+g++-8=8.3.0-6
+g++=4:8.3.0-1
+gcc-8=8.3.0-6
+gcc=4:8.3.0-1
+git-man=1:2.20.1-2+deb10u3
+git=1:2.20.1-2+deb10u3
 gnupg-l10n=2.2.12-1+deb10u1
-cpp=4%3a8.3.0-1
+gnupg-utils=2.2.12-1+deb10u1
-libxdmcp6=1%3a1.1.2-3
+gnupg=2.2.12-1+deb10u1
-base-files=10.3+deb10u6
+gpg-agent=2.2.12-1+deb10u1
-pinentry-curses=1.1.0-2
+gpg-wks-client=2.2.12-1+deb10u1
+gpg-wks-server=2.2.12-1+deb10u1
+gpg=2.2.12-1+deb10u1
+gpgconf=2.2.12-1+deb10u1
+gpgsm=2.2.12-1+deb10u1
+krb5-locales=1.17-3
+less=487-0.1+b1
+libalgorithm-diff-perl=1.19.03-2
+libalgorithm-diff-xs-perl=0.04-5+b1
+libalgorithm-merge-perl=0.08-3
+libasan5=8.3.0-6
+libassuan0=2.5.2-1
 libatomic1=8.3.0-6
-bc=1.07.1-2+b1
+libbinutils=2.31.1-16
-libx11-6=2%3a1.6.7-1+deb10u1
+libbsd0=0.9.1-2
+libc-dev-bin=2.28-10
+libc6-dev=2.28-10
+libcc1-0=8.3.0-6
+libcurl3-gnutls=7.64.0-4+deb10u1
+libcurl4=7.64.0-4+deb10u1
+libdpkg-perl=1.19.7
+libedit2=3.1-20181209-1
+liberror-perl=0.17027-2
+libexpat1=2.2.6-2+deb10u1
+libfakeroot=1.23-1
+libfile-fcntllock-perl=0.22-3+b5
+libgcc-8-dev=8.3.0-6
+libgdbm-compat4=1.18.1-4
+libgdbm6=1.18.1-4
+libgnutls30=3.6.7-4+deb10u5
+libgomp1=8.3.0-6
+libgpm2=1.20.7-5
+libgssapi-krb5-2=1.17-3
+libisl19=0.20-2
+libitm1=8.3.0-6
+libk5crypto3=1.17-3
+libkeyutils1=1.6-6
+libkrb5-3=1.17-3
+libkrb5support0=1.17-3
+libksba8=1.3.5-2
+libldap-2.4-2=2.4.47+dfsg-3+deb10u2
+libldap-common=2.4.47+dfsg-3+deb10u2
+liblocale-gettext-perl=1.07-3+b4
+liblsan0=8.3.0-6
+libmagic-mgc=1:5.35-4+deb10u1
+libmagic1=1:5.35-4+deb10u1
+libmpc3=1.1.0-1
+libmpfr6=4.0.2-1
+libmpx2=8.3.0-6
+libncurses6=6.1+20181013-2+deb10u2
+libnghttp2-14=1.36.0-2+deb10u1
+libnpth0=1.6-1
+libpcre2-8-0=10.32-5
+libperl5.28=5.28.1-6+deb10u1
+libpopt0=1.16-12
+libpsl5=0.20.2-2
+libquadmath0=8.3.0-6
+libreadline7=7.0-5
+librtmp1=2.4+20151223.gitfa8646d.1-2
+libsasl2-2=2.1.27+dfsg-1+deb10u1
+libsasl2-modules-db=2.1.27+dfsg-1+deb10u1
+libsasl2-modules=2.1.27+dfsg-1+deb10u1
 libsqlite3-0=3.27.2-3
+libssh2-1=1.8.0-2.1
+libssl1.1=1.1.1d-0+deb10u3
+libstdc++-8-dev=8.3.0-6
+libtsan0=8.3.0-6
+libubsan1=8.3.0-6
+libx11-6=2:1.6.7-1+deb10u1
+libx11-data=2:1.6.7-1+deb10u1
+libxau6=1:1.0.8-1+b2
+libxcb1=1.13.1-2
+libxdmcp6=1:1.1.2-3
+libxext6=2:1.3.3-1+b2
+libxmuu1=2:1.1.2-2+b3
+linux-libc-dev=4.19.146-1
+lsb-base=10.2019051400
+make=4.2.1-1.2
+manpages-dev=4.16-2
+manpages=4.16-2
+netbase=5.6
+openssh-client=1:7.9p1-10+deb10u2
+openssl=1.1.1d-0+deb10u3
+patch=2.7.6-3+deb10u1
+perl-base=5.28.1-6+deb10u1
+perl-modules-5.28=5.28.1-6+deb10u1
+perl=5.28.1-6+deb10u1
+pinentry-curses=1.1.0-2
+publicsuffix=20190415.1030-1
+readline-common=7.0-5
+rsync=3.1.3-6
+unzip=6.0-23+deb10u1
+wget=1.20.1-1.1
+xauth=1:1.0.10-1
+xz-utils=5.2.4-1

config/container/sources.list

@@ -1,6 +1,6 @@
 deb http://deb.debian.org/debian buster main
-deb http://snapshot.debian.org/archive/debian/20201015T000000Z buster main
+deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster main
 deb http://security.debian.org/debian-security buster/updates main
-deb http://snapshot.debian.org/archive/debian-security/20201015T000000Z buster/updates main
+deb http://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
 deb http://deb.debian.org/debian buster-updates main
-deb http://snapshot.debian.org/archive/debian/20201015T000000Z buster-updates main
+deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main

scripts/apt-install

@@ -2,9 +2,20 @@
 set -e;
 
 apt-get update
-until apt-get install -y $(cat /etc/apt/packages.list); do
+until apt-get install --download-only -y $(cat /etc/apt/packages.list); do
     echo "apt install failed. Likely throttled. Retrying in 10 mins...";
     sleep 600;
 done;
 
+(
+	cd /var/cache/apt/archives \
+		&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
+		| sed 's/.\///g' \
+		| LC_ALL=C sort
+) > /etc/apt/package-hashes-compare.txt
+
+diff /etc/apt/package-hashes{,-compare}.txt
+
+apt-get install -y $(cat /etc/apt/packages.list)
+
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*;

scripts/update-packages

@@ -16,17 +16,18 @@ deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates ma
 EOF
 
 apt-get update
-apt install -y openssl
 apt-get install -y --download-only $(cat /etc/apt/packages.list)
 
 (
 	cd /var/cache/apt/archives \
-		&& find . -type f \( -iname \*.deb \) -exec openssl sha256 -r {} \; \
+		&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
-		| sed 's/ \*.\// /g' \
+		| sed 's/.\///g' \
 		| LC_ALL=C sort
 ) > /etc/apt/package-hashes.txt
 
-cat /etc/apt/package-hashes.txt \
+cp /dev/null /etc/apt/packages.list
-	| awk '{ print $2 }' \
+for deb in /var/cache/apt/archives/*.deb; do
-	| sed -e 's/_[a-z0-9]\+\.deb//g' -e 's/_/=/g' \
+	package=$(dpkg-deb -f $deb Package);
-	> /etc/apt/packages.list
+	version=$(dpkg --info ${deb} | grep "^ Version: " | sed 's/^ Version: //g');
+	echo "${package}=${version}" >> /etc/apt/packages.list;
+done