template: log hashes of all downloaded packages before installation

This, connected with append-only build log (QubesOS/qubes-issues#2023) will allow for meaningful inspection what really got installed during template build, even if signature verification is buggy, or release signing key is compromised. Adding this for debootstrap - after downloading but before installing packages is somehow complex. Split the operation into two phases - first download all the packages, then install them. Point at local directory for the second run to not download packages (or repository metadata) the second time. That local directory needs to have proper repository metadata. (cherry picked from commit f1e2283)
QubesOS · Dec 17, 2016 · 03a2fac · 03a2fac
1 parent 5c55340
commit 03a2fac
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/template_debian/01_install_core.sh b/template_debian/01_install_core.sh
@@ -24,13 +24,33 @@ bootstrap() {
         if [ ! -d "${INSTALLDIR}/${TMPDIR}" ]; then
             mkdir -p "${INSTALLDIR}/${TMPDIR}"
         fi
+        rm -rf "${INSTALLDIR}/${TMPDIR}/dummy-repo"
+        mkdir -p "${INSTALLDIR}/${TMPDIR}/dummy-repo/dists/${DIST}"
         echo ${mirror} > "${INSTALLDIR}/${TMPDIR}/.mirror"
+
+        # Download packages first, and log hash of them _before_ installing
+        # them. Needs to copy Release{,.gpg} to a dummy _local_ repo, because
+        # debootstrap insists on downloading it each time but we want to be sure to use
+        # packages downloaded earlier (and logged)
+        COMPONENTS="" $DEBOOTSTRAP_PREFIX debootstrap \
+            --arch=amd64 \
+            --include="ncurses-term,locales,tasksel,$eatmydata_maybe" \
+            --components=main \
+            --download-only \
+            --keyring="${SCRIPTSDIR}/../keys/${DIST}-${DISTRIBUTION}-archive-keyring.gpg" \
+            "${DIST}" "${INSTALLDIR}" "${mirror}" && \
+        sha256sum "${INSTALLDIR}/var/cache/apt/archives"/*.deb && \
+        cp "${INSTALLDIR}/var/lib/apt/lists/debootstrap.invalid_dists_jessie_Release" \
+            "${INSTALLDIR}/${TMPDIR}/dummy-repo/dists/${DIST}/Release" && \
+        cp "${INSTALLDIR}/var/lib/apt/lists/debootstrap.invalid_dists_jessie_Release.gpg" \
+            "${INSTALLDIR}/${TMPDIR}/dummy-repo/dists/${DIST}/Release.gpg" && \
         COMPONENTS="" $DEBOOTSTRAP_PREFIX debootstrap \
             --arch=amd64 \
             --include="ncurses-term,locales,tasksel,$eatmydata_maybe" \
             --components=main \
             --keyring="${SCRIPTSDIR}/../keys/${DIST}-${DISTRIBUTION}-archive-keyring.gpg" \
-            "${DIST}" "${INSTALLDIR}" "${mirror}" && return 0
+            "${DIST}" "${INSTALLDIR}" "file://${INSTALLDIR}/${TMPDIR}/dummy-repo" && \
+        return 0
     done
     error "Debootstrap failed!"
     exit 1;

diff --git a/template_debian/distribution.sh b/template_debian/distribution.sh
@@ -140,19 +140,25 @@ function prepareChroot() {
 # ==============================================================================
 function aptUpgrade() {
     aptUpdate
+    chroot_cmd apt-get ${APT_GET_OPTIONS} --download-only upgrade -u -y
+    sha256sum "${INSTALLDIR}/var/cache/apt/archives"/*.deb
     DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
         chroot_cmd env APT_LISTCHANGES_FRONTEND=none $eatmydata_maybe \
             apt-get ${APT_GET_OPTIONS} upgrade -u -y
+    chroot_cmd apt-get ${APT_GET_OPTIONS} clean
 }
 
 # ==============================================================================
 # apt-get dist-upgrade
 # ==============================================================================
 function aptDistUpgrade() {
     aptUpdate
+    chroot_cmd apt-get ${APT_GET_OPTIONS} --download-only dist-upgrade -u -y
+    sha256sum "${INSTALLDIR}/var/cache/apt/archives"/*.deb
     DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
         chroot_cmd env APT_LISTCHANGES_FRONTEND=none $eatmydata_maybe \
             apt-get ${APT_GET_OPTIONS} dist-upgrade -u -y
+    chroot_cmd apt-get ${APT_GET_OPTIONS} clean
 }
 
 # ==============================================================================
@@ -181,6 +187,8 @@ function aptRemove() {
 # ==============================================================================
 function aptInstall() {
     files="$@"
+    chroot_cmd apt-get ${APT_GET_OPTIONS} --download-only install ${files[@]}
+    sha256sum "${INSTALLDIR}/var/cache/apt/archives"/*.deb
     DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
         chroot_cmd $eatmydata_maybe apt-get ${APT_GET_OPTIONS} install ${files[@]}
     retcode=$?