From c7e7b61e3418ac0bffd96b4ff215b7036e57539b Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 22 Jun 2021 10:55:36 +0200
Subject: [PATCH] Use libgit2 from "unstable" / "sid"
We received reports from users no longer being able to clone Git repositories using libgit2 because of errors during the cloning attempt: `error: Failed to authenticate SSH session: Unable to extract public key from private key.` After an extensive scavenger hunt I was able to pinpoint the issue to `libssh2` being linked against `libgcrypt` instead of `openssl`. The problem with this is that the libgcrypt backend in libssh2 contains a hand written slimmed down ASN.1 parser to read out keys, while the OpenSSL backend in libssh2 uses OpenSSL, which supports a lot more formats (and more specifically, most PKCS* formats). As Debian's bullseye/testing repository has been frozen, and a backport has not been made available yet, fetching the dependency from "unstable" seems to be the best option for now, as this has `libssh2` available including OpenSSL.
Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
Signed-off-by: Hidde Beydals
---
Dockerfile | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3775d267..059a25bb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,20 @@
 FROM golang:1.16-buster as builder
 # Up-to-date libgit2 dependencies are only available in
-# >=bullseye (testing).
-RUN echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list \
- && echo "deb-src http://deb.debian.org/debian testing main" >> /etc/apt/sources.list
+# unstable, as libssh2 in testing/bullseye has been linked
+# against gcrypt which causes issues with PKCS* formats.
+# Explicitly listing all build dependencies is required because
+# they can only be automagically found for AMD64 builds.
+# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
+RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
+ && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
 RUN set -eux; \
 apt-get update \
- && apt-get install -y libgit2-dev/testing zlib1g-dev/testing libssh2-1-dev/testing libpcre3-dev/testing \
+ && apt-get install -y \
+ libgit2-dev/unstable \
+ zlib1g-dev/unstable \
+ libssh2-1-dev/unstable \
+ libpcre3-dev/unstable \
 && apt-get clean \
 && apt-get autoremove --purge -y \
 && rm -rf /var/lib/apt/lists/*
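Review bot: The `unstable` source is appended to `/etc/apt/sources.list` with no apt pin and no package versions, so the four `/unstable` packages float with sid's archive and two builds of the same commit can link different libgit2, libssh2 and OpenSSL versions. Add a preferences entry before the install (`Package: *`, `Pin: release a=unstable`, `Pin-Priority: 100`) so only packages requested with `/unstable` leave buster; any dependency that must also come from sid then has to be named explicitly, as the new comment already anticipates. Once a known-good build is identified, fix it with `libssh2-1-dev=<version>` style selectors. The same unpinned source is added to the controller stage in the `@@ -38,12 +46,16 @@` hunk. The `deb-src` line looks unused in the visible lines, since nothing here runs `apt-get source` or `apt-get build-dep`; if that holds for the rest of the file it can be dropped.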
@@ -38,12 +46,16 @@ FROM debian:buster-slim as controller
 LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
 # Up-to-date libgit2 dependencies are only available in
-# >=bullseye (testing).
-RUN echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list \
- && echo "deb-src http://deb.debian.org/debian testing main" >> /etc/apt/sources.list
+# unstable, as libssh2 in testing/bullseye has been linked
+# against gcrypt which causes issues with PKCS* formats.
+# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
+RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
+ && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
 RUN set -eux; \
 apt-get update \
- && apt-get install -y ca-certificates libgit2-1.1 \
+ && apt-get install -y \
+ ca-certificates \
+ libgit2-1.1 \
 && apt-get clean \
 && apt-get autoremove --purge -y \
 && rm -rf /var/lib/apt/lists/*
@@ -54,4 +66,4 @@ RUN groupadd controller && \
 useradd --gid controller --shell /bin/sh --create-home controller
 USER controller
-ENTRYPOINT ["source-controller"]
+ENTRYPOINT [ "source-controller" ]
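Review bot: In the controller stage `ca-certificates` and `libgit2-1.1` are installed without a release qualifier, and with `unstable` in sources.list and no pin visible in this hunk apt will normally choose the highest candidate version. The shipped image's trust store and libgit2's dependency closure (libssh2, OpenSSL, possibly libc) would then come from sid rather than buster, which is not covered by the stable security advisories and makes scanner results keyed on `buster` unreliable. Request only what needs it from sid, `libgit2-1.1/unstable`, keep `ca-certificates` on buster, and add `--no-install-recommends` so nothing unrequested is pulled from the extra source. Nothing in the image asserts that the installed libssh2 is the OpenSSL build, which is the purpose of the change; a build-time `ldd` check of the libssh2 shared object for `libcrypto` would catch a silent regression.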