Use libgit2 from "unstable" / "sid"

We received reports from users no longer being able to clone Git repositories using libgit2 because of errors during the cloning attempt: `error: Failed to authenticate SSH session: Unable to extract public key from private key.` After an extensive scavenger hunt I was able to pinpoint the issue to `libssh2` being linked against `libgcrypt` instead of `openssl`. The problem with this is that the libgcrypt backend in libssh2 contains a hand written slimmed down ASN.1 parser to read out keys, while the OpenSSL backend in libssh2 uses OpenSSL, which supports a lot more formats (and more specifically, most PKCS* formats). As Debian's bullseye/testing repository has been frozen, and a backport has not been made available yet, fetching the dependency from "unstable" seems to be the best option for now, as this has `libssh2` available including OpenSSL. Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271 Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-06-22 10:55:36 +02:00 · 2021-06-22 10:55:36 +02:00 · c7e7b61e34
parent 850157cc7a
commit c7e7b61e34
1 changed files with 21 additions and 9 deletions
--- a/30
+++ b/30
@ -1,12 +1,20 @@
 FROM golang:1.16-buster as builder
 # Up-to-date libgit2 dependencies are only available in
-# >=bullseye (testing).
+# unstable, as libssh2 in testing/bullseye has been linked
-RUN echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list \
+# against gcrypt which causes issues with PKCS* formats.
-    && echo "deb-src http://deb.debian.org/debian testing main" >> /etc/apt/sources.list
+# Explicitly listing all build dependencies is required because
 # they can only be automagically found for AMD64 builds.
 # Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
 RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
    && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
 RUN set -eux; \
    apt-get update \
-    && apt-get install -y libgit2-dev/testing zlib1g-dev/testing libssh2-1-dev/testing libpcre3-dev/testing \
+    && apt-get install -y \
        libgit2-dev/unstable \
        zlib1g-dev/unstable \
        libssh2-1-dev/unstable \
        libpcre3-dev/unstable \
    && apt-get clean \
    && apt-get autoremove --purge -y \
    && rm -rf /var/lib/apt/lists/*
@ -38,12 +46,16 @@ FROM debian:buster-slim as controller
 LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
 # Up-to-date libgit2 dependencies are only available in
-# >=bullseye (testing).
+# unstable, as libssh2 in testing/bullseye has been linked
-RUN echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list \
+# against gcrypt which causes issues with PKCS* formats.
-    && echo "deb-src http://deb.debian.org/debian testing main" >> /etc/apt/sources.list
+# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
 RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
    && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
 RUN set -eux; \
    apt-get update \
-    && apt-get install -y ca-certificates libgit2-1.1 \
+    && apt-get install -y \
        ca-certificates \
        libgit2-1.1 \
    && apt-get clean \
    && apt-get autoremove --purge -y \
    && rm -rf /var/lib/apt/lists/*
@ -54,4 +66,4 @@ RUN groupadd controller && \
    useradd --gid controller --shell /bin/sh --create-home controller
 USER controller
-ENTRYPOINT ["source-controller"]
+ENTRYPOINT [ "source-controller" ]