Skip to content

Enable unpack and repack of .deb containers#15345

Merged
NikolaMilosavljevic merged 11 commits intodotnet:mainfrom
NikolaMilosavljevic:deb.repack
Jan 2, 2025
Merged

Enable unpack and repack of .deb containers#15345
NikolaMilosavljevic merged 11 commits intodotnet:mainfrom
NikolaMilosavljevic:deb.repack

Conversation

@NikolaMilosavljevic
Copy link
Member

Fixes: #14436

This work enables unpack and repack of .deb containers. I've tested this with all current .NET DEB packages.

I've updated test.deb to include a signable file - this makes the DEB test complete.

@ellahathaway
Copy link
Member

Do you have a binlog from an arcade-validation (or some equivalent repo) build with these changes? Wondering if you've done e2e testing and also curious to see what the SignTool output looks like.

using System.Data;
using System.Diagnostics;
using Microsoft.DotNet.Build.Tasks.Installers;
using Microsoft.DotNet.Build.Tasks.Installers.src;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we change the namespaces in the Installers package to remove the .src nested namespace?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, will do that.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed with 9fe1ae4

@NikolaMilosavljevic
Copy link
Member Author

Do you have a binlog from an arcade-validation (or some equivalent repo) build with these changes? Wondering if you've done e2e testing and also curious to see what the SignTool output looks like.

Working on this validation right now.

@NikolaMilosavljevic
Copy link
Member Author

Binlog from local validation in arcade-validation repo:
msbuild.zip

Debian signing log entries:

File /src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb is not signed.
Extracting file 'data.tar.gz' from '/src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' isNested=True
Extracting file 'hello' from '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello' isNested=True
Ignoring non-signable file: /src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello
Caching file hello 036E707FF7B4A823E1182FE6DF81E90A93AE44EA17A8B2F0044A11CDE169342E
Caching file data.tar.gz 57989E84E7AFBDE7A3396AC35B47F4F3553B0EF68ADC6652C70507814FA45BA2
Caching file test.deb EC14B84B6074AF3A402E8CA7AF2381373705D121EDEAC5310425FD659E23EDC2

This is with current test.deb package in arcade-validation repo. I will recheck with newer version of the package that I've prepared for this PR.

@NikolaMilosavljevic
Copy link
Member Author

Here's the binlog from signing test that includes the updated test.deb (with signable binary, mscorlib.dll):
msbuild.zip

Log shows additional entries for this binary, i.e.:

Extracting file 'mscorlib.dll' from '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/39/./usr/local/bin/mscorlib.dll'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/39/./usr/local/bin/mscorlib.dll' isNested=True

Copy link
Member

@mmitche mmitche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add another test or two that validates that the repacked deb has the expected content?

  • Correct checksums/metadata
  • Correct files/layout

Otherwise looks great aside from some questions/nits.

@NikolaMilosavljevic
Copy link
Member Author

Can you add another test or two that validates that the repacked deb has the expected content?

  • Correct checksums/metadata
  • Correct files/layout

Otherwise looks great aside from some questions/nits.

Certainly. Will do.

@ellahathaway
Copy link
Member

Binlog from local validation in arcade-validation repo: msbuild.zip

Debian signing log entries:

File /src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb is not signed.
Extracting file 'data.tar.gz' from '/src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' isNested=True
Extracting file 'hello' from '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello' isNested=True
Ignoring non-signable file: /src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello
Caching file hello 036E707FF7B4A823E1182FE6DF81E90A93AE44EA17A8B2F0044A11CDE169342E
Caching file data.tar.gz 57989E84E7AFBDE7A3396AC35B47F4F3553B0EF68ADC6652C70507814FA45BA2
Caching file test.deb EC14B84B6074AF3A402E8CA7AF2381373705D121EDEAC5310425FD659E23EDC2

This is with current test.deb package in arcade-validation repo. I will recheck with newer version of the package that I've prepared for this PR.

Binlog looks great. Thanks for validating that.

@NikolaMilosavljevic
Copy link
Member Author

Can you add another test or two that validates that the repacked deb has the expected content?

  • Correct checksums/metadata
  • Correct files/layout

Otherwise looks great aside from some questions/nits.

Fixed with 3172fe5

mmitche
mmitche previously approved these changes Dec 19, 2024
@NikolaMilosavljevic
Copy link
Member Author

NikolaMilosavljevic commented Dec 20, 2024

One test is still failing: MissingCertificateNameButExtensionIsIgnored for extension: *.deb -

public void MissingCertificateNameButExtensionIsIgnored(string extension)

At first, this failed due to a missing deb entry in needContent Dictionary - causing the creation of dummy DEB package, which doesn't work with real unpacking code.

It is now failing due to a presence of the the signable file, since we're using the same test package for all DEB tests. New DEB package has a signable file, to be able to better test the DEB unpack/repack code.

If I put back the old test.deb file (without a signable file), this test succeeds.

I can add another test DEB package, to be used by this test, but is that the right option?

@ellahathaway
Copy link
Member

ellahathaway commented Dec 20, 2024

One test is still failing: MissingCertificateNameButExtensionIsIgnored for extension: *.deb -

public void MissingCertificateNameButExtensionIsIgnored(string extension)

At first, this failed due to a missing deb entry in needContent Dictionary - causing the creation of dummy DEB package, which doesn't work with real unpacking code.

It is now failing due to a presence of the the signable file, since we're using the same test package for all DEB tests. New DEB package has a signable file, to be able to better test the DEB unpack/repack code.

If I put back the old test.deb file (without a signable file), this test succeeds.

I can add another test DEB package, to be used by this test, but is that the right option?

Can we have two test deb packages? One called SignableDeb.deb and the other called UnsignableDeb.deb? I don't see harm in having two test packages.

@NikolaMilosavljevic
Copy link
Member Author

NikolaMilosavljevic commented Dec 20, 2024

One test is still failing: MissingCertificateNameButExtensionIsIgnored for extension: *.deb -

public void MissingCertificateNameButExtensionIsIgnored(string extension)

At first, this failed due to a missing deb entry in needContent Dictionary - causing the creation of dummy DEB package, which doesn't work with real unpacking code.
It is now failing due to a presence of the the signable file, since we're using the same test package for all DEB tests. New DEB package has a signable file, to be able to better test the DEB unpack/repack code.
If I put back the old test.deb file (without a signable file), this test succeeds.
I can add another test DEB package, to be used by this test, but is that the right option?

Can we have two test deb packages? One called SignableDeb.deb and the other called UnsignableDeb.deb? I don't see harm in having two test packages.

Yeah, that is an option. But, we first need to understand why this is failing and if it's a real issue. We don't want to add a test package for the sake of passing a test-case. @mmitche is going to investigate this.

@NikolaMilosavljevic
Copy link
Member Author

Hmm, not sure why NuGet.Packaging was added - will remove.

@NikolaMilosavljevic
Copy link
Member Author

Two commits were not reviewed so this is still blocked. Checks are now passing.

@NikolaMilosavljevic NikolaMilosavljevic merged commit c1862c6 into dotnet:main Jan 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Enable unpack/repack of .deb containers

4 participants