Further APT CI hardening

Dockerfile

@@ -11,9 +11,10 @@ ARG BUILD_ARCH=armhf
 
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
+COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y wget
+RUN apt_update && apt_install -y wget iproute2 && apt_check
 
 # Checks if the 'crossbuilder' user exists. 
 RUN if ! id crossbuilder 2>/dev/null;then \

Dockerfile-cross

@@ -8,13 +8,14 @@ ARG BUILD_GID=499
 ARG KEEP_BUILD_ARTIFACTS=FALSE
 ARG TARGET_DIR=NON_EXISTENT_FILE
 ARG BUILD_ARCH=armhf
-ARG EARLY_EXIT_STEP=
+ARG EARLY_EXIT_STEP=""
 
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
+COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y wget
+RUN apt_update && apt_install -y wget iproute2 && apt_check
 
 RUN groupadd -g $BUILD_GID crossbuilder
 RUN useradd -d /home/crossbuilder -m -g $BUILD_GID -u $BUILD_UID -s /bin/bash crossbuilder

apt-ci-hardening

@@ -11,4 +11,4 @@ Acquire::ForceIPv4 "true";
 Acquire::CompressionTypes::Order { "gz"; "xz"; };
 
 # Be tolerant of transient mirror issues
-Acquire::Check-Valid-Until "false";
+Acquire::Check-Valid-Until "false";

apt_check

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+REPO_HOST="aptrepo.effective-range.com"
+
+DNS_RESULT=$(getent hosts "$REPO_HOST")
+if [ -z "$DNS_RESULT" ]; then
+  echo "[ERROR] DNS resolution failed for $REPO_HOST" >&2
+  exit 1
+else
+  echo "[INFO] DNS resolution for $REPO_HOST: $DNS_RESULT"
+  REPO_IP=$(echo "$DNS_RESULT" | awk '{print $1}')
+fi
+
+ROUTE_RESULT=$(ip route get "$REPO_IP" 2>&1)
+if [ $? -ne 0 ]; then
+  echo "[ERROR] No route to host $REPO_HOST ($REPO_IP)" >&2
+  echo "$ROUTE_RESULT"
+  exit 2
+else
+  echo "[INFO] Route to $REPO_HOST ($REPO_IP):"
+  echo "$ROUTE_RESULT"
+fi
+
+KEY_URL="http://$REPO_HOST/effectiverange.gpg.key"
+echo "[INFO] Checking HTTP connectivity to $KEY_URL..."
+if ! wget --spider --timeout=10 --tries=2 "$KEY_URL"; then
+  echo "[ERROR] Failed to fetch $KEY_URL" >&2
+  exit 3
+else
+  echo "[INFO] Successfully fetched $KEY_URL"
+fi
+
+echo "[INFO] All connectivity checks passed for $REPO_HOST"
+exit 0

retry

@@ -1,7 +1,7 @@
 #!/bin/bash
 n=0 
-max=5 
-delay=2
+max=3
+delay=1
 until "$@"; do
     ((n++))
     if [ "$n" -ge "$max" ]; then

scripts/build_steps_armhf/04-schroot_setup

@@ -28,9 +28,9 @@ EOF
 
 # Fetch the latest raspberrypi-archive-keyring .deb and install it in the chroot
 RPI_KEYRING_URL="https://archive.raspberrypi.com/debian/pool/main/r/raspberrypi-archive-keyring"
-RPI_KEYRING_DEB=$(retry curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 8 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/" \
+RPI_KEYRING_DEB=$(curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 5 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/" \
     | grep -oP 'raspberrypi-archive-keyring_[^"]+_all\.deb' | sort -V | tail -1)
-retry curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 8 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/${RPI_KEYRING_DEB}" -o "/tmp/${RPI_KEYRING_DEB}"
+curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 5 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/${RPI_KEYRING_DEB}" -o "/tmp/${RPI_KEYRING_DEB}"
 cp "/tmp/${RPI_KEYRING_DEB}" "/var/chroot/buildroot/tmp/${RPI_KEYRING_DEB}"
 chroot /var/chroot/buildroot dpkg -i "/tmp/${RPI_KEYRING_DEB}"
 

scripts/build_steps_armhf/06-erapt_setup

@@ -12,7 +12,7 @@ source /etc/os-release
 
 install -d /usr/share/keyrings
 rm -f /usr/share/keyrings/debian-archive-keys-latest.gpg
-retry curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 8 --retry-all-errors --retry-delay 1 https://ftp-master.debian.org/keys/archive-key-$VERSION_ID.asc -o /tmp/archive-key-$VERSION_ID.asc
+curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 5 --retry-all-errors --retry-delay 1 https://ftp-master.debian.org/keys/archive-key-$VERSION_ID.asc -o /tmp/archive-key-$VERSION_ID.asc
 cat /tmp/archive-key-$VERSION_ID.asc | gpg --dearmor  -o /usr/share/keyrings/debian-archive-keys-latest.gpg
 
 # sanity check the keys received
@@ -36,7 +36,7 @@ Components: main
 Signed-By: /usr/share/keyrings/er-keyring.pgp
 EOF
 
-retry curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 8 --retry-all-errors --retry-delay 1 http://aptrepo.effective-range.com/effectiverange.gpg.key -o /usr/share/keyrings/er-keyring.pgp
+curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 5 --retry-all-errors --retry-delay 1 http://aptrepo.effective-range.com/effectiverange.gpg.key -o /usr/share/keyrings/er-keyring.pgp
 
 # sanity check the keys received
 gpg --show-keys /usr/share/keyrings/er-keyring.pgp

scripts/build_steps_cross/11-raspberrysetup

@@ -20,9 +20,9 @@ EOF
 
 # Fetch the latest raspberrypi-archive-keyring .deb and install it
 RPI_KEYRING_URL="https://archive.raspberrypi.com/debian/pool/main/r/raspberrypi-archive-keyring"
-RPI_KEYRING_DEB=$(retry curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 8 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/" \
+RPI_KEYRING_DEB=$(curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 5 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/" \
     | grep -oP 'raspberrypi-archive-keyring_[^"]+_all\.deb' | sort -V | tail -1)
-retry curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 8 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/${RPI_KEYRING_DEB}" -o "/tmp/${RPI_KEYRING_DEB}"
+curl -4 -fSL --connect-timeout 5 --max-time 20 --retry 5 --retry-all-errors --retry-delay 1 "${RPI_KEYRING_URL}/${RPI_KEYRING_DEB}" -o "/tmp/${RPI_KEYRING_DEB}"
 dpkg -i "/tmp/${RPI_KEYRING_DEB}"
 
 # sanity check the keys received

test/build_complex_test/deps.json

@@ -18,6 +18,11 @@
             "libprotobuf32"
         ]
     },
+    "trixie":{
+        "deps":[
+            "libprotobuf32t64"
+        ]
+    },
     "build_deps": [
         "libc6-dev",
         {