
Background

I have a multiplatform C++ application. On Linux the installation package is created using appimage-builder.

$ appimagetool --version
appimagetool, continuous build (commit 76bf860), build <local dev build> built on 2022-02-13 18:52:16 UTC
$ uname -a
Linux d1bc106a5f0f 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Now my continuous integration builds (Jenkins) are failing. In the logs I see

[2023-01-11T17:36:58.520Z] INFO:main:Running main script
[2023-01-11T17:36:58.520Z] INFO:main:Running apt deploy
[2023-01-11T17:36:58.520Z] INFO:apt:Download key file: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3b4fe6acc0b21f32
[2023-01-11T17:36:58.520Z] Traceback (most recent call last):
[2023-01-11T17:36:58.520Z]   File "/home/jenkins/.local/bin/appimage-builder", line 8, in <module>
[2023-01-11T17:36:58.520Z]     sys.exit(__main__())
[2023-01-11T17:36:58.520Z]   File "/home/jenkins/.local/lib/python3.8/site-packages/appimagebuilder/__main__.py", line 58, in __main__
[2023-01-11T17:36:58.520Z]     invoker.execute(commands)
[2023-01-11T17:36:58.521Z]   File "/home/jenkins/.local/lib/python3.8/site-packages/appimagebuilder/invoker.py", line 41, in execute
[2023-01-11T17:36:58.521Z]     command()
[2023-01-11T17:36:58.521Z]   File "/home/jenkins/.local/lib/python3.8/site-packages/appimagebuilder/commands/apt_deploy.py", line 42, in __call__
[2023-01-11T17:36:58.521Z]     apt_venv = self._setup_apt_venv()
[2023-01-11T17:36:58.521Z]   File "/home/jenkins/.local/lib/python3.8/site-packages/appimagebuilder/commands/apt_deploy.py", line 60, in _setup_apt_venv
[2023-01-11T17:36:58.521Z]     apt_venv = Venv(
[2023-01-11T17:36:58.521Z]   File "/home/jenkins/.local/lib/python3.8/site-packages/appimagebuilder/modules/deploy/apt/venv.py", line 48, in __init__
[2023-01-11T17:36:58.521Z]     self._write_keys(keys)
[2023-01-11T17:36:58.521Z]   File "/home/jenkins/.local/lib/python3.8/site-packages/appimagebuilder/modules/deploy/apt/venv.py", line 121, in _write_keys
[2023-01-11T17:36:58.521Z]     request.urlretrieve(key_url, key_path)
[2023-01-11T17:36:58.521Z]   File "/usr/lib/python3.8/urllib/request.py", line 247, in urlretrieve
[2023-01-11T17:36:58.521Z]     with contextlib.closing(urlopen(url, data)) as fp:
[2023-01-11T17:36:58.521Z]   File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
[2023-01-11T17:36:58.521Z]     return opener.open(url, data, timeout)
[2023-01-11T17:36:58.521Z]   File "/usr/lib/python3.8/urllib/request.py", line 531, in open
[2023-01-11T17:36:58.521Z]     response = meth(req, response)
[2023-01-11T17:36:58.521Z]   File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
[2023-01-11T17:36:58.521Z]     response = self.parent.error(
[2023-01-11T17:36:58.521Z]   File "/usr/lib/python3.8/urllib/request.py", line 569, in error
[2023-01-11T17:36:58.521Z]     return self._call_chain(*args)
[2023-01-11T17:36:58.521Z]   File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
[2023-01-11T17:36:58.521Z]     result = func(*args)
[2023-01-11T17:36:58.521Z]   File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
[2023-01-11T17:36:58.521Z]     raise HTTPError(req.full_url, code, msg, hdrs, fp)
[2023-01-11T17:36:58.521Z] urllib.error.HTTPError: HTTP Error 503: Service Unavailable

Problem

These logs clearly show some network issue: for some reason the server responds with 503: Service Unavailable. I do not know why this error is reported only on Jenkins and I can't reproduce it on my local machine. If someone has clues, this is a bonus question.

The really interesting issue is in the details of these logs: Download key file: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3b4fe6acc0b21f32.

  1. Note the protocol is http, not https
  2. The content of this URL is a "PGP PUBLIC KEY"!

This looks like a security hole: dynamically fetching a public key over an insecure channel.

Questions

  • Am I right to suspect a security hole here? (I was not able to quickly inspect the consequences for appimage-builder.) Is this an appimage-builder problem, or does only the version distributed for Ubuntu have it?
  • Can I change the system configuration so that I manually upload this public key somewhere (once) and configure appimage-builder to use this key and disable downloading of it?
  • Bonus question: is there another way to address this build failure?
Marek R
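One way to close the gap the question points at, as an added example that is not appimage-builder's own code: accept the key only over https and compare it against a digest pinned in the build configuration before it is written to disk, so neither a 503 nor a substituted response can become a trusted apt key. The host keyserver.example, the sample key bytes and the pinned digest are constructed for the demo; the fetch function is injectable so it runs offline.

```python
"""Hardened stand-in for appimage-builder's key download step (added example, not
the project's code): only https URLs, and a pinned SHA-256 digest check on the key."""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import urlopen

class KeyFetchError(RuntimeError):
    """Raised when the key cannot be obtained in a way that is safe to trust."""

def check_key_url(url: str) -> None:
    # Plain http lets an on-path party swap the key all later package signatures are checked against.
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise KeyFetchError(f"refusing insecure key URL: {url}")

def fetch_pinned_key(url, expected_sha256, key_path,
                     fetch=lambda u: urlopen(u, timeout=30).read()):
    check_key_url(url)
    data = fetch(url)
    if not data.startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise KeyFetchError("response is not an ASCII-armored PGP public key")
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        raise KeyFetchError(f"key digest mismatch: got {digest}")
    Path(key_path).write_bytes(data)  # only a verified key ever reaches disk
    return data

# Constructed sample key (not real); pin the digest of the real key after verifying it out of band.
SAMPLE_KEY = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
              b"mQENBF...constructed...\n-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_KEY).hexdigest()
GOOD_URL = "https://keyserver.example/pks/lookup?op=get&search=0x3b4fe6acc0b21f32"

def run_demo() -> dict:
    # https + matching digest is written; an http URL and a tampered body are refused
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "key.asc"
        fetch_pinned_key(GOOD_URL, SAMPLE_SHA256, path, fetch=lambda u: SAMPLE_KEY)
        results["written"] = path.read_bytes() == SAMPLE_KEY
        cases = {"http": (GOOD_URL.replace("https", "http", 1), SAMPLE_KEY),
                 "tampered": (GOOD_URL, SAMPLE_KEY + b"extra")}
        for name, (url, body) in cases.items():
            try:
                fetch_pinned_key(url, SAMPLE_SHA256, path, fetch=lambda u, b=body: b)
                results[name] = "accepted"
            except KeyFetchError:
                results[name] = "rejected"
    return results
```

The same pattern applies to a key you have already placed on the build host: skip the fetch and only run the digest check before copying it into the apt keyring.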

0 Answers