datadog-agent-arm
datadog-agent-arm copied to clipboard
adrienkohlbecker
Build fails: Verification for cacerts failed due to a checksum mismatch
I'm sorta just hacking at this point and I'm trying to use this in a way that is different from the instructions :)
I attempted to run the build within a Docker container (arm64v8/ubuntu:16.04). I ran the aforementioned container with interactive shell and then did the following:
apt-get update
apt-get install -y git
cd /root
git clone https://github.com/adrienkohlbecker/datadog-agent-arm.git
cp -R ./datadog-agent-arm/* ./
sudo mv /bin/true /sbin/swapon # HACK: The script calls swapon but that's not allowed in a Docker container!
bash ./build.sh
It then failed with the following - apparently a checksum has changed somewhere:
Progress: |=====================================================================================================================================================================================================|
[NetFetcher: cacerts] I | 2019-09-10T23:19:28+00:00 | Verifying checksum
Verification for cacerts failed due to a checksum mismatch:
expected: c1fd9b235896b1094ee97bfb7e042f93530b5e300781f59b45edf84ee8c75000
actual: 38b6230aa4bee062cd34ee0ff6da173250899642b1937fc130896290b6bd91e3
This added security check is used to prevent MITM attacks when downloading the
remote file. If you have updated the version or URL for the download, you will
also need to update the checksum value. You can find the checksum value on the
software publisher's website.
So, where's that hash?
root@1b3fba884f46:~# grep -R c1fd9b235896b1094ee97bfb7e042f93530b5e300781f59b45edf84ee8c75000 /var/lib/gems/
/var/lib/gems/2.3.0/bundler/gems/omnibus-software-5d392843015d/config/software/cacerts_py2.rb: sha256: "c1fd9b235896b1094ee97bfb7e042f93530b5e300781f59b45edf84ee8c75000"
/var/lib/gems/2.3.0/bundler/gems/omnibus-software-5d392843015d/config/software/cacerts.rb: sha256: "c1fd9b235896b1094ee97bfb7e042f93530b5e300781f59b45edf84ee8c75000"
/var/lib/gems/2.3.0/bundler/gems/omnibus-software-5d392843015d/config/software/cacerts_py3.rb: sha256: "c1fd9b235896b1094ee97bfb7e042f93530b5e300781f59b45edf84ee8c75000"
Ah, here at least (var/lib/gems/2.3.0/bundler/gems/omnibus-software-5d392843015d/config/software/cacerts.rb):
# We always pull the latest version,
# so the hashsum check will break every time the file is updated on the remote
default_version "latest"
source url: "https://curl.haxx.se/ca/cacert.pem",
sha256: "c1fd9b235896b1094ee97bfb7e042f93530b5e300781f59b45edf84ee8c75000"
That sounds like a hash mismatch is expeted! I'll bet it's a simple fix, I'm just not yet sure how since I'm not familiar with Omnibus, etc. I'll keep poking around, but thought I'd log this issue in case someone else is interested to fix it and knows what to do!
As part of my hacking, I forked your omnibus-software repo, modified the hash, then also forked the datadog-agent-arm and updated to use my omnibus-software.
Then, it got past the above issue only to break later in the build for some other reason.
Just in case it's useful, here are the commits:
Change the hash:
- https://github.com/njgraham/omnibus-software/commit/e511382ba3c88878045436cddb4403df5eabd536
Use my fork:
- https://github.com/njgraham/datadog-agent-arm/commit/33befbfc7858cc1701de78b999826553a2c3b1b2
Meanwhile, it looks like an official ARM version is in the works so maybe this won't be relevant for long: https://github.com/DataDog/datadog-agent/issues/3839
That hash has recently updated, by the way.
$ curl https://curl.haxx.se/ca/cacert.pem.sha256 5cd8052fcf548ba7e08899d8458a32942bf70450c9af67a0850b4c711804a2e4
