Page MenuHomePhabricator

Build and import new release of jwt-authorizer (1.1.0)
Closed, ResolvedPublic


Version 1.1.0 of jwt-authorizer includes token validation errors in the auth challenge which we need to debug GitLab-to-WMF-registry JWT auth failures (see T322453).

@Dzahn would you be able to build and import this version of the package for us? The main branch at should be good to go and includes your prior fix to the control file. I hope the build goes smoother for you this time.

Event Timeline

@Dzahn you described the initial build process of jwt-authorizer package in T309646. I created docs in wikitech for jwt-authorizer and a short summary of the build process. Can you check I guess the DIST=bullseye-backports and --ignore=wrongdistribution is obsolete now?

Let me know if I should try the build or if we should pair to check the build and docs together :)

LSobanski triaged this task as Medium priority.Nov 15 2022, 4:03 PM
LSobanski moved this task from Incoming to Backlog on the collaboration-services board.

Mentioned in SAL (#wikimedia-operations) [2022-11-16T19:11:11Z] <jelto> Imported jwt-authorizer 1.1.0-1 to bullseye-wikimedia - T322691

Jelto claimed this task.

I built and published the new version jwt-authorizer | 1.1.0-1 for bullseye. I followed the docs in

@dduvall @Dzahn I still got issues with the go package similar to T309646#7974869:

make[1]: Entering directory '/build/jwt-authorizer-1.1.0'
dh_auto_build -O--buildsystem=golang -- -ldflags "-X main.Version=1.1.0"
        cd obj-x86_64-linux-gnu && go install -trimpath -v -p 8 -ldflags "-X main.Version=1.1.0"
src/ cannot find package "io/fs" in any of:
        /build/jwt-authorizer-1.1.0/obj-x86_64-linux-gnu/src/ (vendor tree)
        /usr/lib/go-1.15/src/io/fs (from $GOROOT)
        /build/jwt-authorizer-1.1.0/obj-x86_64-linux-gnu/src/io/fs (from $GOPATH)
dh_auto_build: error: cd obj-x86_64-linux-gnu && go install -trimpath -v -p 8 -ldflags "-X main.Version=1.1.0" returned exit code 1
make[1]: *** [debian/rules:10: override_dh_auto_build] Error 25
make[1]: Leaving directory '/build/jwt-authorizer-1.1.0'
make: *** [debian/rules:7: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
I: copying local configuration
E: Failed autobuilding of package

So we have to tweak the build a little bit more, but for now the new version should be available. I'm closing this task, as build and publish were successful using the bullseye backports version of golang.

$ apt-cache show jwt-authorizer
Package: jwt-authorizer
Version: 1.1.0-1
Architecture: amd64
Maintainer: Wikimedia Foundation Release Engineering <>

@Jelto or @Dzahn we'll need this built for buster as well since the registry hosts are all buster based.

Mentioned in SAL (#wikimedia-operations) [2022-11-30T22:13:40Z] <mutante> registry* - upgraded jwt-authorizer package on all 4 hosts to version 1.1.0-1 - T322691

@dduvall @Jelto So this was just missing the same import step of the same package but for buster instead of bullseye. I could just import straight from Jelto's homedir:

on apt1001:

$ sudo -i reprepro --ignore=wrongdistribution -C main include buster-wikimedia /home/jelto/jwt-authorizer_1.1.0-1_amd64.changes

and now it's 1.1.0 instead of 1.0.0 for both:

[apt1001:/home/jelto] $ sudo -E reprepro ls jwt-authorizer
jwt-authorizer | 1.1.0-1 |   buster-wikimedia | amd64, source
jwt-authorizer | 1.1.0-1 | bullseye-wikimedia | amd64, source

after this:

[registry2004:~] $ sudo apt-get update
[registry2004:~] $ sudo apt install jwt-authorizer

then did the same on the other 4 registry hosts and now:

[cumin1001:~] $ sudo cumin 'registry*' 'dpkg -l | grep jwt-auth'
4 hosts will be targeted:
Ok to proceed on 4 hosts? Enter the number of affected hosts to confirm or "q" to quit 4
===== NODE GROUP =====                                                                                                                                                                                             
(4) registry[2003-2004].codfw.wmnet,registry[1003-1004].eqiad.wmnet                                                                                                                                                
----- OUTPUT of 'dpkg -l | grep jwt-auth' -----                                                                                                                                                                    
ii  jwt-authorizer                       1.1.0-1                      amd64