I tried to create an image with bellsoft java runtime like this:
When running the build command like this
```
docker run -v "$PWD":/work cgr.dev/chainguard/apko build --debug java.yaml java:test java.tar
```
I see the following error:
```
Nov 23 10:58:07.365 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/aarch64/APKINDEX.tar.gz
Nov 23 10:58:07.616 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: UNTRUSTED signature
Nov 23 10:58:07.616 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] fetch https://dl-cdn.alpinelinux.org/alpine/edge/community/aarch64/APKINDEX.tar.gz
Nov 23 10:58:07.808 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] fetch https://apk.bell-sw.com/main/aarch64/APKINDEX.tar.gz
Nov 23 10:58:07.808 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: UNTRUSTED signature
Nov 23 10:58:07.979 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] ERROR: unable to select packages:
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] zlib (no such package):
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] required by: bellsoft-java19-runtime-lite-19.0.1_p11-r0[zlib]
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] java-common (no such package):
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] required by: bellsoft-java19-runtime-lite-19.0.1_p11-r0[java-common]
```
It seems that the system key files are ignored in case a custom key file is defined in the keyring attribute. This leads to the issue that the main and community repositories are ignored due to untrusted keys.
I think the following lines cause this issue: https://github.com/chainguard-dev/apko/blob/30e7a8d4aa352b81b007a9a06f74861a6a3a80ef/pkg/apk/apk_implementation.go#L111-L116
I expected the additional keys to be appended to the system keys and not to replace them. Otherwise, when I define a custom key, I would also have to add the keys for the common Alpine repositories, which is problematic as there are arch-specific keys for them, so my apko file would not work for all archs anymore.
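
A small diagnostic for the failure pattern in this report, as an added example that is not part of the original issue or of apko's code: it scans apk debug output for repositories ignored with `UNTRUSTED signature` and for `no such package` errors, and flags the keyring as the first thing to check when both occur. The type and function names are hypothetical; the sample lines are copied from the log in the report.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog: four lines copied from the debug output in the report above.
const sampleLog = `Nov 23 10:58:07.616 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: UNTRUSTED signature
Nov 23 10:58:07.808 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: UNTRUSTED signature
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] zlib (no such package):
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] java-common (no such package):`

var (
	untrustedRe = regexp.MustCompile(`WARNING: Ignoring (\S+): UNTRUSTED signature`)
	missingRe   = regexp.MustCompile(`\] (\S+) \(no such package\):`)
)

// Report lists repositories apk dropped and packages the solver could not find.
type Report struct {
	IgnoredRepos []string
	MissingPkgs  []string
}

// Analyze scans apk debug output line by line and fills a Report.
func Analyze(log string) Report {
	var r Report
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if m := untrustedRe.FindStringSubmatch(sc.Text()); m != nil {
			r.IgnoredRepos = append(r.IgnoredRepos, m[1])
		}
		if m := missingRe.FindStringSubmatch(sc.Text()); m != nil {
			r.MissingPkgs = append(r.MissingPkgs, m[1])
		}
	}
	return r
}

// KeyringSuspect is true when unresolved packages coincide with ignored repositories.
func (r Report) KeyringSuspect() bool { return len(r.IgnoredRepos) > 0 && len(r.MissingPkgs) > 0 }

func main() {
	r := Analyze(sampleLog)
	fmt.Printf("ignored=%v missing=%v keyring-suspect=%v\n", r.IgnoredRepos, r.MissingPkgs, r.KeyringSuspect())
}
```

Run over a full build log, a non-empty `IgnoredRepos` is worth treating as a failure on its own, since apk only warns when it drops a repository index.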