chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile
https://apko.dev
Apache License 2.0

System Keyring is not loaded when defining an additional public key #417

Closed. tommy1199 closed this 1 year ago

tommy1199 commented 1 year ago

I tried to create an image with the bellsoft java runtime like this:

contents:
  repositories:
  - https://dl-cdn.alpinelinux.org/alpine/edge/main
  - https://dl-cdn.alpinelinux.org/alpine/edge/community
  - https://apk.bell-sw.com/main
  packages:
  - bellsoft-java19-runtime-lite
  keyring:
  - https://apk.bell-sw.com/info@bell-sw.com-5fea454e.rsa.pub
entrypoint:
  command: java --version
environment:
  PATH: /usr/lib/jvm/bellsoft-java19-runtime-lite/bin

When running the build command like this

docker run -v "$PWD":/work cgr.dev/chainguard/apko build --debug java.yaml java:test java.tar

I see the following error:

Nov 23 10:58:07.365 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/aarch64/APKINDEX.tar.gz
Nov 23 10:58:07.616 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: UNTRUSTED signature
Nov 23 10:58:07.616 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] fetch https://dl-cdn.alpinelinux.org/alpine/edge/community/aarch64/APKINDEX.tar.gz
Nov 23 10:58:07.808 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] fetch https://apk.bell-sw.com/main/aarch64/APKINDEX.tar.gz
Nov 23 10:58:07.808 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: UNTRUSTED signature
Nov 23 10:58:07.979 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:] ERROR: unable to select packages:
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:]   zlib (no such package):
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:]     required by: bellsoft-java19-runtime-lite-19.0.1_p11-r0[zlib]
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:]   java-common (no such package):
Nov 23 10:58:07.982 [DEBUG] [arch:aarch64] [cmd:apk] [use-proot:false] [use-qemu:]     required by: bellsoft-java19-runtime-lite-19.0.1_p11-r0[java-common]

It seems that the system key files are ignored in case a custom key file is defined in the keyring attribute. This leads to the issue that the main and community repositories are ignored due to untrusted keys.

I think the following lines cause this issue: https://github.com/chainguard-dev/apko/blob/30e7a8d4aa352b81b007a9a06f74861a6a3a80ef/pkg/apk/apk_implementation.go#L111-L116

I expected the additional keys to be appended to the system keys, not to replace them. Otherwise, when I define a custom key, I would also have to add the keys for the common alpine repositories, which is problematic as there are arch-specific keys for them, so my apko file would not work for all archs anymore.
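The append-instead-of-replace behaviour the reporter expects, as an added example in Go that is not apko's own code: `mergeKeyring` models both the reported behaviour and the expected one, and `untrustedRepos` shows which repositories apk would skip in each case. The Alpine key file name is a constructed placeholder, and the repository-to-signing-key mapping is an assumption made for illustration; the bell-sw key name is the one from the keyring entry above.

```go
package main

import "path/filepath"

// repoKey: repository -> file name of the key that signs its APKINDEX. The Alpine
// name is a constructed placeholder; the bell-sw name is the one from the issue.
var repoKey = map[string]string{
	"https://dl-cdn.alpinelinux.org/alpine/edge/main":      "alpine-devel@lists.alpinelinux.org-PLACEHOLDER.rsa.pub",
	"https://dl-cdn.alpinelinux.org/alpine/edge/community": "alpine-devel@lists.alpinelinux.org-PLACEHOLDER.rsa.pub",
	"https://apk.bell-sw.com/main":                          "info@bell-sw.com-5fea454e.rsa.pub",
}

// mergeKeyring returns the trusted key file names. replace=true models the reported
// bug (config keyring supersedes system keys); replace=false appends and dedupes.
// Entries may be local paths or URLs; apk identifies a key by its file name.
func mergeKeyring(systemKeys, extraKeys []string, replace bool) []string {
	seen := map[string]bool{}
	var out []string
	add := func(entry string) {
		name := filepath.Base(entry) // same name whether entry is a path or a URL
		if !seen[name] {
			seen[name] = true
			out = append(out, name)
		}
	}
	if !replace {
		for _, k := range systemKeys {
			add(k)
		}
	}
	for _, k := range extraKeys {
		add(k)
	}
	return out
}

// untrustedRepos lists the repositories apk would skip with "WARNING: Ignoring
// <repo>: UNTRUSTED signature": those whose signing key is absent from keyring.
func untrustedRepos(repos, keyring []string) []string {
	trusted := map[string]bool{}
	for _, k := range keyring {
		trusted[k] = true
	}
	var out []string
	for _, r := range repos {
		if !trusted[repoKey[r]] {
			out = append(out, r)
		}
	}
	return out
}
```

With the system key and the bell-sw key from the issue, `replace=true` leaves both Alpine repositories untrusted, which is exactly the warning in the debug log; `replace=false` trusts all three.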

tommy1199 commented 1 year ago

Any suggestions on how to solve this problem?

tommy1199 commented 1 year ago

As far as I have seen, this is fixed in the latest versions, so I am closing this ticket.