Closed ChrisJBurns closed 1 year ago
This is indicative that the underlying apk has changed and does not reflect the one in the index. When you make changes to an apk, you should increase the epoch value so a new package is indexed.
@kaniini So I've completely removed the folder where the apks are being created, including deleting the `APKINDEX.json` and `APKINDEX.tar.gz`, then regenerated them with `docker run --privileged --rm -v "${PWD}":/work cgr.dev/chainguard/melange:latest build melange.yaml --signing-key melange.rsa`, then reran the Docker container where I am adding the local file server as the APK repository, and when I run `apk update` it still fails with UNTRUSTED error

```
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
fetch http://host.docker.internal:9999/hello-c/packages/x86_64/APKINDEX.tar.gz
WARNING: updating and opening http://host.docker.internal:9999/hello-c/packages: UNTRUSTED signature
v3.18.2-575-g02de16b1332 [https://dl-cdn.alpinelinux.org/alpine/v3.18/main]
v3.18.2-587-g045c1850e7f [https://dl-cdn.alpinelinux.org/alpine/v3.18/community]
2 unavailable, 0 stale; 20070 distinct packages available
```

It's worth mentioning I built the new APK with an epoch of `1691406087`; it's been added to the name of the apk itself, so it didn't really seem to make much difference.
Not sure if I'm doing something obviously wrong, but I've built an `apk` package using the following example: https://github.com/ChrisJBurns/building-oci-images-with-melange-and-apko/tree/main/images/hello-c

To cut a long story short, it builds the `apk` fine, I can then build the OCI image with `apko` and run it with no problems.

I wanted to see if I could get it to work and install the `apk` package into a Docker image using a simple Go app that simply acts as a file server to serve the `hello` package. Using the following Dockerfile I can build a Docker image, run the image, and run `apk update --allow-untrusted` and it updates the default Alpine repositories as well as my local `@personal` one, which is basically my simple dummy APK repo (Go app running a FileServer). I can then run `apk add hello@personal --allow-untrusted` with no issues, it installs the `hello` package and I can run it and it will output the text that I expect.

The problem for me is when I try to remove the `--allow-untrusted` flag. Even if I put the public key that I used to sign the package itself into the `/etc/apk/keys/` directory, and then run `apk add hello@personal` I get the following:

Also confusingly, if I was to rename the key from `/etc/apk/keys/cburns@host.docker.internal-7db90524.rsa.pub` to `/etc/apk/keys/melange.rsa.pub` I get the same error but instead of `UNTRUSTED Signature`, I get `BAD Signature`.

Is this something that someone else has run into before? I can't see anything mentioning either error in any issues, so maybe I'm just doing something obviously wrong.
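An added diagnostic, not part of the issue thread and not code from melange or apk-tools: apk-tools v2 chooses the verification key by file name, taking it from the `.SIGN.RSA.<key file name>` member in the first gzip stream of a signed index or package and opening that name under `/etc/apk/keys/`. The script below reports which key file name an index asks for and whether a file of that name exists in a keys directory; `sample_index()` is constructed test data, and the signer name `melange.rsa.pub` in it is an assumption.

```python
import io, os, tarfile, tempfile, zlib

# apk-tools v2 signature members: ".SIGN.RSA.<key file>" or ".SIGN.RSA256.<key file>"
SIG_PREFIXES = (".SIGN.RSA.", ".SIGN.RSA256.")

def signer_key_names(blob: bytes) -> list:
    """Return the key file names named by the first gzip stream of an index/.apk."""
    stream = zlib.decompressobj(wbits=31)      # 31 = gzip framing
    first = stream.decompress(blob)            # stops where the first gzip stream ends
    with tarfile.open(fileobj=io.BytesIO(first), mode="r:") as tar:
        members = tar.getnames()
    return [m[len(p):] for m in members for p in SIG_PREFIXES if m.startswith(p)]

def diagnose(blob: bytes, keys_dir: str) -> str:
    """Compare the key name the signature asks for with the files in keys_dir."""
    wanted = signer_key_names(blob)
    if not wanted:
        return "unsigned"
    for name in wanted:
        if os.path.isfile(os.path.join(keys_dir, name)):
            # Name matches; apk will then verify against this file's contents.
            return "key-file-found:" + name
    return "key-file-missing:" + wanted[0]

def _gz_tar(members: dict) -> bytes:
    """Build one gzip-compressed tar stream from {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_index() -> bytes:
    """Constructed stand-in for a signed APKINDEX.tar.gz (signature bytes are dummy)."""
    return (_gz_tar({".SIGN.RSA.melange.rsa.pub": b"\x00" * 256})
            + _gz_tar({"APKINDEX": b"P:hello\nV:0.1.0-r0\n"}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as keys:
        # Key installed under the file name from the issue, not the name in the signature.
        installed = os.path.join(keys, "cburns@host.docker.internal-7db90524.rsa.pub")
        open(installed, "w").close()
        print(signer_key_names(sample_index()), diagnose(sample_index(), keys))
```

Against a real repository, pass the bytes of `APKINDEX.tar.gz` and the path `/etc/apk/keys` to `diagnose()`. A name match only means apk will attempt verification with that file, not that the signature is valid for it.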