chainguard-dev / melange

build APKs from source code
Apache License 2.0

BAD Signature when Installing `apk` package #591

Closed ChrisJBurns closed 1 year ago

ChrisJBurns commented 1 year ago

Not sure if I'm doing something obviously wrong, but I've built an apk package using the following example: https://github.com/ChrisJBurns/building-oci-images-with-melange-and-apko/tree/main/images/hello-c

To cut a long story short, it builds the apk fine; I can then build the OCI image with apko and run it with no problems.

I wanted to see if I could get it to work and install the apk package into a Docker image using a simple Go app that simply acts as a file server to serve the hello package, using the following Dockerfile:

FROM alpine

COPY files/hello-c/melange.rsa.pub /etc/apk/keys/melange.rsa.pub
RUN echo "@personal http://host.docker.internal:9999/hello-c/packages" | tee -a /etc/apk/repositories

I can build a Docker image, run the image, and run apk update --allow-untrusted, and it updates the default Alpine repositories as well as my local @personal one, which is basically my simple dummy APK repo (a Go app running a FileServer). I can then run apk add hello@personal --allow-untrusted with no issues; it installs the hello package, and I can run it and it outputs the text that I expect.

The problem for me is when I try to remove the --allow-untrusted flag. Even if I put the public key that I used to sign the package into the /etc/apk/keys/ directory and then run apk add hello@personal, I get the following:

fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
fetch http://host.docker.internal:9999/hello-c/packages/x86_64/APKINDEX.tar.gz
WARNING: updating and opening http://host.docker.internal:9999/hello-c/packages: UNTRUSTED signature
WARNING: The repository tag for world dependency 'hello@personal' does not exist
ERROR: Not committing changes due to missing repository tags. Use --force-broken-world to override.

Also confusingly, if I rename the key from /etc/apk/keys/cburns@host.docker.internal-7db90524.rsa.pub to /etc/apk/keys/melange.rsa.pub, I get the same error, but instead of UNTRUSTED signature I get BAD signature.

Is this something that someone else has run into before? I can't see anything mentioning either error in any issues, so maybe I'm just doing something obviously wrong.
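The difference between the two errors in the post above comes down to how apk finds the key for an index signature: the signature sits in a tar entry named .SIGN.RSA.<keyfile> at the front of APKINDEX.tar.gz, and apk looks for exactly that <keyfile> under /etc/apk/keys. If no such file exists the index is reported UNTRUSTED; if it exists but the RSA check fails, the index is reported as a BAD signature. The script below is an added example, not code from melange or from either participant in this issue. It constructs a signed index in memory with a placeholder signature blob (so it checks key-file naming only, not the RSA signature itself), assumes melange names the entry after the signing key's basename plus .pub (melange.rsa -> .SIGN.RSA.melange.rsa.pub), and reports which key file name a given index expects:

```python
# Added example: diagnose why apk reports UNTRUSTED for a signed APKINDEX.tar.gz.
# Not melange's code; the index and keys directory below are constructed in-memory.
import gzip
import io
import os
import tarfile
import tempfile
import zlib

# apk index signatures live in a tar entry named .SIGN.RSA.<keyfile> (SHA-1)
# or .SIGN.RSA256.<keyfile> (SHA-256); <keyfile> is looked up in /etc/apk/keys.
SIGNATURE_PREFIXES = (".SIGN.RSA256.", ".SIGN.RSA.")


def melange_signature_entry(signing_key_path: str) -> str:
    """Entry name melange writes for --signing-key <path>: basename + '.pub'
    (assumption stated in the lead-in), e.g. melange.rsa -> .SIGN.RSA.melange.rsa.pub."""
    return ".SIGN.RSA." + os.path.basename(signing_key_path) + ".pub"


def split_gzip_streams(data: bytes) -> list:
    """Decompress each concatenated gzip stream in data, in order.
    A signed index is two streams: the signature tar, then the APKINDEX tar."""
    streams = []
    rest = data
    while rest:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        streams.append(d.decompress(rest))
        rest = d.unused_data  # bytes after the end of this gzip member
    return streams


def tar_member_names(tar_bytes: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def expected_key_files(signed_index: bytes) -> list:
    """Key file names apk will try to open under /etc/apk/keys for this index."""
    names = []
    for name in tar_member_names(split_gzip_streams(signed_index)[0]):
        for prefix in SIGNATURE_PREFIXES:
            if name.startswith(prefix):
                names.append(name[len(prefix):])
                break
    return names


def diagnose(signed_index: bytes, keys_dir: str) -> dict:
    """Compare the key names the index demands with the files actually installed."""
    expected = expected_key_files(signed_index)
    present = sorted(os.listdir(keys_dir)) if os.path.isdir(keys_dir) else []
    matched = [k for k in expected if k in present]
    if not expected:
        verdict = "UNSIGNED: index carries no .SIGN.RSA entry"
    elif not matched:
        verdict = ("UNTRUSTED: no file named " + " or ".join(expected)
                   + " in " + keys_dir + " (rename or copy the .pub key to that name)")
    else:
        verdict = ("KEY FOUND: apk will verify with " + ", ".join(matched)
                   + "; a BAD signature from here means key and index bytes do not match")
    return {"expected_keys": expected, "keys_present": present,
            "matched": matched, "verdict": verdict}


def build_signed_index(entry_name: str, signature: bytes, apkindex_text: str) -> bytes:
    """Constructed signed APKINDEX.tar.gz: signature tar.gz followed by index tar.gz.
    A real signature is RSA over the bytes of the second gzip stream."""
    def tar_gz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tf:
            for name, payload in entries:
                info = tarfile.TarInfo(name)
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
        return gzip.compress(buf.getvalue())

    index_part = tar_gz([("APKINDEX", apkindex_text.encode()), ("DESCRIPTION", b"demo")])
    sig_part = tar_gz([(entry_name, signature)])
    return sig_part + index_part


def demo(installed_key_file: str) -> dict:
    """Constructed scenario: index signed with melange.rsa, one key installed
    under the given file name. Returns diagnose()'s result."""
    index = build_signed_index(melange_signature_entry("melange.rsa"),
                               b"<placeholder signature bytes>",
                               "C:Q1placeholder\nP:hello\nV:0.0.1-r0\n\n")
    with tempfile.TemporaryDirectory() as keys_dir:
        with open(os.path.join(keys_dir, installed_key_file), "wb") as fh:
            fh.write(b"-----BEGIN PUBLIC KEY-----\n(constructed)\n-----END PUBLIC KEY-----\n")
        return diagnose(index, keys_dir)


if __name__ == "__main__":
    for key_file in ("cburns@host.docker.internal-7db90524.rsa.pub", "melange.rsa.pub"):
        print(key_file, "->", demo(key_file)["verdict"])
```

Run against a real index by passing open("APKINDEX.tar.gz", "rb").read() and "/etc/apk/keys" to diagnose(); the key file it names is the one that has to exist, byte-for-byte the public half of the signing key, before apk moves on to the actual RSA check.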

kaniini commented 1 year ago

This is indicative that the underlying apk has changed and does not reflect the one in the index. When you make changes to an apk, you should increase the epoch value so a new package is indexed.

ChrisJBurns commented 1 year ago

@kaniini So I've completely removed the folder where the apks are being created, including deleting the APKINDEX.json and APKINDEX.tar.gz, then regenerated them with docker run --privileged --rm -v "${PWD}":/work cgr.dev/chainguard/melange:latest build melange.yaml --signing-key melange.rsa, then rerun the Docker container where I am adding the local file server as the APK repository. When I run apk update it still fails with the UNTRUSTED error:

/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
fetch http://host.docker.internal:9999/hello-c/packages/x86_64/APKINDEX.tar.gz
WARNING: updating and opening http://host.docker.internal:9999/hello-c/packages: UNTRUSTED signature
v3.18.2-575-g02de16b1332 [https://dl-cdn.alpinelinux.org/alpine/v3.18/main]
v3.18.2-587-g045c1850e7f [https://dl-cdn.alpinelinux.org/alpine/v3.18/community]
2 unavailable, 0 stale; 20070 distinct packages available

It's worth mentioning that I built the new APK with an epoch of 1691406087; it's been added to the name of the apk itself, so it didn't really seem to make much difference.