chainguard-dev / melange

build APKs from source code
Apache License 2.0

`UNTRUSTED Signature` when installing package with apk #656

Closed ChrisJBurns closed 1 year ago

ChrisJBurns commented 1 year ago

Added a comment in https://github.com/chainguard-dev/melange/issues/591 but didn't get a response so assumed a new issue was required.

Context

I am building a simple file server in Go that is able to act as an APK repository which I can access from inside a Docker container. I am creating an apk with Melange (successfully), I am then running the Docker container and can install the apk (pointing to the local Go program running on my host); however, I can only install it when I provide --allow-untrusted.

Steps

I am able to build an apk fine with Melange using the following:

package:
  name: hello
  version: 1.0.0
  description: "a hello world program"
  epoch: 1691406087
  target-architecture:
    - x86_64
  copyright:
    - paths:
      - "*"
      attestation: |
        This program is in the public domain.
      license: CC-PDDC
  dependencies:
    runtime:

environment:
  contents:
    repositories:
      - https://dl-cdn.alpinelinux.org/alpine/edge/main
    packages:
      - alpine-baselayout-data
      - busybox
      - build-base
      - scanelf
      - ssl_client
      - ca-certificates-bundle

pipeline:
  - uses: autoconf/make
  - uses: autoconf/make-install
  - uses: strip

I am creating an image with the local packages folder that contains the apk added to the apk repositories:

FROM alpine
COPY files/hello-c/melange.rsa.pub /etc/apk/keys/.SIGN.RSA.melange.rsa.pub
RUN echo "@personal http://host.docker.internal:9999/hello-c/packages" | tee -a /etc/apk/repositories

However, when I run the Docker image and perform an apk update, I get the following error.

/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
fetch http://host.docker.internal:9999/hello-c/packages/x86_64/APKINDEX.tar.gz
WARNING: updating and opening http://host.docker.internal:9999/hello-c/packages: UNTRUSTED signature
v3.18.3-142-g22deefdcc73 [https://dl-cdn.alpinelinux.org/alpine/v3.18/main]
v3.18.3-143-gb6caa842e6b [https://dl-cdn.alpinelinux.org/alpine/v3.18/community]
2 unavailable, 0 stale; 20070 distinct packages available

I also get the same error when I try installing the hello package via apk add hello@personal.

I can verify that the key has been added to /etc/apk/keys:

/ # ls -al /etc/apk/keys
total 36
drwxr-xr-x    1 root     root          4096 Aug  5 18:52 .
drwxr-xr-x    1 root     root          4096 Jun 14 15:03 ..
-rw-r--r--    1 root     root           800 Aug  5 17:17 .SIGN.RSA.melange.rsa.pub
-rw-r--r--    1 root     root           451 Oct 18  2021 alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
-rw-r--r--    1 root     root           451 Oct 18  2021 alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
-rw-r--r--    1 root     root           451 Oct 18  2021 alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
-rw-r--r--    1 root     root           800 Oct 18  2021 alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
-rw-r--r--    1 root     root           800 Oct 18  2021 alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub

I'm not entirely sure why it is complaining about an untrusted signature as I trust that Melange is indeed signing the apk and the public key exists in the /etc/apk/keys directory.

debasishbsws commented 1 year ago

It seems the problem you are having is because you are renaming the public key from melange.rsa.pub to .SIGN.RSA.melange.rsa.pub.

This should work ⬇️

FROM alpine
COPY files/hello-c/melange.rsa.pub /etc/apk/keys/melange.rsa.pub
RUN echo "@personal http://host.docker.internal:9999/hello-c/packages" | tee -a /etc/apk/repositories

This issue has nothing to do with melange; it happens across Alpine.

Though for SSL and others the filename of the key doesn't matter, only the content is important, here for some reason the name is also important.

For example, if you rename one of the pre-existing keys in Alpine:

cd /etc/apk/keys/
mv alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub a.rsa.pub
mv alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub b.rsa.pub
mv alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub c.rsa.pub
...
...

and try to apk update or add a package from the Alpine repo, it gives the same UNTRUSTED signature error.

# apk add wget
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: UNTRUSTED signature
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: UNTRUSTED signature
ERROR: unable to select packages:
  wget (no such package):
    required by: world[wget]
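
As an added example (not part of this thread or of melange itself), a small Python check that reads the `.SIGN.RSA.*` entry of a signed index and reports which key file name apk will look for under /etc/apk/keys, so a rename like the one above shows up as a missing key. The index it builds is a constructed stand-in whose signature bytes are a placeholder, not a real RSA signature.

```python
import io
import tarfile

# Signature entries inside a signed APKINDEX.tar.gz (or .apk) are named
# ".SIGN.RSA.<keyfile>" or ".SIGN.RSA256.<keyfile>"; apk resolves <keyfile>
# against /etc/apk/keys/<keyfile>, which is why the file name matters.
SIG_PREFIXES = (".SIGN.RSA256.", ".SIGN.RSA.")


def expected_key_files(index_bytes: bytes) -> list[str]:
    """Key file names referenced by the signature entries of a signed tarball.

    Real signed indexes are concatenated gzip segments (signature, then index);
    Python's gzip reader handles concatenated members, so tarfile sees both.
    """
    names = []
    with tarfile.open(fileobj=io.BytesIO(index_bytes), mode="r:gz") as tar:
        for member in tar:
            for prefix in SIG_PREFIXES:
                if member.name.startswith(prefix):
                    names.append(member.name[len(prefix):])
                    break
    return names


def missing_keys(index_bytes: bytes, installed_keys) -> list[str]:
    """Key names the signature needs that are absent from the /etc/apk/keys listing.

    installed_keys is an iterable of file names, e.g. os.listdir("/etc/apk/keys").
    """
    installed = set(installed_keys)
    return [k for k in expected_key_files(index_bytes) if k not in installed]


def build_sample_index(key_file: str) -> bytes:
    """Constructed stand-in for a signed index; the signature payload is a placeholder."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        entries = (
            (f".SIGN.RSA.{key_file}", b"<placeholder signature bytes>"),
            ("APKINDEX", b"P:hello\nV:1.0.0-r0\n"),
        )
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Pointing `missing_keys` at a real APKINDEX.tar.gz and `os.listdir("/etc/apk/keys")` tells you which file name to restore before apk will trust the repository.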

ChrisJBurns commented 1 year ago

Interesting. I renamed the key because it was originally melange.rsa.pub and I saw a bit on the Alpine spec about it needing to be a certain name. However, I have just altered the Dockerfile so that the melange key file name doesn't change and can confirm things work as expected and I get no UNTRUSTED signature errors.

What makes it more weird is that I changed the key file name because I had errors before, although at this point I'll have to factor it down to the fact that I've made quite a few changes and tweaks in several places that may be clouding the waters. Either way, I've got something to work and I can close this issue!

Thanks @debasishbsws