goreleaser / nfpm

nFPM is Not FPM - a simple deb, rpm, apk, ipk, and arch linux packager written in Go
https://nfpm.goreleaser.com/
MIT License

[apk] Cannot sign package #799

Closed cnt0 closed 6 months ago

cnt0 commented 6 months ago

What happened?

Hello. I'm trying to sign an apk package with key generated by abuild-keygen, which is a standard tool for alpine linux distribution.

It fails with the following message:

signing error: parse PKCS1 private key: x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)

How can we reproduce this?

  1. generate a keypair using the following command: $ abuild-keygen -a -i; it'll be saved to ~/.abuild and /etc/apk/keys
  2. add signature information to nfpm.yaml (the exact key name will indeed be different):
     apk:
       signature:
         key_file: /home/user/.abuild/user@email.com-xxxxxxxx.rsa
         key_name: user@email.com-xxxxxxxx
  3. try generating a package:
     $ nfpm pkg --packager apk --target package.apk

expected result: apk successfully generated

actual result: the aforementioned message

signing error: parse PKCS1 private key: x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)

This issue can be solved by manually converting the key to the required PKCS1 format: openssl rsa -in key.pkcs8 -out key.pkcs1 -traditional, but still, I believe the default can be changed.

nfpm version

GitVersion:    2.35.3
GitCommit:     unknown
GitTreeState:  unknown
BuildDate:     unknown
BuiltBy:       unknown
GoVersion:     go1.22.1
Compiler:      gc
ModuleSum:     unknown
Platform:      linux/amd64

Additional context

openssl version, just in case:

$ openssl version
OpenSSL 3.1.5 30 Jan 2024 (Library: OpenSSL 3.1.5 30 Jan 2024)

Also, I verified that the key generated by abuild-keygen is indeed a PEM-encoded RSA-4096 private key.

abuild-keygen version: abuild-keygen 3.12.0-r4
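The error quoted above comes from Go's x509 package: a loader that only calls ParsePKCS1PrivateKey rejects the PKCS#8 container ("PRIVATE KEY") that abuild-keygen wrote, even though the key inside is an ordinary RSA key. The following is an added illustration, not nfpm's own code, of a loader that dispatches on the PEM block type and accepts both containers while still refusing non-RSA PKCS#8 keys and encrypted keys. The key material is generated in-process purely as constructed test input; nothing here reads a real abuild key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
)

// ParseRSAPrivateKeyPEM loads an RSA private key from PEM, accepting both the
// PKCS#1 container ("RSA PRIVATE KEY") and the PKCS#8 container ("PRIVATE KEY").
// A PKCS#1-only parser fails on PKCS#8 input with the x509 error quoted in the
// issue; dispatching on the PEM block type avoids that without asking the user
// to convert the key by hand.
func ParseRSAPrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found in key file")
	}
	switch block.Type {
	case "RSA PRIVATE KEY": // PKCS#1, what "openssl rsa -traditional" writes
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse PKCS1 private key: %w", err)
		}
		return key, nil
	case "PRIVATE KEY": // PKCS#8, the container abuild-keygen produced in the issue
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse PKCS8 private key: %w", err)
		}
		// PKCS#8 can wrap any algorithm; apk signing needs RSA specifically.
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("PKCS8 key is %T, not an RSA key", key)
		}
		return rsaKey, nil
	case "ENCRYPTED PRIVATE KEY":
		return nil, errors.New("encrypted PKCS8 keys are not supported; decrypt the key first")
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// EncodeBoth serialises one RSA key in both containers so the loader can be
// exercised against each (constructed test input, not a real signing key).
func EncodeBoth(key *rsa.PrivateKey) (pkcs1PEM, pkcs8PEM []byte, err error) {
	pkcs1PEM = pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	pkcs8PEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return pkcs1PEM, pkcs8PEM, nil
}

// NonRSAPKCS8PEM returns a PKCS#8 PEM holding an ECDSA key, to show that the
// loader rejects a syntactically valid PKCS#8 file of the wrong algorithm.
func NonRSAPKCS8PEM() ([]byte, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(ec)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	if err != nil {
		log.Fatal(err)
	}
	pkcs1PEM, pkcs8PEM, err := EncodeBoth(key)
	if err != nil {
		log.Fatal(err)
	}
	for name, data := range map[string][]byte{"PKCS#1": pkcs1PEM, "PKCS#8": pkcs8PEM} {
		k, err := ParseRSAPrivateKeyPEM(data)
		if err != nil {
			log.Fatalf("%s: %v", name, err)
		}
		fmt.Printf("%s container: loaded RSA-%d key\n", name, k.N.BitLen())
	}
	ecPEM, _ := NonRSAPKCS8PEM()
	_, err = ParseRSAPrivateKeyPEM(ecPEM)
	fmt.Println("non-RSA PKCS#8 rejected:", err)
}
```

Dispatching on the block type rather than trying parsers in sequence keeps the error messages precise (a corrupt PKCS#8 key is reported as such instead of as a PKCS#1 failure) and makes the explicit type assertion the only place where a non-RSA key can slip through.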

caarlos0 commented 6 months ago

good find!

if anyone wants to PR this, please feel free to :)

cnt0 commented 6 months ago

I'll make a PR in case of successful time allocation, which is non-deterministic :/

Also, I'd like to mention that apk-tools developers are currently cooking some completely new binary format for their packages, with sha512 signatures and the like (apk v3, the current one is apk v2), so this will require more work in the future

caarlos0 commented 6 months ago

ahh, good to know!