goreleaser / nfpm

nFPM is Not FPM - a simple deb, rpm, apk, ipk, and arch linux packager written in Go
https://nfpm.goreleaser.com/
MIT License

[apk] Misleading documentation for apk.signature.key_name #806

Closed cnt0 closed 3 months ago

cnt0 commented 3 months ago

What happened?

The documentation says the following about this attribute:

# The name of the signing key. When verifying a package, the signature 
# is matched to the public key store in /etc/apk/keys/<key_name>.rsa.pub.
# If unset, it defaults to the maintainer email address.

However, this is incorrect. As evident from the code, nfpm will add the .rsa.pub extension only when key_name is unset. apk, for its part, also doesn't add this extension when looking for the key. So this results in a key lookup error in apk.

I believe we should add the .rsa.pub extension in the mentioned piece of code unconditionally, matching both the documentation and the already existing behavior in case of unset key_name.

How can we reproduce this?

Prepare a signed apk package with a config like

# ...
apk:
  signature:
    key_file: xxxx.rsa
    key_name: xxxx

omitting the .rsa.pub extension in key_name. Try installing this package with apk add.

nfpm version

the one from https://github.com/goreleaser/nfpm/pull/804 (so git main, essentially)


caarlos0 commented 3 months ago

something like this: https://github.com/goreleaser/nfpm/pull/808 ?

cnt0 commented 3 months ago

yes, can confirm that #808 fixes the issue
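The naming rule discussed in this issue, as an added example that is not part of the thread and is not nfpm's own code or the change in #808: the key name is given the .rsa.pub extension whether or not key_name is set, so the signature entry matches a file under /etc/apk/keys/. The function names, the maintainer string and the file-name check are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

const keySuffix = ".rsa.pub"

// signatureKeyName is a hypothetical helper, not nfpm's own function.
// It returns the key file name that apk will look up under /etc/apk/keys/.
func signatureKeyName(keyName, maintainer string) (string, error) {
	name := strings.TrimSpace(keyName)
	if name == "" {
		// Documented default: fall back to the maintainer email address.
		addr, err := mail.ParseAddress(maintainer)
		if err != nil {
			return "", fmt.Errorf("no key_name and no usable maintainer email: %w", err)
		}
		name = addr.Address
	}
	// The name becomes a file name in the trusted key directory, so refuse
	// anything that could point outside it (an added check, an assumption).
	if strings.ContainsAny(name, `/\`) || strings.HasPrefix(name, ".") {
		return "", errors.New("key name must be a plain file name")
	}
	// Append the extension whether or not key_name was set, but only once.
	if !strings.HasSuffix(name, keySuffix) {
		name += keySuffix
	}
	return name, nil
}

// signatureEntry is the signature member name inside the .apk archive;
// apk takes the text after ".SIGN.RSA." as the key file name, unchanged.
func signatureEntry(name string) string { return ".SIGN.RSA." + name }

func main() {
	// Constructed sample inputs: short name, full name, unset key_name.
	for _, kn := range []string{"xxxx", "xxxx.rsa.pub", ""} {
		name, err := signatureKeyName(kn, "Jane Doe <jane@example.com>")
		fmt.Println(signatureEntry(name), "-> /etc/apk/keys/"+name, err)
	}
}
```

With this rule, key_name: xxxx and key_name: xxxx.rsa.pub both resolve to the same installed public key file.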