search

sgerrand / alpine-pkg-glibc

A glibc compatibility layer package for Alpine Linux
2.05k stars 280 forks source link

UNTRUSTED signature #100

Closed momenso closed 5 years ago

momenso commented 5 years ago

Unstrusted signature despite applying the "new" signature:

How to reproduce:

$ apk --no-cache add ca-certificates
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
OK: 111 MiB in 66 packages
$ wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand/sgerrand.rsa.pub
$ wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.28-r0/glibc-2.28-r0.apk
Connecting to github.com (192.30.253.112:443)
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (52.216.85.211:443)
glibc-2.28-r0.apk    100% |*******************************|  2219k  0:00:00 ETA

$ apk add glibc-2.28-r0.apk
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
ERROR: glibc-2.28-r0.apk: UNTRUSTED signature
momenso commented 5 years ago

My mistake, the pub key URL was wrong. Using https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub, instead of https://alpine-pkgs.sgerrand.com/sgerrand/sgerrand.rsa.pub solves that.