sgerrand / alpine-pkg-glibc

A glibc compatibility layer package for Alpine Linux

Signature is untrusted #21

Closed ssk2 closed 8 years ago

ssk2 commented 8 years ago

Copied and pasted the commands from the README into an Alpine Linux based container to see the following:

bash-4.3# apk --no-cache add ca-certificates
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
OK: 333 MiB in 83 packages
bash-4.3# wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/master/sgerrand.rsa.pub
bash-4.3# wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.23-r1/glibc-2.23-r1.apk
Connecting to github.com (192.30.252.130:443)
Connecting to github-cloud.s3.amazonaws.com (54.231.73.11:443)
glibc-2.23-r1.apk    100% |**********************************************************************************************************************************|  2874k  0:00:00 ETA
bash-4.3# apk add glibc-2.23-r1.apk
WARNING: Ignoring APKINDEX.5a59b88b.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.7c1f02d6.tar.gz: No such file or directory
ERROR: glibc-2.23-r1.apk: UNTRUSTED signature

The same goes for the -r2 .apk. I'd like to avoid using --allow-untrusted with apk - any idea why these packages are bust?

AVVS commented 8 years ago

pub key is incorrectly pasted:


-e -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8PPnzNQU/dK+C5PG5Fdh
FHDr8isnIzLrNISB3/DobVG700VYdd7q654etSmoB9PQjuUXLejBUN2CUx/8Gs1w
IFQ8xFa1pMRhwq6/ECUfkWFpKwzotTIaW4NkQ6pWrXoKTQF45741izERdvwE3bRZ
/OWLQwk+sXVLMAHMhXy4Ae2lN3jyaJTnUHtedI/rWrFnaLF9tOMwme9zRNd9OiHy
i9puDbNM7pqW1PzLaqSXhtZH2We6sxf1AQdY0OFIfC1PszefAjLCaAI1chuwLOwM
RY/n0wOS9GbdFqoxXEIQnKBgrOLfNrFAIvoVgL35zznI6JYWm/Cw6M603KTR+ldP
SQIDAQAB
-----END PUBLIC KEY-----
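
The malformed first line shown in the comment above can be caught before the key is installed. The following is an added example, not part of the original thread or the project's code: the function names `check_apk_pubkey` and `write_samples` are hypothetical, and the sample key bodies are constructed placeholders rather than real key material.

```sh
#!/bin/sh
# Added example: reject a badly framed PEM public key before it is copied
# into /etc/apk/keys. Sample key bodies are constructed, not real keys.

# check_apk_pubkey FILE: return 0 only if FILE is a cleanly framed PEM public key.
check_apk_pubkey() {
    f=$1
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")
    # Each marker must be the whole line, so "-e -----BEGIN PUBLIC KEY-----" fails.
    if [ "$first" != "-----BEGIN PUBLIC KEY-----" ]; then
        echo "$f: unexpected first line: $first" >&2; return 1
    fi
    if [ "$last" != "-----END PUBLIC KEY-----" ]; then
        echo "$f: unexpected last line: $last" >&2; return 1
    fi
    # Between the markers: at least one line, and base64 characters only.
    sed '1d;$d' "$f" | grep -q . || { echo "$f: empty key body" >&2; return 1; }
    if sed '1d;$d' "$f" | grep -q -v -E '^[A-Za-z0-9+/]+=*$'; then
        echo "$f: non-base64 data in key body" >&2; return 1
    fi
    return 0
}

# write_samples DIR: create one well-formed and one malformed key file (constructed).
write_samples() {
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURURTQU1QTEU=' \
        '-----END PUBLIC KEY-----' > "$1/good.rsa.pub"
    # Same content with the stray "-e " prefix seen in the pasted key.
    printf '%s\n' '-e -----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURURTQU1QTEU=' \
        '-----END PUBLIC KEY-----' > "$1/bad.rsa.pub"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for k in good.rsa.pub bad.rsa.pub; do
    if check_apk_pubkey "$demo_dir/$k"; then
        echo "$k: framing OK"
    else
        echo "$k: rejected"
    fi
done
rm -rf "$demo_dir"
```

This checks framing only; it does not establish that the file is the key the package was signed with.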

jordaaash commented 8 years ago

Yeah, I saw this in 3db7b4c4729f8128df99c9007a56a8f0d1e65955. This change also breaks https://github.com/frol/docker-alpine-glibc which relies on andyshinn.rsa.pub.

ssk2 commented 8 years ago

Workaround is to use the key provided for the release: https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.23-r2/sgerrand.rsa.pub

sgerrand commented 8 years ago

@ssk2 @jordansexton: Thanks for picking this up and apologies for being late to the party. 💝

dettmering commented 6 years ago

This issue is reappearing and breaks a Docker build: https://github.com/dettmering/hugo-build/blob/dc2c120180a4bef612ae26a483ca5c470ec7aeb0/Dockerfile

Can you please check if the SSH keys are out of date again?

Thank you!

springerigor commented 6 years ago

Hey @dettmering. The URL to the public key has changed:

Any previous reference to https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/master/sgerrand.rsa.pub should be updated with immediate effect to https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub.

More details https://github.com/sgerrand/alpine-pkg-glibc

Ansari-test commented 5 years ago

Hi,

I have executed these commands, but could not find where gcc is placed.

RUN apk --no-cache add ca-certificates wget
RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
RUN wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.28-r0/glibc-2.28-r0.apk
RUN apk add glibc-2.28-r0.apk

Could someone help me?

irsham commented 5 years ago

Hey @dettmering. The URL to the public key has changed:

Any previous reference to https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/master/sgerrand.rsa.pub should be updated with immediate effect to https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub.

More details https://github.com/sgerrand/alpine-pkg-glibc

used the same but still facing the issue