:warning: The URL of the public signing key has changed! :warning:
Any previous reference to https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/master/sgerrand.rsa.pub should be updated with immediate effect to https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub.
https://github.com/sgerrand/alpine-pkg-glibc/commit/6dffcfc309e3ef7ec9ba55aaf582ab2f202906bd
Unfortunately, https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub has a problem with availability or with cert https://github.com/sgerrand/alpine-pkg-glibc/issues/92:
```
$ date -u
Wed Aug 15 11:33:15 UTC 2018
$ curl -v -k https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub --connect-timeout 30
* About to connect() to alpine-pkgs.sgerrand.com port 443 (#0)
* Trying 69.163.161.90...
* Connection refused
* Failed connect to alpine-pkgs.sgerrand.com:443; Connection refused
* Closing connection 0
curl: (7) Failed connect to alpine-pkgs.sgerrand.com:443; Connection refused
```
The link is reachable (at this point in time), though the availability is a valid concern. Personally, I have decided to embed the key into my scripts.
Embedding isn't so bad. I was using the version in my scripts to calculate the download in a Dockerfile so that if it changes with the version for one reason or another it is one less thing to have to worry about.
If I need to abandon the version-specific one I guess I can do that.
Apologies for the delay in replying. The process of reissuing the SSL certificate for that domain had silently broken and I've updated it (as well as adding monitoring specifically for the SSL certificate expiry).
> Personally, I have decided to embed the key into my scripts.
I strongly recommend that you don't do that. I've put work into making sure that the domain that hosts the public key will be highly available. Note that if the signing key does get rotated then any cached version will fail.
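A middle ground between the two approaches discussed above, as an added example that is not part of the thread or the project's own code: fetch the key from the published URL with certificate verification left on, and compare it against a pinned SHA-256 so that a rotated key or an altered download stops the build instead of being trusted silently. The function names, the key destination path and the digest placeholder are assumptions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the digest is a placeholder.
KEY_URL="https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub"  # URL from the thread
KEY_SHA256="<sha256-of-the-key-you-verified>"                # placeholder, not a real value
KEY_DEST="/etc/apk/keys/sgerrand.rsa.pub"                    # assumed apk key directory

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 only if FILE is non-empty and its digest equals EXPECTED.
verify_key_digest() {
    [ -s "$1" ] || { echo "key file missing or empty: $1" >&2; return 1; }
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch: key rotated or download altered" >&2
        echo "  expected $2" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# Download URL to a temp file, verify it, then install it at DEST.
install_pinned_key() {
    tmp=$(mktemp) || return 1
    # No -k here: a certificate error must fail the build, not be skipped.
    if curl --fail --silent --show-error --connect-timeout 30 --retry 3 \
            -o "$tmp" "$1" && verify_key_digest "$tmp" "$2"; then
        install -m 0644 "$tmp" "$3"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Only touch the network when called as: sh fetch-key.sh install
if [ "${1:-}" = "install" ]; then
    install_pinned_key "$KEY_URL" "$KEY_SHA256" "$KEY_DEST"
fi
```

When the signing key is rotated, the mismatch message is the signal to verify the new key out of band and update the pinned digest.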
The release for 2.28-r0 (here) does not have the sgerrand.rsa.pub file published.