apk-tools 2.14.3 fails to install package with untrusted signature
We have an automated build system that as part of its processes produces an alpine images. Part of this process includes the installation of an alpine linux package built with fpm. On the alpine 3.17 and alpine 3.18 images it started to fail. It complains about a BAD Signature
localhost:~# apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
v3.18.6-164-g2a32b8b9735 [http://dl-cdn.alpinelinux.org/alpine/v3.18/main]
v3.18.6-164-g2a32b8b9735 [http://dl-cdn.alpinelinux.org/alpine/v3.18/community]
OK: 20085 distinct packages available
localhost:~# apk upgrade apk-tools
(1/1) Upgrading apk-tools (2.14.0-r2 -> 2.14.3-r1)
Executing busybox-1.36.1-r5.trigger
OK: 119 MiB in 155 packages
localhost:~# apk add one-context-6.8.1-r1.apk
fetch http://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
ERROR: one-context-6.8.1-r1.apk: UNTRUSTED signature
localhost:~# apk add --allow-untrusted one-context-6.8.1-r1.apk
(1/1) Replacing one-context (6.8.1-r1 -> 6.8.1-r1)
ERROR: one-context-6.8.1-r1: BAD signature
1 error; 119 MiB in 155 packages
This only started happening somewhat recently on March. Previously we didn't have an errors when installing said package.
localhost:~# apk add one-context-6.8.1-r1.apk
ERROR: one-context-6.8.1-r1.apk: UNTRUSTED signature
localhost:~# apk add --allow-untrusted one-context-6.8.1-r1.apk
(1/1) Replacing one-context (6.8.1-r1 -> 6.8.1-r1)
Executing one-context-6.8.1-r1.post-upgrade
WARNING: Run update-conf to process any updated one-context files in /etc!
Executing busybox-1.36.1-r5.trigger
Executing eudev-3.2.11-r8.trigger
OK: 119 MiB in 155 packages
localhost:~# ^C
localhost:~# apk info apk-tools
apk-tools-2.14.0-r2 description:
Alpine Package Keeper - package manager for alpine
apk-tools-2.14.0-r2 webpage:
https://gitlab.alpinelinux.org/alpine/apk-tools
apk-tools-2.14.0-r2 installed size:
304 KiB
apk-tools-2.14.3-r1 description:
Alpine Package Keeper - package manager for alpine
apk-tools-2.14.3-r1 webpage:
https://gitlab.alpinelinux.org/alpine/apk-tools
apk-tools-2.14.3-r1 installed size:
296 KiB
We tried the alpine linux 3.18 image that we have published previously as the result of a previous release and narrowed it down to an issue with a recent apk-tool update. With apk-tools 2.10 the package can be installed with --allow-untrusted
with no issues.
Is there a way to install the package as it stands ? We tried --force
to no avail. We don't have a problem with 3.16, only 3.17 and 3.18.