Alpine unable to install local .apk file #689

Open
xua3 opened this issue Jun 27, 2023 · 2 comments
xua3 commented Jun 27, 2023

Install Temurin following the instructions on the website for Alpine Linux.

apk add works fine:

/ # apk add temurin-17-jdk
(1/8) Installing java-common (0.5-r0)
(2/8) Installing libffi (3.4.4-r2)
(3/8) Installing p11-kit (0.24.1-r2)
(4/8) Installing libtasn1 (4.19.0-r1)
(5/8) Installing p11-kit-trust (0.24.1-r2)
(6/8) Installing ca-certificates (20230506-r0)
(7/8) Installing java-cacerts (1.0-r1)
(8/8) Installing temurin-17-jdk (17.0.7_p7-r0)
Executing busybox-1.36.1-r0.trigger
Executing java-common-0.5-r0.trigger
Executing ca-certificates-20230506-r0.trigger
OK: 270 MiB in 23 packages

But it doesn't work if I download the .apk file to the local directory and install it:

~ # apk fetch temurin-17-jdk
Downloading temurin-17-jdk-17.0.7_p7-r0
~ # ls
temurin-17-jdk-17.0.7_p7-r0.apk
~ # apk add temurin-17-jdk-17.0.7_p7-r0.apk
ERROR: temurin-17-jdk-17.0.7_p7-r0.apk: UNTRUSTED signature

It looks like the .apk file can't be verified:

~ # apk verify temurin-17-jdk-17.0.7_p7-r0.apk
temurin-17-jdk-17.0.7_p7-r0.apk: 0 - UNTRUSTED
@karianna karianna added the bug label Jun 30, 2023
karianna commented Jul 3, 2023

From @steelhead31

_It appears all of our Alpine APKs going back several releases are not signed. I'm just looking into the code to see if we currently sign it (and it isn't working...) or whether we release them unsigned... This error can be worked around by adding the --allow-untrusted switch (e.g. apk add ./temurin-17-jdk-17.0.7_p7-r0.apk --allow-untrusted).

I've figured it out, it's an Alpine oddity. I'm fairly certain now our Alpine APKs are being signed, and signatures are verified when installing from the online repo, not when manually installing from an APK. I'm still digging, but this appears to be the case.

Local APKs have to be installed with the --allow-untrusted switch.

That's how the packaging test for Alpine passes in the Jenkins workflow too. I've unpacked the APK and can verify it's signed that way, but having done some digging, I can't find an easy way to do the same on the command line._

@karianna added: Thanks for checking! Sounds like either Alpine has some sort of a missing feature gap (perhaps there's a check from an online APK repo vs local) or we are missing something else that we weren't aware of. I'll update the ticket and see if the OP knows anything more.

xua3 commented Jul 4, 2023

I downloaded a package from the Alpine repository and tested it. It can be installed without any problem.

~ # apk fetch nano
Downloading nano-7.2-r1
~ # ls
nano-7.2-r1.apk
~ # apk add nano-7.2-r1.apk
(1/3) Installing ncurses-terminfo-base (6.4_p20230506-r0)
(2/3) Installing libncursesw (6.4_p20230506-r0)
(3/3) Installing nano (7.2-r1)
Executing busybox-1.36.1-r0.trigger
OK: 8 MiB in 18 packages

So I unpacked nano-7.2-r1.apk and temurin-17-jdk-17.0.7_p7-r0.apk to see if I can find something useful.

~ # tar xvf nano-7.2-r1.apk
.SIGN.RSA.alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
.PKGINFO
etc/
etc/nanorc
usr/
usr/bin/
usr/bin/nano
usr/bin/rnano
~ # tar xvf temurin-17-jdk-17.0.7_p7-r0.apk
.SIGN.RSA.private.rsa.pub
.PKGINFO
usr/
usr/lib/
usr/lib/jvm/
usr/lib/jvm/java-17-temurin/
usr/lib/jvm/java-17-temurin/NOTICE
usr/lib/jvm/java-17-temurin/bin/
usr/lib/jvm/java-17-temurin/bin/jar
...

Here are the keys I have.

~ # ls /etc/apk/keys/
adoptium.rsa.pub
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub

I guess .SIGN.RSA.alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub matches alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub. But .SIGN.RSA.private.rsa.pub didn't match any keys I have.

So I changed the filename of the Adoptium key.

mv /etc/apk/keys/adoptium.rsa.pub /etc/apk/keys/private.rsa.pub

Now I can install the local APK file without any errors.

~ # apk add temurin-17-jdk-17.0.7_p7-r0.apk
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/8) Installing java-common (0.5-r0)
(2/8) Installing libffi (3.4.4-r2)
(3/8) Installing p11-kit (0.24.1-r2)
(4/8) Installing libtasn1 (4.19.0-r1)
(5/8) Installing p11-kit-trust (0.24.1-r2)
(6/8) Installing ca-certificates (20230506-r0)
(7/8) Installing java-cacerts (1.0-r1)
(8/8) Installing temurin-17-jdk (17.0.7_p7-r0)
Executing busybox-1.36.1-r0.trigger
Executing java-common-0.5-r0.trigger
Executing ca-certificates-20230506-r0.trigger
OK: 271 MiB in 26 packages

But when I do apk update now, there's a warning.

~ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
fetch https://packages.adoptium.net/artifactory/apk/alpine/main/x86_64/APKINDEX.tar.gz
WARNING: updating and opening https://packages.adoptium.net/artifactory/apk/alpine/main: UNTRUSTED signature
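To make the key-name rule in the last post concrete: an added example (my own Python, not apk-tools or Temurin code) that splits a local .apk into its gzip segments, reads the .SIGN.RSA.<keyname> entry, and models the lookup apk performs against the file names in /etc/apk/keys/. The sample package and key lists below are constructed from the names in this thread; the real apk additionally checks the RSA signature over the control segment, which this model does not do.

```python
import io
import tarfile
import zlib
from typing import Optional, Set


def split_gzip_members(data: bytes) -> list:
    """Split the concatenated gzip streams (signature, control, data) into payloads."""
    members = []
    while data:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # decodes exactly one gzip member
        members.append(d.decompress(data))
        data = d.unused_data  # bytes after this member's trailer
    return members


def signature_entry(apk_bytes: bytes) -> Optional[str]:
    """Name of the .SIGN.* entry in the first (signature) segment, if any."""
    with tarfile.open(fileobj=io.BytesIO(split_gzip_members(apk_bytes)[0])) as tf:
        return next((m.name for m in tf.getmembers() if m.name.startswith(".SIGN.")), None)


def expected_key_file(sig_name: str) -> str:
    """'.SIGN.RSA.private.rsa.pub' -> 'private.rsa.pub', the file name looked up in /etc/apk/keys."""
    return sig_name.split(".", 3)[3]


def is_trusted(apk_bytes: bytes, installed_keys: Set[str]) -> tuple:
    """Model of apk's lookup: the key FILE must be named exactly <keyname>; contents alone do not help."""
    sig = signature_entry(apk_bytes)
    if sig is None:
        return False, "no signature segment"
    key = expected_key_file(sig)
    return (True, key) if key in installed_keys else (False, "UNTRUSTED: no /etc/apk/keys/" + key)


def _tar_gz(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed stand-in for temurin-17-jdk-17.0.7_p7-r0.apk; the signature bytes are dummy.
SAMPLE_APK = (_tar_gz(".SIGN.RSA.private.rsa.pub", b"\x00" * 256)
              + _tar_gz(".PKGINFO", b"pkgname = temurin-17-jdk\npkgver = 17.0.7_p7-r0\n")
              + _tar_gz("usr/lib/jvm/java-17-temurin/NOTICE", b"constructed\n"))
# Key file names from the thread's /etc/apk/keys/ listing, before and after the rename.
KEYS_BEFORE = {"adoptium.rsa.pub", "alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub"}
KEYS_AFTER = {"private.rsa.pub", "alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub"}

if __name__ == "__main__":
    for label, keys in (("before rename", KEYS_BEFORE), ("after rename", KEYS_AFTER)):
        print(label, is_trusted(SAMPLE_APK, keys))
```

Renaming adoptium.rsa.pub to private.rsa.pub satisfies this lookup for the local file, which is why the install then succeeds; it would also account for the later apk update warning if the repository index is signed under the original file name.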
