Date: Thu, 11 Jun 2020 19:04:48 +0200
From: Kevin Daudt
To: CJ Ess
Cc: ~alpine/apk-tools@lists.alpinelinux.org
Subject: Re: Periodic BAD SIGNATURE issue
Message-ID: <20200611170448.GA2182753@alpha>

On Thu, Jun 11, 2020 at 11:24:12AM -0400, CJ Ess wrote:
> I am periodically getting BAD SIGNATURE errors from apk when installing
> packages.
>
> I'm not sure what makes the errors start or stop, however I am able to
> download and verify the package with curl and apk verify it while still
> getting the error from apk add.
>
> I can also download the index with curl and it looks alright after
> unpacking though I don't know how to verify it.
>
> I do know that neither the index nor package change when the BAD SIGNATURE
> errors start or stop.
>
> Is there any way to get debugging or trace output from APK that might shed
> some light?
>
> This seems to be a common issue just looking at Google results, I see it
> reported frequently, but the issues are always closed with no resolution
> because it is not possible to reproduce the issue at will.

One cause of these issues could be due to our CDN caching packages that
have been rebuilt. This can for example happen when a package is reverted
and gets the same name as a previously built package. The CDN then gives
you the previously cached version which has a different hash.

This can also happen for /latest-stable/ when a new version is released.

However, these occurrences should be rare, not happening on a regular basis.
If it happens more often, it would be good to know whether this is
intermittent (one time it fails, next time it succeeds), indicating
network issues, or if it's a specific package where it happens.

Kevin
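Added example, not part of the original message and not apk-tools code: one way to check whether a downloaded .apk is the build that the downloaded APKINDEX refers to, which is the stale-cache mismatch described above. It assumes the apk v2 layout (a signed package is three concatenated gzip streams: signature, control, data) and that the index `C:` field is `Q1` plus the base64 SHA-1 of the raw control stream; the helper names and sample data are constructed for illustration.

```python
import base64
import gzip
import hashlib
import zlib


def gzip_segments(blob):
    """Split concatenated gzip streams and return each stream's raw bytes."""
    segments = []
    while blob:
        d = zlib.decompressobj(31)  # 31 = expect a gzip header and trailer
        d.decompress(blob)
        if not d.eof:
            raise ValueError("truncated gzip stream")
        used = len(blob) - len(d.unused_data)
        segments.append(blob[:used])
        blob = blob[used:]
    return segments


def control_checksum(apk_bytes):
    """Checksum in APKINDEX form (assumed: Q1 + base64 SHA-1 of control stream)."""
    segs = gzip_segments(apk_bytes)
    if len(segs) != 3:
        raise ValueError("expected signature, control and data streams")
    return "Q1" + base64.b64encode(hashlib.sha1(segs[1]).digest()).decode()


def index_checksums(index_text):
    """Map 'name-version' to the C: value of each blank-line separated record."""
    out = {}
    for record in index_text.strip().split("\n\n"):
        f = dict(l.split(":", 1) for l in record.splitlines() if ":" in l)
        if {"P", "V", "C"} <= f.keys():
            out[f["P"] + "-" + f["V"]] = f["C"]
    return out


def matches_index(apk_bytes, index_text, pkgver):
    """True when the package bytes are the build the index describes."""
    return index_checksums(index_text).get(pkgver) == control_checksum(apk_bytes)


def fake_apk(control):
    """Constructed sample: three gzip streams standing in for a real package."""
    return b"".join(gzip.compress(p) for p in (b"sig", control, b"data"))


OLD = fake_apk(b"pkgname = demo\nbuilddate = 1\n")  # build still held by a cache
NEW = fake_apk(b"pkgname = demo\nbuilddate = 2\n")  # rebuild with the same name
INDEX = ("C:" + control_checksum(NEW) + "\nP:demo\nV:1.0-r0\n\n"
         "C:Q1AAAA=\nP:other\nV:2.0-r1\n")  # constructed index text
```

Running the check on the files fetched from the same mirror when the error appears, and again when it does not, shows whether the package and the index disagree or whether the failure lies elsewhere.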