From nobody Fri Mar 29 00:48:49 2024 Received: from mail-qv1-f53.google.com (mail-qv1-f53.google.com [209.85.219.53]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 505F6782BB8 for <~alpine/apk-tools@lists.alpinelinux.org>; Thu, 11 Jun 2020 15:24:24 +0000 (UTC) Received: by mail-qv1-f53.google.com with SMTP id e20so2814102qvu.0 for <~alpine/apk-tools@lists.alpinelinux.org>; Thu, 11 Jun 2020 08:24:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=ukymi5kpkDUG9Q26fASmhBYz2Pf6uxqVzs96B35Wwug=; b=TkOl9n1NdskDZ6DafVqrgPt6eAZ7Q5gqmjyHR8s6RjO7tf8tS/k7+EoWaoOrxfDp0k UsV7qtfcvzYLQpcvuyjwCJS/XCVUg385SGrcrhgNi7AFKWD18qqg4iVgVYMrbFzQk9q0 lat9kcvnibLxuDSMS1XVjXSnZn8noe3w8PPzXf17H6K3OgAzmE3Gsby1E0aQlQjHt955 G7hytH7P2ClxDnW6v/geJH/Xjui5CHYJBNKH4y5E/6OwLbSyI2EDRQHtZVeTRxCD26gp q/zQXWIaIws60SPqk7gBznFLB9L/h+qkDY7H68BXoTdkT5KJHGJug5mTeTLcrNTq5TwF sdGg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ukymi5kpkDUG9Q26fASmhBYz2Pf6uxqVzs96B35Wwug=; b=ngJ1grISZhHLzK+rQC7Um+f12TK29MmfGnZVhUlnCYYWVhGdv5bC3t5oysy0IE2efg x3yzwzYLs24M4kO/aGwII7gaHQrXKBkyFjlevsVya2iToRuW+N8DmPuvOPijuqZb9L1n ZpPrZKS5rKPkolwFGIMlqPnqG51t7yA7RN6L1J/Cc3k+kLBz4g+D4Q1jSbItfbjGXE2q U67y69yu6VkoJGOWicBJXgPzRWpzzdTRlbY1laLT36VfAwAqL0eqWCdQw0BK3bGEaPB2 EpiU+I+toOWB189t3MxgaJLpRjnBQsfEMcQmVgFBvDEnEoQf8/x1znDwFxaYkkV9pGGU 9m2w== X-Gm-Message-State: AOAM531FCn9lqQLFUseMKHGPH2y66xoavyVS/BY/9GEG3YblYupQxm2u A+jWnGjZknyulYYX1YtmY1bF7rizHZf5QmIVGdnEL6Xp X-Google-Smtp-Source: ABdhPJxqYsg7gSzlijo2kUC6hp4zvS7J8UFkLlP2kQmeuQgUzPTN7n7//RDV5V6ng8ZhcUzgBky37ilL5ymVbwRzmK4= X-Received: by 2002:a05:6214:144:: with SMTP id x4mr8021933qvs.229.1591889062923; Thu, 11 Jun 2020 08:24:22 -0700 (PDT) MIME-Version: 1.0 From: CJ Ess Date: Thu, 11 Jun 2020 11:24:12 -0400 Message-ID: Subject: Periodic BAD SIGNATURE issue To: ~alpine/apk-tools@lists.alpinelinux.org Content-Type: multipart/alternative; boundary="0000000000001e125905a7d08ef0" --0000000000001e125905a7d08ef0 Content-Type: text/plain; charset="UTF-8" I am periodically getting BAD SIGNATURE errors from apk when installing packages. I'm not sure what makes the errors start or stop, however I am able to download and verify the package with curl and apk verify it while still getting the error from apk add. I can also download the index with curl and it looks alright after unpacking though I don't know how to verify it. I do know that neither the index nor package change when the BAD SIGNATURE errors start or stop. Is there any way to get debugging or trace output from APK that might shed some light? This seems to be a common issue just looking at Google results, I see it reported frequently, but the issues are always closed with no resolution because it is not possible to reproduce the issue at will. --0000000000001e125905a7d08ef0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I am periodically getting BAD SIGNATURE errors from apk wh= en installing packages.

I'm not sure what makes the = errors start or stop, however I am able to download and verify the package = with curl and apk verify it while=C2=A0still getting the error from apk add= .

I can also download the index with curl and it l= ooks alright after unpacking though I don't know how to verify it.=C2= =A0

I do know that neither the index nor package c= hange when the BAD SIGNATURE errors start or stop.

Is there any way to get debugging or trace output from APK that might shed= some light?

This seems to be a common issue just = looking at Google results, I see it reported frequently, but the issues are= always closed with no resolution because it is not possible to reproduce t= he issue at will.

--0000000000001e125905a7d08ef0-- From nobody Fri Mar 29 00:48:49 2024 Received: from vps892.directvps.nl (ikke.info [178.21.113.177]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 1F602782BED for <~alpine/apk-tools@lists.alpinelinux.org>; Thu, 11 Jun 2020 17:04:49 +0000 (UTC) Received: by vps892.directvps.nl (Postfix, from userid 1008) id 06EAD4400FC; Thu, 11 Jun 2020 19:04:49 +0200 (CEST) Date: Thu, 11 Jun 2020 19:04:48 +0200 From: Kevin Daudt To: CJ Ess Cc: ~alpine/apk-tools@lists.alpinelinux.org Subject: Re: Periodic BAD SIGNATURE issue Message-ID: <20200611170448.GA2182753@alpha> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Thu, Jun 11, 2020 at 11:24:12AM -0400, CJ Ess wrote: > I am periodically getting BAD SIGNATURE errors from apk when installing > packages. > > I'm not sure what makes the errors start or stop, however I am able to > download and verify the package with curl and apk verify it while still > getting the error from apk add. > > I can also download the index with curl and it looks alright after > unpacking though I don't know how to verify it. > > I do know that neither the index nor package change when the BAD SIGNATURE > errors start or stop. > > Is there any way to get debugging or trace output from APK that might shed > some light? > > This seems to be a common issue just looking at Google results, I see it > reported frequently, but the issues are always closed with no resolution > because it is not possible to reproduce the issue at will. One cause of these issues could be due to our CDN caching packages that have been rebuilt. This can for example happen when a package is reverted and gets the same name as a previously built-package. The CDN then gives you the previously cached version which has a different hash. This can also happen for /latest-stable/ when a new version is released. However, these occurences should be rare, not happening on a regular basis. If it happens more often, it would be good to know whether this is intermittent (one time it fails, next time it succeeds), indicating network issues, or if it's a specific package where happens. Kevin From nobody Fri Mar 29 00:48:49 2024 Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com [209.85.208.171]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id DA132782C74 for <~alpine/apk-tools@lists.alpinelinux.org>; Thu, 11 Jun 2020 15:58:54 +0000 (UTC) Received: by mail-lj1-f171.google.com with SMTP id q19so7554219lji.2 for <~alpine/apk-tools@lists.alpinelinux.org>; Thu, 11 Jun 2020 08:58:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3/mtxf5/XUgKvmt4ghmfJQWMW+D2GhOetr/DDALSpl4=; b=lt6iW6Da3NPkrpiJihM1G2GQ8aNrW2IabmwKUBMKipSD0SNhKaABfRNkD+WEOkoqrF d1Utt+iMSYzs9KKvYk5E+ZJ6grwkMkRcVFQhw1LJRnDPQL+FQu6W2PtXzZtF9cQTI2TB kui6In0kTHsY8NLcluRD/shztxYwuKTkiB6HBpuPOXmb0HJrG2au2t7lxUHOMuFyBNu9 pyxwt9U419yTsEJisJX3CMGGgNfQTWCQ4pIF5aF+8IVTHlxUNOFGx5DtytqRDadpMNHL lQS5cMxuAaj/dvd9FjOlR/g35GqVAyKVDkSaB6kwtLXCg96F0mcCblnUHXAjLGoDNhmY VBhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3/mtxf5/XUgKvmt4ghmfJQWMW+D2GhOetr/DDALSpl4=; b=bvg6BhLcyCli7gJIytWX2BsY2AYKer36U1WxMNeN2NVZzfNZXycGUgd4HoWt7v3n1A Ts/nJ2uOCxydH36reHQHaLUMjkc7Xbrb2aiitXIw883vhwilGeSQJ1Kapvgcz69qWraL 9CYlza1G+DTF2suUEpWgHezrfPDa3rljbKqOob5srf5/+DeN81ynj3ujdtouHQcypynD KdpPWCb2y46S/JpBNHQSqXDhx62OSPEj4MhVrpP1fljkl8cux6p8mLrCFvId81qOpi1r w4scNJ4472R3tORDKxHGmRlpOt9vPLcvHakWM5/dJFZD6JzKi3GO9L98VMCI8j7bOm4v xw9w== X-Gm-Message-State: AOAM531SIJhFSmzipJnAOOdhjbTQLZ9O0IE8bGV6KWrcACUINR3NsMZO fNXGDEr5ksG1lDvgNjrZaUiWI50ezUyMXER+70w= X-Google-Smtp-Source: ABdhPJz08Fx1QkS7c+/GoDWYIdUH3CzTsA4Owr02CaK7fN2Sm1ZgYG9sjc/u1AGyeUgqJhlUg4Og3Ku/37bSbLq+1nc= X-Received: by 2002:a2e:a495:: with SMTP id h21mr4829151lji.436.1591891133812; Thu, 11 Jun 2020 08:58:53 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Reid Rankin Date: Thu, 11 Jun 2020 11:58:42 -0400 Message-ID: Subject: Re: Periodic BAD SIGNATURE issue To: CJ Ess Cc: ~alpine/apk-tools@lists.alpinelinux.org Content-Type: multipart/alternative; boundary="0000000000008d53f805a7d1090c" --0000000000008d53f805a7d1090c Content-Type: text/plain; charset="UTF-8" I've seen this happen before if the connection times out -- a zero-length or truncated package will result in a signature error. While technically accurate, I can imagine a more helpful message for these cases :) --Reid On Thu, Jun 11, 2020 at 11:24 AM CJ Ess wrote: > I am periodically getting BAD SIGNATURE errors from apk when installing > packages. > > I'm not sure what makes the errors start or stop, however I am able to > download and verify the package with curl and apk verify it while still > getting the error from apk add. > > I can also download the index with curl and it looks alright after > unpacking though I don't know how to verify it. > > I do know that neither the index nor package change when the BAD SIGNATURE > errors start or stop. > > Is there any way to get debugging or trace output from APK that might shed > some light? > > This seems to be a common issue just looking at Google results, I see it > reported frequently, but the issues are always closed with no resolution > because it is not possible to reproduce the issue at will. > > --0000000000008d53f805a7d1090c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I've seen this happen before if the connection t= imes out -- a zero-length or truncated package will result in a signature e= rror. While technically accurate, I can imagine a more helpful message for = these cases :)

--Reid

On Thu, Jun 11, 2020 at 11:24 AM CJ Ess <zxcvbn4038@gmail.com> wrote:
I am periodically getting BAD SIGNATURE errors from ap= k when installing packages.

I'm not sure what makes = the errors start or stop, however I am able to download and verify the pack= age with curl and apk verify it while=C2=A0still getting the error from apk= add.

I can also download the index with curl and = it looks alright after unpacking though I don't know how to verify it.= =C2=A0

I do know that neither the index nor packag= e change when the BAD SIGNATURE errors start or stop.

<= div>Is there any way to get debugging or trace output from APK that might s= hed some light?

This seems to be a common issue ju= st looking at Google results, I see it reported frequently, but the issues = are always closed with no resolution because it is not possible to reproduc= e the issue at will.

--0000000000008d53f805a7d1090c--