~alpine/apk-tools

Periodic BAD SIGNATURE issue

Message ID: <CA+p3Eyz2i9UjqhOaDrwCDupby8FrKiYL19_3sFrzER-19aoBGg@mail.gmail.com>

I am periodically getting BAD SIGNATURE errors from apk when installing
packages.

I'm not sure what makes the errors start or stop, however I am able to
download and verify the package with curl and apk verify it while still
getting the error from apk add.

I can also download the index with curl and it looks alright after
unpacking though I don't know how to verify it.

I do know that neither the index nor package change when the BAD SIGNATURE
errors start or stop.

Is there any way to get debugging or trace output from APK that might shed
some light?

This seems to be a common issue just looking at Google results, I see it
reported frequently, but the issues are always closed with no resolution
because it is not possible to reproduce the issue at will.

Message ID: <CAMaqUZ2Xt37DY60d4EJ8zVeGg5UBYfw2bRs1sH97wYJ-tSPnuQ@mail.gmail.com>
In-Reply-To: <CA+p3Eyz2i9UjqhOaDrwCDupby8FrKiYL19_3sFrzER-19aoBGg@mail.gmail.com>

I've seen this happen before if the connection times out -- a zero-length
or truncated package will result in a signature error. While technically
accurate, I can imagine a more helpful message for these cases :)

--Reid

On Thu, Jun 11, 2020 at 11:24 AM CJ Ess <zxcvbn4038@gmail.com> wrote:

> I am periodically getting BAD SIGNATURE errors from apk when installing
> packages.
>
> I'm not sure what makes the errors start or stop, however I am able to
> download and verify the package with curl and apk verify it while still
> getting the error from apk add.
>
> I can also download the index with curl and it looks alright after
> unpacking though I don't know how to verify it.
>
> I do know that neither the index nor package change when the BAD SIGNATURE
> errors start or stop.
>
> Is there any way to get debugging or trace output from APK that might shed
> some light?
>
> This seems to be a common issue just looking at Google results, I see it
> reported frequently, but the issues are always closed with no resolution
> because it is not possible to reproduce the issue at will.
>
>

Message ID: <20200611170448.GA2182753@alpha>
In-Reply-To: <CA+p3Eyz2i9UjqhOaDrwCDupby8FrKiYL19_3sFrzER-19aoBGg@mail.gmail.com>

On Thu, Jun 11, 2020 at 11:24:12AM -0400, CJ Ess wrote:
> I am periodically getting BAD SIGNATURE errors from apk when installing
> packages.
> 
> I'm not sure what makes the errors start or stop, however I am able to
> download and verify the package with curl and apk verify it while still
> getting the error from apk add.
> 
> I can also download the index with curl and it looks alright after
> unpacking though I don't know how to verify it.
> 
> I do know that neither the index nor package change when the BAD SIGNATURE
> errors start or stop.
> 
> Is there any way to get debugging or trace output from APK that might shed
> some light?
> 
> This seems to be a common issue just looking at Google results, I see it
> reported frequently, but the issues are always closed with no resolution
> because it is not possible to reproduce the issue at will.

One cause of these issues could be due to our CDN caching packages that
have been rebuilt.

This can for example happen when a package is reverted and gets the same
name as a previously built package. The CDN then gives you the
previously cached version which has a different hash.

This can also happen for /latest-stable/ when a new version is
released.

However, these occurrences should be rare, not happening on a regular
basis. If it happens more often, it would be good to know whether this
is intermittent (one time it fails, next time it succeeds), indicating
network issues, or if it's a specific package where it happens.

Kevin
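
Added example, not part of the thread and not apk-tools code: a check that compares a package fetched with curl against its entry in the unpacked APKINDEX, to tell the truncated download Reid describes from the cached-older-build case Kevin describes. It assumes the apk v2 layout (concatenated gzip segments: signature, control, data) and that the index's C: field is "Q1" plus the base64 SHA-1 of the control segment and S: is the file size; the function names and the sample package are constructed here.

```python
import base64, gzip, hashlib, zlib

def gzip_members(blob):
    """Split concatenated gzip streams; raise zlib.error if one is cut short."""
    members = []
    while blob:
        d = zlib.decompressobj(wbits=31)  # wbits=31: expect a gzip header
        d.decompress(blob)
        if not d.eof:
            raise zlib.error("stream ends before gzip trailer")
        end = len(blob) - len(d.unused_data)
        members.append(blob[:end])
        blob = blob[end:]
    return members

def q1(segment):
    """Checksum in the assumed index form: 'Q1' + base64(SHA-1)."""
    return "Q1" + base64.b64encode(hashlib.sha1(segment).digest()).decode()

def index_entry(apkindex_text, name):
    """Fields (C:, P:, V:, S:, ...) of package `name` in an unpacked APKINDEX."""
    for block in apkindex_text.strip().split("\n\n"):
        fields = dict(l.split(":", 1) for l in block.splitlines() if ":" in l)
        if fields.get("P") == name:
            return fields
    return None

def diagnose(apk_bytes, entry):
    try:
        members = gzip_members(apk_bytes)
    except zlib.error:
        return "truncated"        # partial or corrupt download (timeout case)
    if not members:
        return "truncated"        # zero-length file
    if entry["C"] not in [q1(m) for m in members]:
        return "index-mismatch"   # intact file, but not the build the index lists
    if len(apk_bytes) != int(entry["S"]):
        return "size-mismatch"    # control matches, a later segment is missing
    return "consistent"

def sample():
    """Constructed stand-in for a package and its one-entry index."""
    sig, ctl, data = (gzip.compress(b) for b in (b"sig", b"control r0", b"data" * 99))
    apk = sig + ctl + data
    index = f"C:{q1(ctl)}\nP:demo\nV:1.0-r0\nS:{len(apk)}\n"
    return apk, sig, data, index_entry(index, "demo")

if __name__ == "__main__":
    apk, _, _, entry = sample()
    for label, blob in (("intact", apk), ("cut short", apk[:-5]), ("empty", b"")):
        print(label, "->", diagnose(blob, entry))
```

Running it repeatedly against the same URL while the error is occurring shows whether the mirror's answer changes between requests (intermittent) or stays an intact but different build.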