For discussion of Alpine Linux development and developer support

2 2

[alpine-devel] APK Packages Missing Signatures

Ladar Levison
Details
Message ID
<d193c627-9999-7297-3983-1a148356783c@lavabit.com>
Sender timestamp
1528163611
DKIM signature
missing
Download raw message
It seems several packages have made it out to the mirrors without
signatures. It doesn't appear to be every package. The following are the
ones I know about:

ERROR: busybox-1.27.2-r10: UNTRUSTED signature
ERROR: ssl_client-1.27.2-r10: UNTRUSTED signature
ERROR: busybox-suid-1.27.2-r10: UNTRUSTED signature

And if you run:

curl --silent
https://dl-3.alpinelinux.org/alpine/v3.7/main/x86_64/busybox-1.27.2-r10.apk
| gunzip | tar --list

Note lack of an SIGN.RSA file. (I'm assuming that is the file which is
supposed to hold the signature.)

L~





---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Natanael Copa
Details
Message ID
<20180607132308.787c5417@ncopa-desktop.copa.dup.pw>
In-Reply-To
<d193c627-9999-7297-3983-1a148356783c@lavabit.com> (view parent)
Sender timestamp
1528370588
DKIM signature
missing
Download raw message
On Mon, 4 Jun 2018 20:53:31 -0500
Ladar Levison <ladar@lavabit.com> wrote:

> It seems several packages have made it out to the mirrors without
> signatures. It doesn't appear to be every package. The following are the
> ones I know about:
> 
> ERROR: busybox-1.27.2-r10: UNTRUSTED signature
> ERROR: ssl_client-1.27.2-r10: UNTRUSTED signature
> ERROR: busybox-suid-1.27.2-r10: UNTRUSTED signature

This should be fixed now. Thanks for the report.

-nc


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Ladar Levison
Details
Message ID
<f03b22bc-d521-7d1d-f701-be2efab94fef@lavabit.com>
In-Reply-To
<20180607132308.787c5417@ncopa-desktop.copa.dup.pw> (view parent)
Sender timestamp
1528452220
DKIM signature
missing
Download raw message
On 06/07/2018 06:23 AM, Natanael Copa wrote:
> On Mon, 4 Jun 2018 20:53:31 -0500
> Ladar Levison <ladar@lavabit.com> wrote:
>
>> It seems several packages have made it out to the mirrors without
>> signatures. It doesn't appear to be every package. The following are the
>> ones I know about:
>>
>> ERROR: busybox-1.27.2-r10: UNTRUSTED signature
>> ERROR: ssl_client-1.27.2-r10: UNTRUSTED signature
>> ERROR: busybox-suid-1.27.2-r10: UNTRUSTED signature
> This should be fixed now. Thanks for the report.

Fix confirmed. The box building robots are once again happy. Thank you.

L~




---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---