<27cd1427-a758-cb73-321d-62352c30397c@gmail.com>
Hello!

I have a public key https://kamcuk.gitlab.io/yio/alpine/x86_64/kamilcukrowski@gmail.com.rsa.pub that I (hopefully) used to sign my repository at https://kamcuk.gitlab.io/yio/alpine/x86_64/ . However, upon installation using that repo and key I get a `BAD signature` error from alpine. How do I add the public key to the list of trusted keys? Why is the signature BAD?

I have my own rsa key, so I followed some online site on how to convert it to an RSA key. I generated a private rsa key from my gpg key with:

    gpg --export-secret-keys CC36098A43EBF7B5 | openpgp2ssh CC36098A43EBF7B5 > /kamilcukrowski@gmail.com.rsa

This generates a `-----BEGIN RSA PRIVATE KEY-----` file. I then signed the repo with:

    abuild-sign -k /kamilcukrowski@gmail.com.rsa /home/builder/packages/*/*/APKINDEX.tar.gz

And then generated the public key with:

    openssl rsa -in /kamilcukrowski@gmail.com.rsa -pubout -out /kamilcukrowski@gmail.com.rsa.pub

I confirmed with `openssl rsa -pubin -modulus -noout -in /kamilcukrowski@gmail.com.rsa.pub` and `openssl rsa -noout -modulus -in /kamilcukrowski@gmail.com.rsa` that the modulus of the keys matches.

Then these files are uploaded to gitlab pages and then I guess I should be able to install it:

    # add public key, repo to apk and then apk add the package
    $ docker run --rm alpine sh -xc 'wget https://kamcuk.gitlab.io/yio/alpine/x86_64/kamilcukrowski@gmail.com.rsa.pub -O /etc/apk/keys/kamilcukrowski@gmail.com.rsa.pub ; echo 'https://kamcuk.gitlab.io/yio/alpine/' >> /etc/apk/repositories ; apk add yio'
    + wget https://kamcuk.gitlab.io/yio/alpine/x86_64/kamilcukrowski@gmail.com.rsa.pub -O /etc/apk/keys/kamilcukrowski@gmail.com.rsa.pub
    Connecting to kamcuk.gitlab.io (35.185.44.232:443)
    saving to '/etc/apk/keys/kamilcukrowski@gmail.com.rsa.pub'
    kamilcukrowski@gmail 100% |********************************| 800 0:00:00 ETA
    '/etc/apk/keys/kamilcukrowski@gmail.com.rsa.pub' saved
    + echo https://kamcuk.gitlab.io/yio/alpine/
    + apk add yio
    fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
    fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
    fetch https://kamcuk.gitlab.io/yio/alpine/x86_64/APKINDEX.tar.gz
    ERROR: https://kamcuk.gitlab.io/yio/alpine/: BAD signature
    WARNING: Ignoring APKINDEX.f89d10e2.tar.gz: No such file or directory
    ERROR: unsatisfiable constraints:
      yio (missing):
        required by: world[yio]

But I get `BAD signature` and also `No such file or directory`. I tried finding something in the `apk` sources in https://github.com/alpinelinux/apk-tools , but I do not know what is wrong; the signing process in https://github.com/alpinelinux/abuild/blob/master/abuild-sign.in is pretty straightforward.

When I unpack the generated `APKINDEX.tar.gz` there is a `.SIGN.APK.kamilcukrowski@gmail.com.rsa.pub` file inside it. Can I somehow "manually" confirm that the APKINDEX has been correctly signed? Do I also need to sign packages, or just APKINDEX?

Thank you.
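
One way to do the manual check asked about above, as an added example that is not part of the original post and is not code from apk-tools or abuild. It assumes the layout abuild-sign writes (a gzip member holding a `.SIGN.RSA.<key name>` tar entry, followed by the unsigned index stream, signed with RSA over SHA-1); the function names are made up for this sketch.

```python
#!/usr/bin/env python3
"""Take a signed APKINDEX.tar.gz apart and check its signature by hand.

Assumed layout (what abuild-sign writes): one gzip member holding a tar entry
named .SIGN.RSA.<key name>, followed by the original, unsigned index stream.
The tar entry's content is the RSA/SHA-1 signature of that unsigned stream.
"""
import io, os, subprocess, sys, tarfile, tempfile, zlib

SIG_PREFIX = ".SIGN.RSA."

def split_signed_index(blob):
    """Return (key_name, signature, payload) from the bytes of a signed index."""
    d = zlib.decompressobj(31)            # wbits=31: expect a gzip header
    sig_tar = d.decompress(blob)          # stops at the end of the first member
    payload = d.unused_data               # the bytes the signature covers
    if not d.eof or not payload:
        raise ValueError("no separate signature segment before the index")
    with tarfile.open(fileobj=io.BytesIO(sig_tar), mode="r:") as tar:
        member = tar.next()               # works without end-of-archive blocks
        if (member is None or not member.isfile()
                or not member.name.startswith(SIG_PREFIX)):
            found = member.name if member else "nothing"
            raise ValueError(f"expected a {SIG_PREFIX}* entry, found {found}")
        signature = tar.extractfile(member).read()
    return member.name[len(SIG_PREFIX):], signature, payload

def openssl_verify(pubkey_path, signature, payload):
    """Check the signature with the openssl CLI; True when it verifies."""
    with tempfile.NamedTemporaryFile() as sig_file:
        sig_file.write(signature)
        sig_file.flush()
        result = subprocess.run(
            ["openssl", "dgst", "-sha1", "-verify", pubkey_path,
             "-signature", sig_file.name],
            input=payload, capture_output=True)   # payload is read from stdin
    return result.returncode == 0

if __name__ == "__main__":
    index_path, pubkey_path = sys.argv[1:3]
    with open(index_path, "rb") as f:
        key_name, signature, payload = split_signed_index(f.read())
    print("key name in signature entry:", key_name)
    print("same as public key file name:", key_name == os.path.basename(pubkey_path))
    print("openssl verifies payload:", openssl_verify(pubkey_path, signature, payload))
```

Run it as `python3 check_index.py APKINDEX.tar.gz /etc/apk/keys/<key file>` (the script name is arbitrary); the three printed lines separate a key-name mismatch from a signature that does not verify against the given public key.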