Using pull-through cache for longer alpine package retention
kolloch opened this issue
Context:
- Alpine main/community: We are using Alpine (not Wolfi).
- Checked-in lockfiles: In our repository, we check in the lock files to get reproducible lock files.
Sample apko.yaml:
contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.19/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.19/community
  packages:
    - alpine-base
    - java-cacerts
archs:
  - amd64
  - arm64
This works well BUT in Alpine, old package files are apparently quickly deleted when not referenced by the index anymore. That makes our builds often fail even only a few hours/days after the last update.
To work around this, we tried to use a pull-through cache:
https://jfrog.com/help/r/jfrog-artifactory-documentation/alpine-linux-repositories
In our first tries, we hard-coded our credentials into the repository URLs in the apko.yaml file.
We got this error:
Error: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub; tried all other keys as well
2024/05/28 14:25:08 error during command execution: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub; tried all other keys as well
I assume the logic that automagically loads the correct keys for the standard URLs doesn't trigger here?
Anyways, we can then add the keyring files individually:
keyring:
  - https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
  - https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
  - https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub
But it doesn't work for all keys?
Error: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub; tried all other keys as well
2024/05/28 14:26:58 error during command execution: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub; tried all other keys as well
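A first diagnostic for the "no key found to verify signature for keyfile" error above, as an added example that is not part of the original issue and not apko code: it lists the key file name an APKINDEX.tar.gz declares in its `.SIGN.*` tar entry and compares it, by file name only, with the configured keyring URLs. It does not verify the signature; the function names are hypothetical and the sample index is constructed.

```python
import gzip
import io
import tarfile
from urllib.parse import urlparse

# Signature entry prefixes used in APK v2 signed archives.
SIG_PREFIXES = (".SIGN.RSA.", ".SIGN.RSA256.", ".SIGN.RSA512.")


def index_signing_keys(index_bytes):
    """Key file names declared by the .SIGN.* entries of an APKINDEX.tar.gz."""
    keys = []
    with tarfile.open(fileobj=io.BytesIO(index_bytes), mode="r:gz") as tar:
        for member in tar:
            for prefix in SIG_PREFIXES:
                if member.name.startswith(prefix):
                    keys.append(member.name[len(prefix):])
    return keys


def keys_not_in_keyring(index_bytes, keyring_urls):
    """Declared key names with no same-named file among the keyring URLs."""
    configured = {urlparse(u).path.rsplit("/", 1)[-1] for u in keyring_urls}
    return [k for k in index_signing_keys(index_bytes) if k not in configured]


def _segment(name, data, keep_end_marker):
    """Constructed test data: one gzip member holding a one-file tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    raw = buf.getvalue()
    if not keep_end_marker:  # signature segment carries no end-of-archive blocks
        raw = raw[: 512 + -(-len(data) // 512) * 512]
    return gzip.compress(raw)


KEY = "alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub"
SAMPLE_INDEX = (  # constructed; the signature bytes are a placeholder
    _segment(".SIGN.RSA." + KEY, b"\x00" * 256, False)
    + _segment("APKINDEX", b"P:alpine-base\n", True)
)

if __name__ == "__main__":
    keyring = ["https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub"]
    print("index signed with:", index_signing_keys(SAMPLE_INDEX))
    print("not in keyring:", keys_not_in_keyring(SAMPLE_INDEX, keyring))
```

Run it on the APKINDEX.tar.gz that the pull-through cache serves for each architecture to see which key name each index actually declares.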