This repository was archived by the owner on Feb 24, 2020. It is now read-only.
rkt fetch: can fetch incorrect signature #1982
Closed
Description
In the following log, I run an image with these dependencies:
aci.gonyeo.com/blog --> aci.gonyeo.com/nginx --> aci.gonyeo.com/alpine
It fetches and correctly verifies the first two ACIs. The third image, aci.gonyeo.com/alpine, fails verification because for some reason rkt fetches the signature for aci.gonyeo.com/nginx.
derek@haruko ~> sudo rkt fetch aci.gonyeo.com/blog               
rkt: searching for app image aci.gonyeo.com/blog
rkt: remote fetching from URL "https://aci.gonyeo.com/blog-latest-linux-amd64.aci"
prefix: "aci.gonyeo.com/blog"
key: "https://aci.gonyeo.com/pubkeys.gpg"
gpg key fingerprint is: 391A 2660 3B7D 1A7B 969B  DB93 8D6A 284F 420B 2594
    subkey fingerprint: 818A 735C A7D6 60F5 F113  8ED8 29A7 820C 14D5 7505
        Derek Gonyeo (ACI signing key) <[email protected]>
Key "https://aci.gonyeo.com/pubkeys.gpg" already in the keystore
rkt: downloading signature from https://aci.gonyeo.com/blog-latest-linux-amd64.aci.asc
Downloading signature: 473 B of an unknown total size
Downloading ACI: [=============================================] 275 KB/275 KB 
rkt: signature verified:
  Derek Gonyeo (ACI signing key) <[email protected]>
rkt: searching for app image aci.gonyeo.com/nginx
rkt: remote fetching from URL "https://aci.gonyeo.com/nginx-latest-linux-amd64.aci"
prefix: "aci.gonyeo.com/nginx"
key: "https://aci.gonyeo.com/pubkeys.gpg"
gpg key fingerprint is: 391A 2660 3B7D 1A7B 969B  DB93 8D6A 284F 420B 2594
    subkey fingerprint: 818A 735C A7D6 60F5 F113  8ED8 29A7 820C 14D5 7505
        Derek Gonyeo (ACI signing key) <[email protected]>
Key "https://aci.gonyeo.com/pubkeys.gpg" already in the keystore
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
Downloading signature: 473 B of an unknown total size
Downloading ACI: [=============================================] 1.3 MB/1.3 MB 
rkt: signature verified:
  Derek Gonyeo (ACI signing key) <[email protected]>
rkt: searching for app image aci.gonyeo.com/alpine
rkt: remote fetching from URL "https://aci.gonyeo.com/alpine-latest-linux-amd64.aci"
prefix: "aci.gonyeo.com/alpine"
key: "https://aci.gonyeo.com/pubkeys.gpg"
gpg key fingerprint is: 391A 2660 3B7D 1A7B 969B  DB93 8D6A 284F 420B 2594
    subkey fingerprint: 818A 735C A7D6 60F5 F113  8ED8 29A7 820C 14D5 7505
        Derek Gonyeo (ACI signing key) <[email protected]>
Key "https://aci.gonyeo.com/pubkeys.gpg" already in the keystore
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
Downloading signature: 473 B of an unknown total size
Downloading ACI: [=============================================] 2.49 MB/2.49 MB
openpgp: invalid signature: hash tag doesn't match
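
The mismatch reported above can be caught mechanically from `rkt fetch` output. The following is an added example, not part of the original issue or of rkt's code: it pairs each "remote fetching from URL" line with the next "downloading signature from" line and flags any signature URL that is not the ACI URL plus `.asc`. That naming rule is an assumption inferred from the two successful fetches in the log, and the function name is hypothetical.

```python
import re

# Sample input: lines abbreviated from the rkt fetch log in the report above.
SAMPLE_LOG = """\
rkt: searching for app image aci.gonyeo.com/nginx
rkt: remote fetching from URL "https://aci.gonyeo.com/nginx-latest-linux-amd64.aci"
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
rkt: signature verified:
rkt: searching for app image aci.gonyeo.com/alpine
rkt: remote fetching from URL "https://aci.gonyeo.com/alpine-latest-linux-amd64.aci"
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
openpgp: invalid signature: hash tag doesn't match
"""

FETCH_RE = re.compile(r'^rkt: remote fetching from URL "([^"]+)"$')
SIG_RE = re.compile(r'^rkt: downloading signature from (\S+)$')


def find_signature_mismatches(log_text):
    """Return (aci_url, expected_sig_url, actual_sig_url) for each image whose
    signature came from a URL other than <aci_url>.asc (assumed convention)."""
    mismatches = []
    current_aci = None  # ACI URL still waiting for its signature line
    for raw in log_text.splitlines():
        line = raw.strip()
        fetch = FETCH_RE.match(line)
        if fetch:
            current_aci = fetch.group(1)
            continue
        sig = SIG_RE.match(line)
        if not sig:
            continue
        actual = sig.group(1)
        if current_aci is None:
            # Signature download with no image announced: cannot be paired.
            mismatches.append((None, None, actual))
        elif actual != current_aci + ".asc":
            mismatches.append((current_aci, current_aci + ".asc", actual))
        current_aci = None  # each fetch line is paired with one signature
    return mismatches


if __name__ == "__main__":
    for aci, expected, actual in find_signature_mismatches(SAMPLE_LOG):
        print(f"MISMATCH image={aci} expected={expected} got={actual}")
```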