lock: populate auto-discovered keys into the json lock file (#1985)

- **Commit claude code**
  

- **Export ParseAlpineVersion, instead of wrapping it**
  

- **Ignore missing alpine keys when offline**
  

- **Add new lock test with alpine discovery keys**


- **lock: Perform chainguard-style key discovery**


- **Ensure stable lock output**

Populate auto-discovered keys into the expanded lock file. This helps
with subsequent offline builds, plugging into existing (fixed up)
caching mechanism which appears to fix all offline building issues for
me on the rules_apko side.

I think this will correctly support multi-arch builds, with per-arch
keys, with auto-discovered keys, actually offline for the first time
properly.

Author: xnox

internal/cli/lock.go

@@ -18,16 +18,20 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
+	"net/http"
 	"os"
 	"path/filepath"
 	"slices"
+	"sort"
 	"strings"
+	"time"
 
 	"github.com/spf13/cobra"
 
 	"github.com/chainguard-dev/clog"
 
 	"chainguard.dev/apko/pkg/apk/apk"
+	"chainguard.dev/apko/pkg/apk/auth"
 	apkfs "chainguard.dev/apko/pkg/apk/fs"
 	"chainguard.dev/apko/pkg/build"
 	"chainguard.dev/apko/pkg/build/types"
@@ -169,6 +173,10 @@ func LockCmd(ctx context.Context, output string, archs []types.Architecture, opt
 		})
 	}
 
+	// Discover and add auto-discovered keys from repositories
+	discoveredKeys := discoverKeysForLock(ctx, ic, archs)
+	lock.Contents.Keyrings = append(lock.Contents.Keyrings, discoveredKeys...)
+
 	// TODO: If the archs can't agree on package versions (e.g., arm builds are ahead of x86) then we should fail instead of producing inconsistent locks.
 	for _, arch := range archs {
 		log := log.With("arch", arch.ToAPK())
@@ -236,6 +244,12 @@ func LockCmd(ctx context.Context, output string, archs []types.Architecture, opt
 			lock.Contents.Repositories = append(lock.Contents.Repositories, repoLock)
 		}
 	}
+
+	// Sort keyrings by name for reproducible lock files
+	sort.Slice(lock.Contents.Keyrings, func(i, j int) bool {
+		return lock.Contents.Keyrings[i].Name < lock.Contents.Keyrings[j].Name
+	})
+
 	return lock.SaveToFile(output)
 }
 
@@ -262,3 +276,94 @@ func stripURLScheme(url string) string {
 		"http://",
 	)
 }
+
+// discoverKeysForLock discovers keys from repositories and returns them as LockKeyring entries
+func discoverKeysForLock(ctx context.Context, ic *types.ImageConfiguration, archs []types.Architecture) []pkglock.LockKeyring {
+	log := clog.FromContext(ctx)
+
+	// Collect all unique repositories
+	repoSet := make(map[string]struct{})
+	for _, repo := range ic.Contents.BuildRepositories {
+		repoSet[repo] = struct{}{}
+	}
+	for _, repo := range ic.Contents.RuntimeOnlyRepositories {
+		repoSet[repo] = struct{}{}
+	}
+	for _, repo := range ic.Contents.Repositories {
+		repoSet[repo] = struct{}{}
+	}
+
+	// Map to track discovered keys by URL to avoid duplicates
+	discoveredKeyMap := make(map[string]pkglock.LockKeyring)
+
+	// Fetch Alpine releases once (cached by HTTP client)
+	client := &http.Client{}
+	var alpineReleases *apk.Releases
+
+	// Discover keys for each repository and architecture
+	for repo := range repoSet {
+		// Try Alpine-style key discovery
+		if ver, ok := apk.ParseAlpineVersion(repo); ok {
+			// Fetch releases.json if not already fetched
+			if alpineReleases == nil {
+				releases, err := apk.FetchAlpineReleases(ctx, client)
+				if err != nil {
+					log.Warnf("Failed to fetch Alpine releases: %v", err)
+					continue
+				}
+				alpineReleases = releases
+			}
+
+			branch := alpineReleases.GetReleaseBranch(ver)
+			if branch == nil {
+				log.Debugf("Alpine version %s not found in releases", ver)
+				continue
+			}
+
+			// Get keys for each architecture
+			for _, arch := range archs {
+				log.Debugf("Discovering Alpine keys for %s (version %s, arch %s)", repo, ver, arch.ToAPK())
+				urls := branch.KeysFor(arch.ToAPK(), time.Now())
+				if len(urls) == 0 {
+					log.Debugf("No keys found for arch %s and version %s", arch.ToAPK(), ver)
+					continue
+				}
+
+				// Add discovered key URLs to the map
+				for _, u := range urls {
+					discoveredKeyMap[u] = pkglock.LockKeyring{
+						Name: stripURLScheme(u),
+						URL:  u,
+					}
+				}
+			}
+		}
+
+		// Try Chainguard-style key discovery
+		log.Debugf("Attempting Chainguard-style key discovery for %s", repo)
+		keys, err := apk.DiscoverKeys(ctx, client, auth.DefaultAuthenticators, repo)
+		if err != nil {
+			log.Debugf("Chainguard-style key discovery failed for %s: %v", repo, err)
+		} else if len(keys) > 0 {
+			log.Debugf("Discovered %d Chainguard-style keys for %s", len(keys), repo)
+			// For each JWKS key, emit a URL: repository + "/" + KeyID
+			repoBase := strings.TrimSuffix(repo, "/")
+			for _, key := range keys {
+				keyURL := repoBase + "/" + key.ID
+				discoveredKeyMap[keyURL] = pkglock.LockKeyring{
+					Name: stripURLScheme(keyURL),
+					URL:  keyURL,
+				}
+			}
+		}
+	}
+
+	// Convert map to slice
+	discoveredKeys := make([]pkglock.LockKeyring, 0, len(discoveredKeyMap))
+	for _, key := range discoveredKeyMap {
+		discoveredKeys = append(discoveredKeys, key)
+	}
+
+	log.Infof("Discovered %d auto-discovered keys", len(discoveredKeys))
+	return discoveredKeys
+}

internal/cli/lock_test.go

@@ -33,25 +33,38 @@ func TestLock(t *testing.T) {
 	ctx := context.Background()
 	tmp := t.TempDir()
 
-	golden := filepath.Join("testdata", "apko.lock.json")
-
-	config := "apko.yaml"
-	archs := types.ParseArchitectures([]string{"amd64", "arm64"})
-	opts := []build.Option{build.WithConfig(config, []string{"testdata"})}
-	outputPath := filepath.Join(tmp, "apko.lock.json")
-
-	err := cli.LockCmd(ctx, outputPath, archs, opts)
-	require.NoError(t, err)
-
-	want, err := os.ReadFile(golden)
-	require.NoError(t, err)
-	got, err := os.ReadFile(outputPath)
-	require.NoError(t, err)
-
-	if !bytes.Equal(want, got) {
-		if diff := cmp.Diff(want, got); diff != "" {
-			t.Errorf("Mismatched lock files: (-%q +%q):\n%s", golden, outputPath, diff)
-		}
+	tests := []struct {
+		basename string
+	}{
+		{
+			basename: "apko",
+		}, {
+			basename: "apko-discover",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.basename, func(t *testing.T) {
+			golden := filepath.Join("testdata", tt.basename+".lock.json")
+
+			config := tt.basename + ".yaml"
+			archs := types.ParseArchitectures([]string{"amd64", "arm64"})
+			opts := []build.Option{build.WithConfig(config, []string{"testdata"})}
+			outputPath := filepath.Join(tmp, tt.basename+".lock.json")
+
+			err := cli.LockCmd(ctx, outputPath, archs, opts)
+			require.NoError(t, err)
+
+			want, err := os.ReadFile(golden)
+			require.NoError(t, err)
+			got, err := os.ReadFile(outputPath)
+			require.NoError(t, err)
+
+			if !bytes.Equal(want, got) {
+				if diff := cmp.Diff(want, got); diff != "" {
+					t.Errorf("Mismatched lock files: (-%q +%q):\n%s", golden, outputPath, diff)
+				}
+			}
+		})
 	}
 }
 

internal/cli/testdata/apko-discover.lock.json

@@ -0,0 +1,147 @@
+{
+  "version": "v1",
+  "config": {
+    "name": "apko-discover.yaml",
+    "checksum": "sha256-D1mtHLoTBln0iH+VqWZMIPQOScXMWprVolB2sihPWAk="
+  },
+  "contents": {
+    "keyring": [
+      {
+        "name": "./testdata/melange.rsa.pub",
+        "url": "./testdata/melange.rsa.pub"
+      },
+      {
+        "name": "alpinelinux.org/keys/alpine-devel%40lists.alpinelinux.org-6165ee59.rsa.pub",
+        "url": "https://alpinelinux.org/keys/alpine-devel%40lists.alpinelinux.org-6165ee59.rsa.pub"
+      },
+      {
+        "name": "alpinelinux.org/keys/alpine-devel%40lists.alpinelinux.org-616ae350.rsa.pub",
+        "url": "https://alpinelinux.org/keys/alpine-devel%40lists.alpinelinux.org-616ae350.rsa.pub"
+      },
+      {
+        "name": "apk.cgr.dev/chainguard/chainguard-6ea100e7571978828f8455393090cc468e1f22dfc771ad2d26df14e52b73c37f.rsa.pub",
+        "url": "https://apk.cgr.dev/chainguard/chainguard-6ea100e7571978828f8455393090cc468e1f22dfc771ad2d26df14e52b73c37f.rsa.pub"
+      },
+      {
+        "name": "apk.cgr.dev/chainguard/chainguard-7fb528a64a862d44bbea6069093f1fec29fa864ba7e9754828eeceed3f487239.rsa.pub",
+        "url": "https://apk.cgr.dev/chainguard/chainguard-7fb528a64a862d44bbea6069093f1fec29fa864ba7e9754828eeceed3f487239.rsa.pub"
+      },
+      {
+        "name": "apk.cgr.dev/chainguard/chainguard-a87b67b52e9fa08414a5535a99adc7b66643536ccd52f4da66057b67adf21363.rsa.pub",
+        "url": "https://apk.cgr.dev/chainguard/chainguard-a87b67b52e9fa08414a5535a99adc7b66643536ccd52f4da66057b67adf21363.rsa.pub"
+      }
+    ],
+    "build_repositories": [],
+    "runtime_repositories": [],
+    "repositories": [
+      {
+        "name": "dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64",
+        "url": "https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz",
+        "architecture": "x86_64"
+      },
+      {
+        "name": "apk.cgr.dev/chainguard/x86_64",
+        "url": "https://apk.cgr.dev/chainguard/x86_64/APKINDEX.tar.gz",
+        "architecture": "x86_64"
+      },
+      {
+        "name": "./testdata/packages/x86_64",
+        "url": "./testdata/packages/x86_64/APKINDEX.tar.gz",
+        "architecture": "x86_64"
+      },
+      {
+        "name": "dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64",
+        "url": "https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz",
+        "architecture": "aarch64"
+      },
+      {
+        "name": "apk.cgr.dev/chainguard/aarch64",
+        "url": "https://apk.cgr.dev/chainguard/aarch64/APKINDEX.tar.gz",
+        "architecture": "aarch64"
+      },
+      {
+        "name": "./testdata/packages/aarch64",
+        "url": "./testdata/packages/aarch64/APKINDEX.tar.gz",
+        "architecture": "aarch64"
+      }
+    ],
+    "packages": [
+      {
+        "name": "pretend-baselayout",
+        "url": "./testdata/packages/x86_64/pretend-baselayout-1.0.0-r0.apk",
+        "version": "1.0.0-r0",
+        "architecture": "x86_64",
+        "signature": {
+          "range": "bytes=0-648",
+          "checksum": "sha1-V+Htugmm+Ru2ogsWm7VgD4A1DsQ="
+        },
+        "control": {
+          "range": "bytes=649-1562",
+          "checksum": "sha1-DRtLIHolxOMB++9L4ZjkeUFaKYc="
+        },
+        "data": {
+          "range": "bytes=1563-2767",
+          "checksum": "sha256-dZB1iTdQ2sfndKG6Ohf5VwWFjqz6kjSzZbqYU17BSRM="
+        },
+        "checksum": "Q1DRtLIHolxOMB++9L4ZjkeUFaKYc="
+      },
+      {
+        "name": "replayout",
+        "url": "./testdata/packages/x86_64/replayout-1.0.0-r0.apk",
+        "version": "1.0.0-r0",
+        "architecture": "x86_64",
+        "signature": {
+          "range": "bytes=0-647",
+          "checksum": "sha1-ZrPCeQ4XeDjZSQw+IhJ4g4BcUlo="
+        },
+        "control": {
+          "range": "bytes=648-1589",
+          "checksum": "sha1-IvTcfj6zzLipr9akZ+YRTIyQCr8="
+        },
+        "data": {
+          "range": "bytes=1590-2786",
+          "checksum": "sha256-IIzbGjwv4H9h6N1bEbF8p4cqkV0Ex54sXEsvf6txnEo="
+        },
+        "checksum": "Q1IvTcfj6zzLipr9akZ+YRTIyQCr8="
+      },
+      {
+        "name": "pretend-baselayout",
+        "url": "./testdata/packages/aarch64/pretend-baselayout-1.0.0-r0.apk",
+        "version": "1.0.0-r0",
+        "architecture": "aarch64",
+        "signature": {
+          "range": "bytes=0-644",
+          "checksum": "sha1-n9SJ91H1UwE+mkVVCifh6ziTwbc="
+        },
+        "control": {
+          "range": "bytes=645-1555",
+          "checksum": "sha1-URAMn9SfiCvjs6C812GovkgRgVo="
+        },
+        "data": {
+          "range": "bytes=1556-2762",
+          "checksum": "sha256-igCqZKcxRp6yHq2IlyozkM68Z6v9PMr/PDAIuSh2W3A="
+        },
+        "checksum": "Q1URAMn9SfiCvjs6C812GovkgRgVo="
+      },
+      {
+        "name": "replayout",
+        "url": "./testdata/packages/aarch64/replayout-1.0.0-r0.apk",
+        "version": "1.0.0-r0",
+        "architecture": "aarch64",
+        "signature": {
+          "range": "bytes=0-646",
+          "checksum": "sha1-1ifrimC4bUlo4O6aCGXcjOKAcTo="
+        },
+        "control": {
+          "range": "bytes=647-1586",
+          "checksum": "sha1-SWYSZF3dGLrN8kebGjOBfDH6vG4="
+        },
+        "data": {
+          "range": "bytes=1587-2787",
+          "checksum": "sha256-U85iWddHApXsVosa4S0srhkr3SSlzuoBrEpZg5f1irQ="
+        },
+        "checksum": "Q1SWYSZF3dGLrN8kebGjOBfDH6vG4="
+      }
+    ]
+  }
+}

internal/cli/testdata/apko-discover.yaml

@@ -0,0 +1,16 @@
+contents:
+  keyring:
+    - ./testdata/melange.rsa.pub
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.22/main
+    - https://apk.cgr.dev/chainguard
+    - ./testdata/packages
+  packages:
+    - replayout
+
+entrypoint:
+  command: /bin/sh -l
+
+archs:
+- x86_64
+- aarch64