Description
There are a couple of places where we write keys to etc/apk/keys in the image filesystem.
InitDB does some "magic" key discovery for alpine and chainguard keys for our build repositories.
InitKeyring writes any key files present in the image config or passed in as "extra" keys via flags/options.
Later, in GetRepositoryIndexes, we read all the keys from etc/apk/keys and pass them through into our index parsing code in order to validate signatures.
We have a concept of RuntimeOnlyRepositories and BuildRepositories.
We're currently writing keys for build-time repositories to etc/apk/keys and not writing the runtime-only repository keys.
This is kind of backwards! We don't want build-time only keys in the image, and we do want runtime-only keys in the image.
I think this happened because we don't pass around keys anywhere, we just write to the image FS and read from the image FS. Ideally, we'd have some kind of keyring we pass around at build time, and we only write runtime repository keys to etc/apk/keys.
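One shape the proposed keyring could take, as an added example and not apko's own code (the Repository fields, Keyring and ImageFS types are assumptions): keys of build repositories travel through the build in a keyring for index validation, and only keys of repositories the image uses at runtime are written to etc/apk/keys.

```go
package main

import (
	"fmt"
	"path"
)

// Repository is a hypothetical model of one apko repository entry (field names
// assumed): Build marks BuildRepositories, Runtime marks repositories the
// image itself uses; a RuntimeOnly repository has Runtime set and Build unset.
type Repository struct {
	URL     string
	Build   bool
	Runtime bool
	KeyName string // public key file name, e.g. "chainguard.rsa.pub"
	KeyData []byte
}

// Keyring is passed around at build time instead of being re-read from the
// image filesystem: key file name -> public key bytes.
type Keyring map[string][]byte

// ImageFS is a constructed stand-in for the image filesystem: path -> contents.
type ImageFS map[string][]byte

const keyDir = "etc/apk/keys"

// PlanKeys returns the keyring used to validate APKINDEX signatures at build
// time and writes only runtime repository keys into etc/apk/keys in the image.
func PlanKeys(repos []Repository, img ImageFS) (Keyring, error) {
	ring := Keyring{}
	for _, r := range repos {
		if len(r.KeyData) == 0 {
			return nil, fmt.Errorf("repository %s has no key; cannot validate its index", r.URL)
		}
		if r.Build {
			ring[r.KeyName] = r.KeyData // needed only while building
		}
		if r.Runtime {
			img[path.Join(keyDir, r.KeyName)] = r.KeyData // needed by apk inside the image
		}
	}
	return ring, nil
}
```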