Skip to content

failed to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub: #1944

Closed
#1949
Closed
failed to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub:#1944
#1949
@marcofranssen

Description

@marcofranssen
marcofranssen
opened on Nov 19, 2025

I'm using apko to build the base image for some of our dagger modules. Since yesterday we fail to update our base images with following error:

2025/11/19 09:55:44 WARN failed to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub: verify PKCS1v15 signature: crypto/rsa: verification error
index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys

See here our apko configuration file:

contents:
 repositories:
 - https://dl-cdn.alpinelinux.org/alpine/v3.22/main
 - https://dl-cdn.alpinelinux.org/alpine/v3.22/community
 packages:
 - alpine-baselayout
 - ca-certificates-bundle
 - alpine-keys
 - aws-cli
 - opentofu
archs: [x86_64, aarch64]
environment:
 PATH: /usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
entrypoint:
 command: tofu
cmd: version

To isolate the problem and make it reproduceable without involving Dagger I did following test.

$ docker run --rm -it cgr.dev/chainguard/wolfi-base

Then inside the container do following:

$ echo 'contents:
 repositories:
 - https://dl-cdn.alpinelinux.org/alpine/v3.22/main
 - https://dl-cdn.alpinelinux.org/alpine/v3.22/community
 packages:
 - alpine-baselayout
 - ca-certificates-bundle
 - alpine-keys
 - aws-cli
 - opentofu
archs: [x86_64, aarch64]
environment:
 PATH: /usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
entrypoint:
 command: tofu
cmd: version
' > apko.yaml
$ apk add --no-cache apko
$ apko build apko.yaml ttl.sh/stuff/test:latest .
2025/11/19 09:55:44 WARN failed to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub: verify PKCS1v15 signature: crypto/rsa: verification error
2025/11/19 09:55:44 WARN failed to verify signature for keyfile alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub: verify PKCS1v15 signature: crypto/rsa: verification error
Error: locking config: resolving apk packages: for arch "arm64": error getting repository indexes: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
for arch "amd64": getting indexes for "arm64" sibling: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
2025/11/19 09:55:44 INFO error during command execution: locking config: resolving apk packages: for arch "arm64": error getting repository indexes: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
for arch "amd64": getting indexes for "arm64" sibling: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys

It happens for aarch64 architectures. When removing aarch64 from the apko.yaml configuration it succeeds.

Potential thing that could have caused breaking it:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions