[Bug]: Bad signature error

[wadakatu]

Bug report

Hi.

I have been implementing a Docker build process, which involves downloading an APK file for the Datadog PHP tracer and installing it using apk add. Here is the Dockerfile:

FROM php:8.1-fpm-alpine

RUN curl -Lo datadog-php-tracer.apk https://github.com/DataDog/dd-trace-php/releases/download/0.86.3/datadog-php-tracer_0.86.3_x86_64.apk && apk add datadog-php-tracer.apk
RUN rm datadog-php-tracer.apk

This process worked flawlessly until this week. However, today I encountered an error during the APK installation part:

#21 1.592 (1/1) Installing datadog-php-tracer (0.86.3)
#21 2.406 ERROR: datadog-php-tracer-0.86.3: BAD signature
#21 2.456 1 error; 483 MiB in 144 packages
#21 ERROR: process "/bin/sh -c curl -Lo datadog-php-tracer.apk https://github.com/DataDog/dd-trace-php/releases/download/0.86.3/datadog-php-tracer_0.86.3_x86_64.apk && apk add datadog-php-tracer.apk --allow-untrusted" did not complete successfully: exit code: 1

I tried several different versions (0.86.3, 0.87.0, 0.87.2) with the same outcome and none of them worked. As you are not familiar with the specifics of apk, you are unsure of the exact problem or solution.

Could you please provide any advice on how to resolve this issue?
Thank you.

PHP version

8.1.28

Tracer or profiler version

0.86.3

Installed extensions

No response

Output of phpinfo()

No response

Upgrading from

No response

[PROFeNoM]

Hey @wadakatu 👋

Local APKs must be installed with the --allow-untrusted flag. I tried running the following Dockerfile, and it worked :-)

FROM php:8.1-fpm-alpine

RUN curl -Lo datadog-php-tracer.apk https://github.com/DataDog/dd-trace-php/releases/download/0.86.3/datadog-php-tracer_0.86.3_x86_64.apk && apk add datadog-php-tracer.apk --allow-untrusted
RUN rm datadog-php-tracer.apk

[wadakatu]

@PROFeNoM

Thank you for your reply.
I thought that using the --allow-untrusted flag might lead to security issues, so I was hesitant to use it.

I would like to know why the --allow-untrusted flag is necessary. Has there been a recent change to the requirements for datadog-php-tracer, or is there another reason? It was working without the '--allow-untrusted' flag until last week, and I am curious about this sudden change.

[PROFeNoM]

@wadakatu

I would like to know why the --allow-untrusted flag is necessary.

Disclaimer: I am no Alpine expert 😃

Our packaging logic wasn't changed. However, considering that the alpine image was last pushed two days ago, something may have changed on their side.

With that said, the usage of --allow-untrusted was the publicly documented way of installing the apk package. Moreover, we use this flag in our test suite, and it has always been so.

To be totally honest with you, I'm even a tad surprised it was working without the flag before 🤔

I hope it helped 🙏

[wadakatu]

@PROFeNoM

Thank you for your response :)

I attempted to use the --allow-untrusted option, but it was unfortunately unsuccessful.
Here is the Dockerfile snippet where I encountered the issue:

FROM php:8.1-fpm-alpine

RUN apk upgrade

RUN curl -Lo datadog-php-tracer.apk https://github.com/DataDog/dd-trace-php/releases/download/0.86.3/datadog-php-tracer_0.86.3_x86_64.apk && apk add datadog-php-tracer.apk --allow-untrusted
RUN rm datadog-php-tracer.apk

Presumably, adding apk upgrade seemed to cause the problem, as it worked fine without that step.
I suspect the issue might be related to an update in apk-tools as part of the apk upgrade.

However, I am not an expert in Alpine Linux either, so I will post a new issue in the Alpine Linux repository and wait for feedback there.
I do not believe this issue is related to Datadog, thus I will close this issue here.

Thank you for your excellent support.

[wadakatu]

@PROFeNoM

Hi.

I kept investigating about this issue and I am 98% certain that the issue is related to apk-tools.
Yesterday, I attempted to install the Datadog package using apk-tools v2.14.3, but encountered a bad signature error. However, today, I successfully installed the Datadog package using apk-tools v2.14.4 without any issues. It seems that there was an initial attempt to tighten the package installation process which resulted in the bad signature error, but this restriction was subsequently relaxed.

Additionally, I was able to successfully install datadog-php-tracer with apk-tools v2.14.4. However, I received the following warning message from apk-tools while installing datadog package:

WARNING: Support for packages without datahash will be dropped in apk-tools 3.

I assume that this warning suggests that Datadog's package should include a proper datahash to ensure compatibility with future releases of apk-tools v3.

Below are links to an issue and a pull request related to apk-tools that might be relevant to this problem:

Issue #11000 on GitLab
Related commit on GitLab

Hopes it helps.

[bwoebi]

Interesting; thanks for the pointers!
It seems like jordansissel/fpm#2059 is the github issue for us to follow then :-)