[apk] Cannot sign package #799

Closed · 2 tasks done
cnt0 opened this issue Mar 16, 2024 · 3 comments · Fixed by #804
Labels: bug (Something isn't working)

cnt0 (Contributor) commented Mar 16, 2024

What happened?

Hello. I'm trying to sign an apk package with a key generated by abuild-keygen, which is a standard tool for the Alpine Linux distribution.

It fails with the following message:

signing error: parse PKCS1 private key: x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)

How can we reproduce this?

  1. generate a keypair using the following command: $ abuild-keygen -a -i, it'll be saved to ~/.abuild and /etc/apk/keys
  2. add signature information to nfpm.yaml (the exact key name will indeed be different):
     apk:
       signature:
         key_file: /home/user/.abuild/user@email.com-xxxxxxxx.rsa
         key_name: user@email.com-xxxxxxxx
  3. try generating a package:
     $ nfpm pkg --packager apk --target package.apk

expected result: apk successfully generated

actual result: the aforementioned message

signing error: parse PKCS1 private key: x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)

this issue can be solved by manually converting the key to the required PKCS1 format: openssl rsa -in key.pkcs8 -out key.pkcs1 -traditional, but still, I believe the default can be changed.

nfpm version

GitVersion:    2.35.3
GitCommit:     unknown
GitTreeState:  unknown
BuildDate:     unknown
BuiltBy:       unknown
GoVersion:     go1.22.1
Compiler:      gc
ModuleSum:     unknown
Platform:      linux/amd64

Additional context

openssl version, just in case:

$ openssl version
OpenSSL 3.1.5 30 Jan 2024 (Library: OpenSSL 3.1.5 30 Jan 2024)

Also, I verified that the key generated by abuild-keygen is indeed a PEM-encoded RSA-4096 private key.

abuild-keygen version: abuild-keygen 3.12.0-r4

caarlos0 (Member) commented

good find!

if anyone wants to PR this, please feel free to :)

cnt0 (Contributor, Author) commented Mar 17, 2024

I'll make a PR in case of successful time allocation, which is non-deterministic :/

Also, I'd like to mention that apk-tools developers are currently cooking up a completely new binary format for their packages, with sha512 signatures and the like (apk v3; the current one is apk v2), so this will require more work in the future.

caarlos0 (Member) commented

ahh, good to know!

cnt0 added a commit to cnt0/nfpm that referenced this issue Mar 26, 2024
Call correct parsing function for given RSA key depending on its PEM
header. So we can use both PKCS1 and PKCS8 keys to sign APK files.

Fixes goreleaser#799
caarlos0 pushed a commit that referenced this issue Mar 27, 2024
* support PKCS8 keys for APK signing

Call correct parsing function for given RSA key depending on its PEM
header. So we can use both PKCS1 and PKCS8 keys to sign APK files.

Fixes #799

* fix golangci-lint warnings