failed to verify signature for keyfile [email protected]: #1944

@marcofranssen

I'm using apko to build the base image for some of our dagger modules. Since yesterday we fail to update our base images with the following error:

```
2025/11/19 09:55:44 WARN failed to verify signature for keyfile [email protected]: verify PKCS1v15 signature: crypto/rsa: verification error
index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
```

See here our apko configuration file:

```yaml
contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.22/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.22/community
  packages:
    - alpine-baselayout
    - ca-certificates-bundle
    - alpine-keys
    - aws-cli
    - opentofu
archs: [x86_64, aarch64]
environment:
  PATH: /usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
entrypoint:
  command: tofu
cmd: version
```

To isolate the problem and make it reproducible without involving Dagger, I did the following test.

```console
$ docker run --rm -it cgr.dev/chainguard/wolfi-base
```

Then inside the container do the following:

```console
$ echo 'contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.22/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.22/community
  packages:
    - alpine-baselayout
    - ca-certificates-bundle
    - alpine-keys
    - aws-cli
    - opentofu
archs: [x86_64, aarch64]
environment:
  PATH: /usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
entrypoint:
  command: tofu
cmd: version
' > apko.yaml
$ apk add --no-cache apko
$ apko build apko.yaml ttl.sh/stuff/test:latest .
2025/11/19 09:55:44 WARN failed to verify signature for keyfile [email protected]: verify PKCS1v15 signature: crypto/rsa: verification error
2025/11/19 09:55:44 WARN failed to verify signature for keyfile [email protected]: verify PKCS1v15 signature: crypto/rsa: verification error
Error: locking config: resolving apk packages: for arch "arm64": error getting repository indexes: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
for arch "amd64": getting indexes for "arm64" sibling: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
2025/11/19 09:55:44 INFO error during command execution: locking config: resolving apk packages: for arch "arm64": error getting repository indexes: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
for arch "amd64": getting indexes for "arm64" sibling: reading index https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: parsing https://dl-cdn.alpinelinux.org/alpine/v3.22/main/aarch64/APKINDEX.tar.gz: signature verification failed for repository index, for all provided keys
```

It happens for aarch64 architectures. When removing aarch64 from the apko.yaml configuration it succeeds.

Potential thing that could have caused breaking it:

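Added example, not part of the original issue and not apko's own code: a triage helper that reads the signature segment of an `APKINDEX.tar.gz` and reports which key name signed it, so a "failed for all provided keys" error can be separated into "signed by a key the build does not trust" versus "signed by a trusted key but the bytes do not match". It assumes the APK v2 index layout (a first gzip stream holding a `.SIGN.RSA.<key name>` tar member, followed by the signed gzip stream); the function names, the key names and the sample index are constructed for illustration.

```python
import gzip, hashlib, io, tarfile, zlib

# Signature member prefix -> digest the RSA signature is computed over.
SIG_PREFIXES = ((".SIGN.RSA256.", "sha256"), (".SIGN.RSA.", "sha1"))

def split_first_gzip(blob):
    """Return (decompressed first gzip stream, raw bytes that follow it)."""
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
    first = d.decompress(blob)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return first, d.unused_data

def signature_info(blob, trusted_key_names):
    """Report which key signed an index; does not verify the signature."""
    sig_tar, signed = split_first_gzip(blob)
    # The signature segment is a tar stream without an end-of-archive marker.
    with tarfile.open(fileobj=io.BytesIO(sig_tar), mode="r:") as tf:
        member = tf.next()
        if member is None or not member.isfile():
            raise ValueError("no signature member in first gzip stream")
        signature = tf.extractfile(member).read()
    for prefix, algo in SIG_PREFIXES:
        if member.name.startswith(prefix):
            key = member.name[len(prefix):]
            return {
                "key": key,
                "key_trusted": key in trusted_key_names,
                "digest_algo": algo,
                "signature_bits": len(signature) * 8,
                # Digest of the raw (still compressed) bytes after the signature.
                "signed_digest": hashlib.new(algo, signed).hexdigest(),
            }
    raise ValueError(f"first member {member.name!r} is not a signature")

def build_sample(key_name, signature, index_text):
    """Constructed input: dummy signature segment plus dummy index segment."""
    def tar_bytes(name, data):
        buf = io.BytesIO()
        info = tarfile.TarInfo(name)
        info.size = len(data)
        with tarfile.open(fileobj=buf, mode="w:", format=tarfile.USTAR_FORMAT) as tf:
            tf.addfile(info, io.BytesIO(data))
        return buf.getvalue()
    sig_seg = tar_bytes(".SIGN.RSA." + key_name, signature)
    sig_seg = sig_seg[: 512 + -(-len(signature) // 512) * 512]  # drop EOF marker
    return gzip.compress(sig_seg) + gzip.compress(tar_bytes("APKINDEX", index_text))
```

Running `signature_info` on the index fetched for each architecture, with the file names of the trusted `.rsa.pub` keys as `trusted_key_names`, shows whether the failing architecture is signed under a different key name; comparing `signed_digest` across two fetches shows whether the index bytes changed between them.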