Keyring naming from server's returning `content-disposition: foo.pub` like artifactory

When using server like artifactory, that maintains the .rsa.pub keys on URL like:

https://artifactoryHostFoo/artifactory/api/security/keypair/public/repositories/development-alpine-virtual

We cannot use such keys using rules_apko, at the resolved path is not *.pub.

The URL returns:

< HTTP/2 200
< content-disposition: attachment; filename=alpine.rsa.pub
< content-type: application/jso

but it's too late in bazel's processing phases to interpret.

The download stores as the URL path:

rules_apko/apko/private/apk.bzl

Lines 149 to 152 in 1ca116a

    
           rctx.download( 
        
               url = [rctx.attr.url], 
        
               output = "{}/{}".format(repo, path), 
        
           )

So

rules_apko/apko/private/apk.bzl

Lines 127 to 130 in 1ca116a

    
           filegroup( 
        
               name = "keyring",  
        
               srcs = glob(["**/*.pub"]), 
        
               visibility = ["//visibility:public"]

does not matches it with *.pub:

Solutions to consider:

Pass the downloaded file explicitly to APK_KEYRING_TMPL to avoid *.pub resolution.
State that downloading *.pub keys from the internet (likely from the same server as artifacts is not safe), as compromised server could serve both: compromised pub key and artifacts...
(it's not that bad as resolved json file contains the checksums of the files - including the pub.key - but it's easy to overlook).
But if that's the recommendation, we should add explicit support for "keyrings" attribute in the apko_image rule.

This is now DONE.

	rctx.download(
	url = [rctx.attr.url],
	output = "{}/{}".format(repo, path),
	)

	filegroup(
	name = "keyring",
	srcs = glob(["*/.pub"]),
	visibility = ["//visibility:public"]