Keyring naming from server's returning `content-disposition: foo.pub` like artifactory
Closed this issue · 1 comment
When using a server like Artifactory, which maintains the .rsa.pub keys on URLs like:

https://artifactoryHostFoo/artifactory/api/security/keypair/public/repositories/development-alpine-virtual

we cannot use such keys with rules_apko, as the resolved path is not *.pub.
The URL returns:

```
< HTTP/2 200
< content-disposition: attachment; filename=alpine.rsa.pub
< content-type: application/jso
```

but it's too late in Bazel's processing phases to interpret.
The download is stored under the URL path:

rules_apko/apko/private/apk.bzl, lines 149 to 152 in 1ca116a

So

rules_apko/apko/private/apk.bzl, lines 127 to 130 in 1ca116a

*.pub:
Solutions to consider:

- Pass the downloaded file explicitly to APK_KEYRING_TMPL to avoid *.pub resolution.
- State that downloading *.pub keys from the internet (likely from the same server as the artifacts) is not safe, as a compromised server could serve both: a compromised pub key and artifacts...
  (it's not that bad, as the resolved JSON file contains the checksums of the files, including the pub key, but it's easy to overlook).
  But if that's the recommendation, we should add explicit support for a "keyrings" attribute in the apko_image rule.
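The two points above (naming the downloaded key so the `*.pub` convention accepts it, and trusting it only because the lockfile pins its checksum) can be shown together in plain Python. This is an added example, not rules_apko's code or Starlark: the function names, the header-parsing regex and the idea of a single `expected_sha256` argument standing in for whatever the resolved JSON records are all assumptions made here; only the URL and the `content-disposition` value come from the issue.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote, urlparse

# Constructed sample input: the Artifactory-style URL quoted in the issue and
# the headers it returns. The issue shows the Content-Type truncated; it is
# assumed to be application/json here (it plays no role in the logic).
SAMPLE_URL = ("https://artifactoryHostFoo/artifactory/api/security/keypair/"
              "public/repositories/development-alpine-virtual")
SAMPLE_HEADERS = {
    "content-disposition": "attachment; filename=alpine.rsa.pub",
    "content-type": "application/json",
}

# Plain filename= parameter, quoted or bare. The RFC 5987 filename*= form is
# deliberately not matched; such headers fall back to the URL basename.
_FILENAME_RE = re.compile(r'(?<!\w)filename=(?:"([^"]*)"|([^;]+))', re.IGNORECASE)


def url_basename(url):
    """The name Bazel derives from the URL path (the issue's failure mode)."""
    return unquote(urlparse(url).path.rstrip("/").rsplit("/", 1)[-1])


def content_disposition_filename(header):
    """Filename from a Content-Disposition header, or None if there is none."""
    if not header:
        return None
    m = _FILENAME_RE.search(header)
    if not m:
        return None
    name = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    # Reduce to a basename: a server-supplied header must never be allowed to
    # steer the file outside the download directory.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        return None
    return name


def keyring_filename(url, headers, default_suffix=".rsa.pub"):
    """Pick a keyring file name that a *.pub lookup will accept: prefer the
    server's Content-Disposition name, else the URL basename, and append a
    suffix (assumed default .rsa.pub) when neither ends in .pub."""
    lowered = {k.lower(): v for k, v in headers.items()}
    name = content_disposition_filename(lowered.get("content-disposition"))
    if name is None:
        name = url_basename(url)
    if not name:
        raise ValueError("cannot derive a key file name from %s" % url)
    if not name.endswith(".pub"):
        name += default_suffix
    return name


def key_is_trusted(data, expected_sha256):
    """True only if the downloaded bytes match the checksum pinned in the
    lockfile. This, not the server's name for the file, is what lets a key
    fetched from the same host as the artifacts be used at all."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def pin_and_name_key(url, headers, data, expected_sha256):
    """Return the keyring filename for a downloaded key, or raise if its
    bytes do not match the pinned checksum."""
    if not key_is_trusted(data, expected_sha256):
        raise ValueError("public key from %s does not match pinned checksum" % url)
    return keyring_filename(url, headers)


if __name__ == "__main__":
    # Constructed stand-in for the key bytes; the pinned value is what a
    # lockfile would have recorded when the key was first resolved.
    key_bytes = b"-----BEGIN PUBLIC KEY-----\nconstructed sample, not a real key\n-----END PUBLIC KEY-----\n"
    pinned = hashlib.sha256(key_bytes).hexdigest()
    print(url_basename(SAMPLE_URL))                                 # development-alpine-virtual
    print(pin_and_name_key(SAMPLE_URL, SAMPLE_HEADERS, key_bytes, pinned))  # alpine.rsa.pub
```

Run stand-alone, the first line printed is the name Bazel would store the download under (no `.pub`), the second is the name the header supplies. The checksum check is kept separate from the naming so that a missing or odd `Content-Disposition` only changes the file name, never whether the key is accepted.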
This is now DONE.