[Bug]: Bad signature error about dd-trace-php HOT 6 CLOSED

@wadakatu

I would like to know why the --allow-untrusted flag is necessary.

Disclaimer: I am no Alpine expert 😃

Our packaging logic wasn't changed. However, considering that the alpine image was last pushed two days ago, something may have changed on their side.

With that said, the usage of --allow-untrusted was the publicly documented way of installing the apk package. Moreover, we use this flag in our test suite, and it has always been so.

To be totally honest with you, I'm even a tad surprised it was working without the flag before 🤔

I hope it helped 🙏

from dd-trace-php.

Interesting; thanks for the pointers!
It seems like jordansissel/fpm#2059 is the github issue for us to follow then :-)

from dd-trace-php.

Hey @wadakatu 👋

Local APKs must be installed with the --allow-untrusted flag. I tried running the following Dockerfile, and it worked :-)

FROM php:8.1-fpm-alpine

RUN curl -Lo datadog-php-tracer.apk https://github.com/DataDog/dd-trace-php/releases/download/0.86.3/datadog-php-tracer_0.86.3_x86_64.apk && apk add datadog-php-tracer.apk --allow-untrusted
RUN rm datadog-php-tracer.apk

from dd-trace-php.

@PROFeNoM

Thank you for your reply.
I thought that using the --allow-untrusted flag might lead to security issues, so I was hesitant to use it.

I would like to know why the --allow-untrusted flag is necessary. Has there been a recent change to the requirements for datadog-php-tracer, or is there another reason? It was working without the '--allow-untrusted' flag until last week, and I am curious about this sudden change.

from dd-trace-php.

@PROFeNoM

Thank you for your response :)

I attempted to use the --allow-untrusted option, but it was unfortunately unsuccessful.
Here is the Dockerfile snippet where I encountered the issue:

FROM php:8.1-fpm-alpine

RUN apk upgrade

RUN curl -Lo datadog-php-tracer.apk https://github.com/DataDog/dd-trace-php/releases/download/0.86.3/datadog-php-tracer_0.86.3_x86_64.apk && apk add datadog-php-tracer.apk --allow-untrusted
RUN rm datadog-php-tracer.apk

Presumably, adding apk upgrade seemed to cause the problem, as it worked fine without that step.
I suspect the issue might be related to an update in apk-tools as part of the apk upgrade.

However, I am not an expert in Alpine Linux either, so I will post a new issue in the Alpine Linux repository and wait for feedback there.
I do not believe this issue is related to Datadog, thus I will close this issue here.

Thank you for your excellent support.

from dd-trace-php.

@PROFeNoM

Hi.

I kept investigating about this issue and I am 98% certain that the issue is related to apk-tools.
Yesterday, I attempted to install the Datadog package using apk-tools v2.14.3, but encountered a bad signature error. However, today, I successfully installed the Datadog package using apk-tools v2.14.4 without any issues. It seems that there was an initial attempt to tighten the package installation process which resulted in the bad signature error, but this restriction was subsequently relaxed.

Additionally, I was able to successfully install datadog-php-tracer with apk-tools v2.14.4. However, I received the following warning message from apk-tools while installing datadog package:

WARNING: Support for packages without datahash will be dropped in apk-tools 3.

I assume that this warning suggests that Datadog's package should include a proper datahash to ensure compatibility with future releases of apk-tools v3.

Below are links to an issue and a pull request related to apk-tools that might be relevant to this problem:

Issue #11000 on GitLab
Related commit on GitLab

Hopes it helps.

from dd-trace-php.