Apk UNTRUSTED signature errors when compiling latest snapshot

anon_openwrt · November 23, 2024, 2:37am

/openwrtbuilder/src/r4s/snapshot-src/staging_dir/host/bin/apk mkndx \
		--root /home/anonopenwrt/.local/bin/openwrtbuilder/src/r4s/snapshot-src \
		--keys-dir /home/anonopenwrt/.local/bin/openwrtbuilder/src/r4s/snapshot-src \
		--sign /home/anonopenwrt/.local/bin/openwrtbuilder/src/r4s/snapshot-src/private-key.pem \
		--output packages.adb \
		*.apk; \
)
ERROR: apk-mbedtls-3.0.0_pre20241108-r2.apk: UNTRUSTED signature
ERROR: base-files-1633~487ca61f91.apk: UNTRUSTED signature
ERROR: base-files-1633~77cfe8fd15.apk: UNTRUSTED signature
ERROR: base-files-1637~22664498eb.apk: UNTRUSTED signature
ERROR: base-files-1637~7e287b563a.apk: UNTRUSTED signature
ERROR: dropbear-2024.85-r1.apk: UNTRUSTED signature
ERROR: dropbearconvert-2024.85-r1.apk: UNTRUSTED signature
ERROR: iperf3-3.17.1-r3.apk: UNTRUSTED signature
ERROR: kernel-6.6.60~83585006f1fa7ee866e627843af17cfe-r1.apk: UNTRUSTED signature
ERROR: kernel-6.6.61~83585006f1fa7ee866e627843af17cfe-r1.apk: UNTRUSTED signature
ERROR: kmod-3c59x-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-6lowpan-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-8139cp-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-8139too-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-9pnet-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-ac97-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-ag71xx-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-alx-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-aoe-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-arptables-6.6.60-r1.apk: UNTRUSTED signature
**snip**
ERROR: luci-theme-bootstrap-24.320.57985~1a4b6ad.apk: UNTRUSTED signature
ERROR: luci-theme-bootstrap-24.322.80622~a403707.apk: UNTRUSTED signature
ERROR: luci-theme-bootstrap-24.324.44605~b9496f2.apk: UNTRUSTED signature
ERROR: odhcp6c-2023.05.12~bcd28363-r20.apk: UNTRUSTED signature
ERROR: 955 errors, not creating index
make[2]: *** [package/Makefile:70: package/merge-index] Error 99

Should I add --allow-untrusted to that build command or is there an issue with the key provided in the repo?

hnyman · November 23, 2024, 6:33am

Are you really compiling from sources? (Or just using imagebuilder that uses buildbot .apks?)

If you are compiling from sources, a private build key should have been generated automatically into your buildroot.
And .apks compiled by you would be signed with that, and they would be later trusted as your key gets into the firmware image, too. The official OpenWrt key used by the buildbot should also be automatically in the image.

hnyman · November 23, 2024, 6:36am

It is also strange/wrong that there would be two different kernel versions visible at the same time. Especially that there would be same hash although version itself has changed.

Somehow this looks like semi-stale .APK repo and/or build system, where you see both new and old version at the same time.

slh · November 23, 2024, 6:43am

If you look at the discussions of (one of) the recent pull requests, there's an an open issue with (source-) package cleanup during the build process (_ vs - as version delimiter). intel-microcode is also s package prone to falling over this.

github.com/openwrt/openwrt

build: apk: Fix package cleaning

openwrt:main ← hauke:apt-opkg_package_files

opened 10:50PM - 19 Nov 24 UTC

hauke

+1 -1

Fix the regex for removing packages. APK uses a "-" between the package name and… the version. opkg used a "_" between them. This fixes removing package in build clean when using apk. This generates for example this file name: ``` /home/hauke/openwrt/openwrt/bin/packages/mips_24kc/base/libmbedtls21-3.6.2-r1.apk ``` In OPKG we used _ to seperate the package name and the version string. With apk we use a - and can not really say where the package name ends and where the version begins.