apko does not follow content-disposition headers when fetching key files

[fluix-dev]

Forgejo/Gitea allows creating an Alpine package registry and hosts the repository key at:

https://forgejo.example.com/api/packages/{owner}/alpine/key

with the actual name in the content-disposition header, e.g.:

content-disposition: attachment; filename="test@5c6bb80ae094a76863d00718d8ff0fc208ae441d0e3e302d29d185b929eea22c.rsa.pub"; filename*=UTF-8''test@5c6bb80ae094a76863d00718d8ff0fc208ae441d0e3e302d29d185b929eea22c.rsa.pub

However, apko writes it to a file based on a call to filepath.Base on the URL, i.e. key:

apko/pkg/apk/apk/implementation.go

Line 599 in 74e6408

if err := a.fs.WriteFile(filepath.Join("etc", "apk", "keys", filepath.Base(element)), data,

This leads to this warning and error when actually trying to verify signatures:

2026/05/30 21:59:44 WARN skipping signature .SIGN.RSA.test@5c6bb80ae094a76863d00718d8ff0fc208ae441d0e3e302d29d185b929eea22c.rsa.pub due to missing keyfile: test@5c6bb80ae094a76863d00718d8ff0fc208ae441d0e3e302d29d185b929eea22c.rsa.pub

Error: locking config: resolving apk packages: for arch "amd64": error getting repository indexes: reading index https://forgejo.internal.fluix.one/api/packages/steven/alpine/v3.23/main/x86_64/APKINDEX.tar.gz: parsing https://forgejo.internal.fluix.one/api/packages/steven/alpine/v3.23/main/x86_64/APKINDEX.tar.gz: no signature with known key (one of: [alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub key]) found in repository index

Note they "key" entry in "one of: [alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub key]" instead of the actual name.

Solution

Perhaps we just remove the common writing code and handle things separately depending on file/request scheme?