bug: update-ca-certificates no longer found since v6.4.0 #628

New issue

Closed

opened 2025-07-01 09:27:21 +00:00 by viceice · 8 comments

viceice commented 2025-07-01 09:27:21 +00:00

Owner

Copy link

Can you reproduce the bug on the Forgejo test instance?

No

Description

The update-ca-certificates executable is no longer preinstalled on the image which i would consider a breaking change.

looks like it#s caused by alpine v1.21 or v1.22 update

• #591
• #616

Forgejo Version

unrelated

Runner Version

6.4.0

How are you running Forgejo?

unrelated

How are you running the Runner?

from docker image

Logs

No response

Workflow file

No response

### Can you reproduce the bug on the Forgejo test instance? No ### Description The `update-ca-certificates` executable is no longer preinstalled on the image which i would consider a breaking change. looks like it#s caused by alpine v1.21 or v1.22 update - https://code.forgejo.org/forgejo/runner/pulls/591 - https://code.forgejo.org/forgejo/runner/pulls/616 ### Forgejo Version unrelated ### Runner Version 6.4.0 ### How are you running Forgejo? unrelated ### How are you running the Runner? from docker image ### Logs _No response_ ### Workflow file _No response_

viceice added the

Kind/Bug

label 2025-07-01 09:27:21 +00:00

earl-warren commented 2025-07-01 09:29:59 +00:00

Contributor

Copy link

earl-warren:~$ docker run --rm data.forgejo.org/oci/alpine:3.21 which update-ca-certificates || echo not found
not found
earl-warren:~$ docker run --rm data.forgejo.org/oci/alpine:3.22 which update-ca-certificates || echo not found
not found

```sh earl-warren:~$ docker run --rm data.forgejo.org/oci/alpine:3.21 which update-ca-certificates || echo not found not found earl-warren:~$ docker run --rm data.forgejo.org/oci/alpine:3.22 which update-ca-certificates || echo not found not found ```

earl-warren commented 2025-07-01 09:32:24 +00:00

Contributor

Copy link

earl-warren:~$ docker run --rm data.forgejo.org/forgejo/runner:6.4.0 which update-ca-certificates || echo not found
not found
earl-warren:~$ docker run --rm data.forgejo.org/forgejo/runner:6.3.1 which update-ca-certificates || echo not found
/usr/sbin/update-ca-certificates

```sh earl-warren:~$ docker run --rm data.forgejo.org/forgejo/runner:6.4.0 which update-ca-certificates || echo not found not found earl-warren:~$ docker run --rm data.forgejo.org/forgejo/runner:6.3.1 which update-ca-certificates || echo not found /usr/sbin/update-ca-certificates ```

earl-warren commented 2025-07-01 09:35:49 +00:00

Contributor

Copy link

earl-warren:~$ docker run -ti --rm data.forgejo.org/oci/alpine:3.20 sh
/ # apk add --no-cache git bash
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
(1/17) Installing ncurses-terminfo-base (6.4_p20240420-r2)
(2/17) Installing libncursesw (6.4_p20240420-r2)
(3/17) Installing readline (8.2.10-r0)
(4/17) Installing bash (5.2.26-r0)
Executing bash-5.2.26-r0.post-install
(5/17) Installing ca-certificates (20241121-r1)
(6/17) Installing brotli-libs (1.1.0-r2)
(7/17) Installing c-ares (1.33.1-r0)
(8/17) Installing libunistring (1.2-r0)
(9/17) Installing libidn2 (2.3.7-r0)
(10/17) Installing nghttp2-libs (1.62.1-r0)
(11/17) Installing libpsl (0.21.5-r1)
(12/17) Installing zstd-libs (1.5.6-r0)
(13/17) Installing libcurl (8.12.1-r0)
(14/17) Installing libexpat (2.7.0-r0)
(15/17) Installing pcre2 (10.43-r0)
(16/17) Installing git (2.45.3-r0)
(17/17) Installing git-init-template (2.45.3-r0)
Executing busybox-1.36.1-r29.trigger
Executing ca-certificates-20241121-r1.trigger
OK: 22 MiB in 31 packages
/ # which update-ca-certificates
/usr/sbin/update-ca-certificates
/ # 

```sh earl-warren:~$ docker run -ti --rm data.forgejo.org/oci/alpine:3.20 sh / # apk add --no-cache git bash fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz (1/17) Installing ncurses-terminfo-base (6.4_p20240420-r2) (2/17) Installing libncursesw (6.4_p20240420-r2) (3/17) Installing readline (8.2.10-r0) (4/17) Installing bash (5.2.26-r0) Executing bash-5.2.26-r0.post-install (5/17) Installing ca-certificates (20241121-r1) (6/17) Installing brotli-libs (1.1.0-r2) (7/17) Installing c-ares (1.33.1-r0) (8/17) Installing libunistring (1.2-r0) (9/17) Installing libidn2 (2.3.7-r0) (10/17) Installing nghttp2-libs (1.62.1-r0) (11/17) Installing libpsl (0.21.5-r1) (12/17) Installing zstd-libs (1.5.6-r0) (13/17) Installing libcurl (8.12.1-r0) (14/17) Installing libexpat (2.7.0-r0) (15/17) Installing pcre2 (10.43-r0) (16/17) Installing git (2.45.3-r0) (17/17) Installing git-init-template (2.45.3-r0) Executing busybox-1.36.1-r29.trigger Executing ca-certificates-20241121-r1.trigger OK: 22 MiB in 31 packages / # which update-ca-certificates /usr/sbin/update-ca-certificates / # ```

earl-warren commented 2025-07-01 09:39:39 +00:00

Contributor

Copy link

So, indeed, v6.3.1 had ca-certificates indirectly installed by apk add git bash in alpine:3.20 but it no longer is true for alpine:3.22 which is what v6.4.0 uses.

While it would be possible to add ca-certificates to the image, I'm not sure I get why it is a breaking change. How is it not an internal detail?

So, indeed, v6.3.1 had `ca-certificates` indirectly installed by `apk add git bash` in alpine:3.20 but it no longer is true for alpine:3.22 which is what v6.4.0 uses. While it would be possible to add `ca-certificates` to the image, I'm not sure I get why it is a breaking change. How is it not an internal detail?

viceice commented 2025-07-01 09:49:13 +00:00

Author

Owner

Copy link

i think the problem can be missing ca-certificates, so some remotes won't be trusted? 🤔

i think the problem can be missing `ca-certificates`, so some remotes won't be trusted? 🤔

viceice commented 2025-07-01 09:59:10 +00:00

Author

Owner

Copy link

ok, in alpine v3.20 libcurl depends on the ca-certificates package, in v3.21 it only depends on ca-certificates-bundle, so only the bundled certificate is installed.

So it's a kind of detail and only breaking for users which try to add their own root certificates for internal use.

• https://pkgs.alpinelinux.org/package/v3.20/main/x86_64/libcurl
• https://pkgs.alpinelinux.org/package/v3.21/main/x86_64/libcurl

ok, in alpine v3.20 `libcurl` depends on the `ca-certificates` package, in v3.21 it only depends on `ca-certificates-bundle`, so only the bundled certificate is installed. So it's a kind of detail and only breaking for users which try to add their own root certificates for internal use. - https://pkgs.alpinelinux.org/package/v3.20/main/x86_64/libcurl - https://pkgs.alpinelinux.org/package/v3.21/main/x86_64/libcurl

viceice closed this issue 2025-07-01 09:59:10 +00:00

viceice commented 2025-07-01 10:01:11 +00:00

Author

Owner

Copy link

manual adding the required package now

https://github.com/visualon/docker-images/pull/3600/files

manual adding the required package now https://github.com/visualon/docker-images/pull/3600/files

👍 1

viceice commented 2025-07-01 10:08:08 +00:00

Author

Owner

Copy link

For reference:

• https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/69012/diffs
• https://gitlab.alpinelinux.org/alpine/aports/-/issues/16264
• https://gitlab.alpinelinux.org/alpine/aports/-/issues/16980

For reference: - https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/69012/diffs - https://gitlab.alpinelinux.org/alpine/aports/-/issues/16264 - https://gitlab.alpinelinux.org/alpine/aports/-/issues/16980

earl-warren referenced this issue from a commit 2025-07-28 17:10:27 +00:00

Fixes #598 (#628)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

renovate/forgejo-lxc-13.x

chore/testing-trixie

chore/testing-bookworm

expand-reusable-workflows-working-branch

feat-default_actions_url-on-step

2023-05-22-main-before-force-push

2023-04-30-main-before-force-push

v12.6.4

v12.6.3

v12.6.2

v12.6.1

v12.6.0

v12.5.3

v12.5.2

v12.5.1

v12.5.0

v12.4.0

v12.3.1

v12.3.0

v12.2.0

v12.1.2

v12.1.1

v12.1.0

v12.0.1

v12.0.0

v11.3.1

v11.3.0

v11.2.0

v11.1.2

v11.1.1

v11.1.0

v11.0.0

v10.0.1

v10.0.0

v9.1.1

v9.1.0

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.0.1

v8.0.0

v7.0.0

v6.4.0

v6.3.1

v6.3.0

v6.2.2

v6.2.1

v6.2.0

v6.1.0

v6.0.1

v6.0.0

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.0.1

v4.0.0

v3.5.1

v3.5.0

v3.4.1

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.5.0

v2.4.0

v2.3.0

v2.2.0

v2.1.0

v2.0.4

v2.0.3

v2.0.2

v1.5.0

v2.0.1

v2.0.0

v1.8.1

v1.8.0

v1.7.0

v1.6.0

v1.4.3

v1.4.2

v1.4.1

v1.3.1

v1.4.0

v1.3.0

v1.2.0

v1.1.0

v0.0.1

v1.0.1

v1.0.0

Labels

Clear labels   

FreeBSD

  

Kind/Breaking

Breaking change that won't be backward compatible

  

Kind/Bug

Something is not working

  

Kind/Chore

It is no fun but it needs to be done, this is a chore.

  

Kind/DependencyUpdate

for pull requests that are created by renovate when updating a dependency

  

Kind/Documentation

Documentation changes

  

Kind/Enhancement

Improve existing functionality

  

Kind/Feature

New functionality

  

Kind/Security

This is security issue

  

Kind/Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

  

Windows

Windows ports is an independent project, see https://github.com/Crown0815/Forgejo-runner-windows-builder

  

linux-powerpc64le

powerpc64le

  

linux-riscv64

  

linux-s390x

  

run-end-to-end-tests

Run https://code.forgejo.org/forgejo/end-to-end with a runner compiled from this pull request

  

run-forgejo-tests

Run https://codeberg.org/forgejo/forgejo tests importing the runner from this pull request

No labels

FreeBSD

Kind/Breaking

Kind/Bug

Kind/Chore

Kind/DependencyUpdate

Kind/Documentation

Kind/Enhancement

Kind/Feature

Kind/Security

Kind/Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Status

Abandoned

Status

Blocked

Status

Need More Info

Windows

linux-powerpc64le

linux-riscv64

linux-s390x

run-end-to-end-tests

run-forgejo-tests

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo/runner#628

No description provided.