CVE-2026-42576 apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...

Incorrect Type Conversion or Cast

Overview Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast in the DiscoverKeys process. An attacker can cause the application to crash by providing a non-RSA key such as an EC key from a repository JWKS endpoint, which triggers a panic due to an unchecked type...

Incorrect Type Conversion or Cast

Overview Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast in the DiscoverKeys process. An attacker can cause the application to crash by providing a non-RSA key such as an EC key from a repository JWKS endpoint, which triggers a panic due to an unchecked type...

GHSA-M7HM-VM4X-28JF apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g. EC, the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK...