Merge pull request #68 from kunkku/fix-apk-static

lxc-alpine: Improve integrity checking of static package manager
2024-12-21 22:10:13 +00:00 · 2024-12-10 10:54:48 -05:00 · 2024-12-10 10:54:48 -05:00 · da14466ce0
commit da14466ce0
parent 26b4468b26 f78b226009
1 changed files with 22 additions and 8 deletions
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@ -203,6 +203,10 @@ fetch_apk_keys() {
 	cd - >/dev/null
 }

+find_keyfile() {
+	ls -1 "$1".alpine-*.pub 2>/dev/null | head -n 1
+}
+
 fetch_apk_static() {
 	local dest="$1"
 	local arch="$2"
@ -219,17 +223,27 @@ fetch_apk_static() {
 	fetch "$MIRROR_URL/latest-stable/main/$arch/${pkg_name}-${pkg_ver}.apk" \
 		| tar -xz -C "$dest" sbin/  # --extract --gzip --directory

-	[ -s "$dest/sbin/apk.static" ] || die 2 'apk.static not found'
+	local apk=$dest/sbin/apk.static
+	[ -s "$apk" ] || die 2 'apk.static not found'

-	local keyname=$(echo "$dest"/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
-	openssl dgst -sha1 \
-		-verify "$APK_KEYS_DIR/$keyname" \
-		-signature "$dest/sbin/apk.static.SIGN.RSA.$keyname" \
-		"$dest/sbin/apk.static" \
-		|| die 2 'Signature verification for apk.static failed'
+	local sigprefix=$apk.SIGN.RSA.sha256
+	local algorithm=sha256
+	if ! [ -s "$(find_keyfile "$sigprefix")" ]; then
+		sigprefix=${sigprefix%.*}
+		algorithm=sha1
+	fi
+	local keyfile=$(find_keyfile "$sigprefix")
+	if ! openssl dgst -$algorithm \
+		-verify "$APK_KEYS_DIR/${keyfile#$sigprefix.}" \
+		-signature "$keyfile" \
+		"$apk"; then
+
+		rm -f "$apk"
+		die 2 'Signature verification for apk.static failed'
+	fi

 	# Note: apk doesn't return 0 for --version
-	local out="$("$dest"/sbin/apk.static --version)"
+	local out=$("$apk" --version)
 	echo "$out"

 	[ "${out%% *}" = 'apk-tools' ] || die 3 'apk.static --version failed'