From f78b22600971d9a7569a41c00be9ad4d998d1dc5 Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen Date: Tue, 10 Dec 2024 16:04:39 +0200 Subject: [PATCH] lxc-alpine: use SHA256 signature if available to verify apk.static Signed-off-by: Kaarle Ritvanen --- templates/lxc-alpine.in | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in index 37f6248..b465ca6 100644 --- a/templates/lxc-alpine.in +++ b/templates/lxc-alpine.in @@ -203,6 +203,10 @@ fetch_apk_keys() { cd - >/dev/null } +find_keyfile() { + ls -1 "$1".alpine-*.pub 2>/dev/null | head -n 1 +} + fetch_apk_static() { local dest="$1" local arch="$2" @@ -222,10 +226,15 @@ fetch_apk_static() { local apk=$dest/sbin/apk.static [ -s "$apk" ] || die 2 'apk.static not found' - local sigprefix=$apk.SIGN.RSA. - local keyfile=$(ls -1 "$sigprefix"alpine-*.pub 2>/dev/null | head -n 1) - if ! openssl dgst -sha1 \ - -verify "$APK_KEYS_DIR/${keyfile#$sigprefix}" \ + local sigprefix=$apk.SIGN.RSA.sha256 + local algorithm=sha256 + if ! [ -s "$(find_keyfile "$sigprefix")" ]; then + sigprefix=${sigprefix%.*} + algorithm=sha1 + fi + local keyfile=$(find_keyfile "$sigprefix") + if ! openssl dgst -$algorithm \ + -verify "$APK_KEYS_DIR/${keyfile#$sigprefix.}" \ -signature "$keyfile" \ "$apk"; then