mirror of
https://github.com/lxc/lxc-templates.git
synced 2024-12-21 22:10:13 +00:00
lxc-alpine: use SHA256 signature if available to verify apk.static

Signed-off-by: Kaarle Ritvanen <kunkku@alpinelinux.org>
parent
4908667cc3
commit
f78b226009
@ -203,6 +203,10 @@ fetch_apk_keys() {
|
||||
cd - >/dev/null
|
||||
}
|
||||
|
||||
find_keyfile() {
|
||||
ls -1 "$1".alpine-*.pub 2>/dev/null | head -n 1
|
||||
}
|
||||
|
||||
fetch_apk_static() {
|
||||
local dest="$1"
|
||||
local arch="$2"
|
||||
@ -222,10 +226,15 @@ fetch_apk_static() {
|
||||
local apk=$dest/sbin/apk.static
|
||||
[ -s "$apk" ] || die 2 'apk.static not found'
|
||||
|
||||
local sigprefix=$apk.SIGN.RSA.
|
||||
local keyfile=$(ls -1 "$sigprefix"alpine-*.pub 2>/dev/null | head -n 1)
|
||||
if ! openssl dgst -sha1 \
|
||||
-verify "$APK_KEYS_DIR/${keyfile#$sigprefix}" \
|
||||
local sigprefix=$apk.SIGN.RSA.sha256
|
||||
local algorithm=sha256
|
||||
if ! [ -s "$(find_keyfile "$sigprefix")" ]; then
|
||||
sigprefix=${sigprefix%.*}
|
||||
algorithm=sha1
|
||||
fi
|
||||
local keyfile=$(find_keyfile "$sigprefix")
|
||||
if ! openssl dgst -$algorithm \
|
||||
-verify "$APK_KEYS_DIR/${keyfile#$sigprefix.}" \
|
||||
-signature "$keyfile" \
|
||||
"$apk"; then
|
||||
|
||||
|
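Review bot: In the second hunk of fetch_apk_static, the fallback to SHA-1 is taken silently whenever no `.SIGN.RSA.sha256.alpine-*.pub` file sits next to apk.static, so the digest strength is decided by which signature files arrived with the binary (presumably unpacked from the same download) rather than by policy. Verification should still fail closed when neither signature exists, since an empty `keyfile` leaves `openssl dgst` without a usable key or signature, but a package carrying only the older signature is accepted without any trace. A line such as `echo "apk.static: no SHA256 signature found, verifying with SHA1" >&2` inside the `if` that sets `algorithm=sha1` would make the weaker path visible in logs. Separately, `${keyfile#$sigprefix.}` uses `$sigprefix` as an unquoted pattern, so glob characters in `$dest` would change what is stripped; `${keyfile#"$sigprefix".}` avoids that. The body of fetch_apk_static starts and ends outside the visible hunks.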