1
0
mirror of https://github.com/lxc/lxc-templates.git synced 2024-12-22 14:30:31 +00:00

Compare commits

...

5 Commits

Author SHA1 Message Date
Stéphane Graber
da14466ce0
Merge pull request #68 from kunkku/fix-apk-static
lxc-alpine: Improve integrity checking of static package manager
2024-12-10 10:54:48 -05:00
Kaarle Ritvanen
f78b226009 lxc-alpine: use SHA256 signature if available
to verify apk.static

Signed-off-by: Kaarle Ritvanen <kunkku@alpinelinux.org>
2024-12-10 17:19:27 +02:00
Kaarle Ritvanen
4908667cc3 lxc-alpine: remove unverified apk.static
to prevent its execution on the next run

Signed-off-by: Kaarle Ritvanen <kunkku@alpinelinux.org>
2024-12-10 17:19:27 +02:00
Kaarle Ritvanen
7ff9ef0c48 lxc-alpine: more specific SHA1 sig file match
that avoids matching the SHA256 file

Signed-off-by: Kaarle Ritvanen <kunkku@alpinelinux.org>
2024-12-10 17:19:27 +02:00
Kaarle Ritvanen
7c3b65b0ef lxc-alpine: variable for apk.static path
Signed-off-by: Kaarle Ritvanen <kunkku@alpinelinux.org>
2024-12-10 17:19:27 +02:00

View File

@ -203,6 +203,10 @@ fetch_apk_keys() {
cd - >/dev/null
}
find_keyfile() {
ls -1 "$1".alpine-*.pub 2>/dev/null | head -n 1
}
fetch_apk_static() {
local dest="$1"
local arch="$2"
@ -219,17 +223,27 @@ fetch_apk_static() {
fetch "$MIRROR_URL/latest-stable/main/$arch/${pkg_name}-${pkg_ver}.apk" \
| tar -xz -C "$dest" sbin/ # --extract --gzip --directory
[ -s "$dest/sbin/apk.static" ] || die 2 'apk.static not found'
local apk=$dest/sbin/apk.static
[ -s "$apk" ] || die 2 'apk.static not found'
local keyname=$(echo "$dest"/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
openssl dgst -sha1 \
-verify "$APK_KEYS_DIR/$keyname" \
-signature "$dest/sbin/apk.static.SIGN.RSA.$keyname" \
"$dest/sbin/apk.static" \
|| die 2 'Signature verification for apk.static failed'
local sigprefix=$apk.SIGN.RSA.sha256
local algorithm=sha256
if ! [ -s "$(find_keyfile "$sigprefix")" ]; then
sigprefix=${sigprefix%.*}
algorithm=sha1
fi
local keyfile=$(find_keyfile "$sigprefix")
if ! openssl dgst -$algorithm \
-verify "$APK_KEYS_DIR/${keyfile#$sigprefix.}" \
-signature "$keyfile" \
"$apk"; then
rm -f "$apk"
die 2 'Signature verification for apk.static failed'
fi
# Note: apk doesn't return 0 for --version
local out="$("$dest"/sbin/apk.static --version)"
local out=$("$apk" --version)
echo "$out"
[ "${out%% *}" = 'apk-tools' ] || die 3 'apk.static --version failed'