templates/lxc-alpine.in

@@ -203,10 +203,6 @@ fetch_apk_keys() {
 	cd - >/dev/null
 }
 
-find_keyfile() {
-	ls -1 "$1".alpine-*.pub 2>/dev/null | head -n 1
-}
-
 fetch_apk_static() {
 	local dest="$1"
 	local arch="$2"
@@ -223,27 +219,17 @@ fetch_apk_static() {
 	fetch "$MIRROR_URL/latest-stable/main/$arch/${pkg_name}-${pkg_ver}.apk" \
 		| tar -xz -C "$dest" sbin/  # --extract --gzip --directory
 
-	local apk=$dest/sbin/apk.static
-	[ -s "$apk" ] || die 2 'apk.static not found'
+	[ -s "$dest/sbin/apk.static" ] || die 2 'apk.static not found'
 
-	local sigprefix=$apk.SIGN.RSA.sha256
-	local algorithm=sha256
-	if ! [ -s "$(find_keyfile "$sigprefix")" ]; then
-		sigprefix=${sigprefix%.*}
-		algorithm=sha1
-	fi
-	local keyfile=$(find_keyfile "$sigprefix")
-	if ! openssl dgst -$algorithm \
-		-verify "$APK_KEYS_DIR/${keyfile#$sigprefix.}" \
-		-signature "$keyfile" \
-		"$apk"; then
-
-		rm -f "$apk"
-		die 2 'Signature verification for apk.static failed'
-	fi
+	local keyname=$(echo "$dest"/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
+	openssl dgst -sha1 \
+		-verify "$APK_KEYS_DIR/$keyname" \
+		-signature "$dest/sbin/apk.static.SIGN.RSA.$keyname" \
+		"$dest/sbin/apk.static" \
+		|| die 2 'Signature verification for apk.static failed'
 
 	# Note: apk doesn't return 0 for --version
-	local out=$("$apk" --version)
+	local out="$("$dest"/sbin/apk.static --version)"
 	echo "$out"
 
 	[ "${out%% *}" = 'apk-tools' ] || die 3 'apk.static --version failed'