aports/main/lxc-templates-legacy/0006-lxc-alpine-use-SHA256-signature-if-available.patch

From e0b1809005c083ef1a2ce2351f488cfa1bf11cb1 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen <kunkku@alpinelinux.org>
Date: Tue, 10 Dec 2024 16:04:39 +0200
Subject: [PATCH 06/11] lxc-alpine: use SHA256 signature if available

to verify apk.static

Signed-off-by: Kaarle Ritvanen <kunkku@alpinelinux.org>
---
 templates/lxc-alpine.in | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 37f6248..b465ca6 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -203,6 +203,10 @@ fetch_apk_keys() {
 	cd - >/dev/null
 }
 
+find_keyfile() {
+	ls -1 "$1".alpine-*.pub 2>/dev/null | head -n 1
+}
+
 fetch_apk_static() {
 	local dest="$1"
 	local arch="$2"
@@ -222,10 +226,15 @@ fetch_apk_static() {
 	local apk=$dest/sbin/apk.static
 	[ -s "$apk" ] || die 2 'apk.static not found'
 
-	local sigprefix=$apk.SIGN.RSA.
-	local keyfile=$(ls -1 "$sigprefix"alpine-*.pub 2>/dev/null | head -n 1)
-	if ! openssl dgst -sha1 \
-		-verify "$APK_KEYS_DIR/${keyfile#$sigprefix}" \
+	local sigprefix=$apk.SIGN.RSA.sha256
+	local algorithm=sha256
+	if ! [ -s "$(find_keyfile "$sigprefix")" ]; then
+		sigprefix=${sigprefix%.*}
+		algorithm=sha1
+	fi
+	local keyfile=$(find_keyfile "$sigprefix")
+	if ! openssl dgst -$algorithm \
+		-verify "$APK_KEYS_DIR/${keyfile#$sigprefix.}" \
 		-signature "$keyfile" \
 		"$apk"; then
 
-- 
2.47.1