If the package manager, apk-tools is missing, then:
- download a static binary and public keys
- verify the keys against embedded checksum
- verify the signature of the static binary against the downloaded keys
- use the verified static binary
Signed-off-by: Natanael Copa <nc...@alpinelinux.org>
Signed-off-by: Kaarle Ritvanen <kaarle.ritva...@datakunkku.fi>
---
Changes since v1:
- verify signature of static binary
templates/lxc-alpine.in | 56 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 54 insertions(+), 2 deletions(-)
diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 6180afd..cdf2743 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -1,10 +1,56 @@
#!/bin/sh
+key_sha256sums="9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4
alpine-de...@lists.alpinelinux.org-4a6a0840.rsa.pub
+2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab
alpine-de...@lists.alpinelinux.org-4d07755e.rsa.pub"
+
+get_static_apk () {
+ rootfs="$1"
+ echo "Using static apk from $repository/$apk_arch"
+ wget="wget -q -O - $repository/$apk_arch"
+
+ # parse APKINDEX to find the current versions
+ static_pkgs=$($wget/APKINDEX.tar.gz | \
+ tar -Oxz APKINDEX | \
+ awk -F: -v pkglist="alpine-keys:apk-tools-static" '
+ BEGIN { split(pkglist,pkg) }
+ $0 != "" { f[$1] = $2 }
+ $0 == "" { for (i in pkg)
+ if (pkg[i] == f["P"])
+ print(f["P"] "-" f["V"] ".apk") }')
+ [ "$static_pkgs" ] || return 1
+
+ mkdir -p "$rootfs" || return 1
+ for pkg in $static_pkgs; do
+ echo "Downloading $pkg"
+ $wget/$pkg | tar -xz -C "$rootfs"
+ done
+
+ # clean up .apk meta files
+ rm -f "$rootfs"/.[A-Z]*
+
+ # verify checksum of the key
+ keyname=$(echo $rootfs/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
+ checksum=$(echo "$key_sha256sums" | grep -w "$keyname")
+ if [ -z "$checksum" ]; then
+ echo "ERROR: checksum is missing for $keyname"
+ return 1
+ fi
+ (cd $rootfs/etc/apk/keys && echo "$checksum" | sha256sum -c -) || return 1
+
+ # verify the static apk binary signature
+ APK=$rootfs/sbin/apk.static
+ openssl dgst -verify $rootfs/etc/apk/keys/$keyname \
+ -signature "$APK.SIGN.RSA.$keyname" "$APK" || return 1
+}
+
install_alpine() {
rootfs="$1"
shift
mkdir -p "$rootfs"/etc/apk || return 1
- cp -r ${keys_dir:-/etc/apk/keys} "$rootfs"/etc/apk/
+ : ${keys_dir:=/etc/apk/keys}
+ if ! [ -d "$rootfs"/etc/apk/keys ] && [ -d "$keys_dir" ]; then
+ cp -r "$keys_dir" "$rootfs"/etc/apk/keys
+ fi
if [ -n "$repository" ]; then
echo "$repository" > "$rootfs"/etc/apk/repositories
else
@@ -14,7 +60,7 @@ install_alpine() {
if [ -n "$apk_arch" ]; then
opt_arch="--arch $apk_arch"
fi
- ${APK:-apk} add -U --initdb --root $rootfs $opt_arch "$@" alpine-base
+ $APK add -U --initdb --root $rootfs $opt_arch "$@" alpine-base
}
configure_alpine() {
@@ -167,6 +213,7 @@ optarg_check() {
}
default_path=@LXCPATH@
+arch=$(uname -m)
while [ $# -gt 0 ]; do
opt="$1"
@@ -243,6 +290,11 @@ case "$arch" in
*) die "unsupported architecture: $arch";;
esac
+: ${APK:=apk}
+if ! which $APK >/dev/null; then
+ get_static_apk "$rootfs" || die "Failed to download a valid static apk"
+fi
+
install_alpine "$rootfs" "$@" || die "Failed to install rootfs for $name"
configure_alpine "$rootfs" "$name" || die "Failed to configure $name"
copy_configuration "$path" "$rootfs" "$name"
--
1.8.3
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
