Alpine 3.13 requires file checksums embedded in the apk #288
In Alpine v3.13 they changed the warning about needing embedded checksums to an error. I am having a hard time figuring out how to store this info properly as I cannot find it documented anywhere. @tcurdt or @bhamail, do either of you know how I would go about embedding the checksums so we do not have any errors on 3.13 of Alpine?

I am not quite sure I fully understand. Is this about checksums? Or signing? (I assume signing.)

It is about the file checksums. In Alpine 3.13 installing an apk without embedded checksums throws an error.
@djgilcrease would be great if you could post the output.
Because both my original code and the version in https://github.com/goreleaser/nfpm/blob/master/apk/apk.go#L320

> support for packages without embedded checksums will be dropped in apk-tools 3.

We are creating an embedded checksum (or rather hash). That's why this issue needs more details to help.

I don't have any additional information, but I just want to comment that currently the signature is performed over the SHA1 hash of the control file. This in turn means that the signature only "protects" the package contents via the datahash in the control file. No matter what needs to be fixed for this issue, we should keep that in mind so we don't accidentally degrade the level of security that is expected from the signature (for example if the control file is signed but the datahash is moved elsewhere and thus isn't implicitly signed anymore).
From my build log, no signing, just regular apk packaging with v2.2.3. (Tell me if the log is too long so I can put it in a gist.)
Odd. I downloaded version 2.2.3 and could not yet find that error message in the code https://git.alpinelinux.org/apk-tools/tag/?h=v2.2.3

Found it 2.12.1 in

(ok, this comment crossed your comment.)

Maybe totally irrelevant, but I created a package with fpm and it did not have this issue. fpm's implementation is here.

Looking at that and this https://github.com/alpinelinux/apk-tools/blob/18b0b45b5b4e8d7be19afa1492c32abb75b9da4a/src/apk_io.h#L39 it seems like they use a custom extension to the tar format.

This can probably be fixed by adding the appropriate

It may be easier to track the function that the abuild command uses (tarhdr_checksum). abuild is the tool that Alpine uses in their howtos on how to create packages: https://github.com/alpinelinux/abuild/blob/bda277481130c1fe5040e5e0f726d118524a6ca2/abuild-tar.c#L94

Well, we need both :) For now I was just wondering where they put the checksum. Because I didn't see anything else but the
I tried switching to the PAX tar format and adding the records, but I am getting an error

```go
// Snippet as posted in the thread; package clause and imports added so it
// compiles on its own. Note the bug identified later in this thread: every
// hasher in the loop reads `file` to EOF, so only the first hasher sees the
// contents and the final io.Copy(tw, file) writes an empty body (the SHA1,
// SHA256 and SHA512 values in the output below are the digests of the empty
// string).
package main

import (
	"archive/tar"
	"crypto"
	_ "crypto/md5"
	_ "crypto/sha1"
	_ "crypto/sha256"
	_ "crypto/sha512"
	"fmt"
	"io"
	"time"
)

var supportedChecksumHash = map[crypto.Hash]string{
	crypto.MD5:    "MD5",
	crypto.SHA1:   "SHA1",
	crypto.SHA256: "SHA256",
	crypto.SHA512: "SHA512",
}

func writeFile(tw *tar.Writer, header *tar.Header, file io.Reader, doHash bool) error {
	//header.Format = tar.FormatUSTAR
	header.Format = tar.FormatPAX
	header.ChangeTime = time.Time{}
	header.AccessTime = time.Time{}
	header.PAXRecords = make(map[string]string)
	if doHash {
		for hasher, name := range supportedChecksumHash {
			if !hasher.Available() {
				continue
			}
			hash := hasher.New()
			_, err := io.Copy(hash, file)
			if err != nil {
				return err
			}
			header.PAXRecords[fmt.Sprintf("APK-TOOLS.checksum.%s", name)] = fmt.Sprintf("%x", hash.Sum(nil))
			fmt.Printf("APK-TOOLS.checksum.%s = %x\n", name, hash.Sum(nil))
		}
	}
	err := tw.WriteHeader(header)
	if err != nil {
		println("THIS IS WHERE IT ERRORS!")
		return err
	}
	_, err = io.Copy(tw, file)
	if err != nil {
		return err
	}
	return nil
}
```

```
APK-TOOLS.checksum.MD5 = 14a7f05778753dec84782c623292a5f2
APK-TOOLS.checksum.SHA1 = da39a3ee5e6b4b0d3255bfef95601890afd80709
APK-TOOLS.checksum.SHA256 = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
APK-TOOLS.checksum.SHA512 = cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
```

Digging into this more
I think the best approach is probably to reverse engineer an official package and compare.

90% sure I have it now, just finishing some local acceptance testing to verify. The issue with my code in #288 (comment) was that it was reading from the io.Reader many times, so the actual file contents were not being written :p
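The fix described above (read the file bytes once, hash them, write the same bytes, and carry the digest in a PAX record), as an added example that is not nfpm's code and not the snippet from the thread. It assumes the record name `APK-TOOLS.checksum.SHA1` used in the snippet above is the key apk-tools reads (confirm against the apk-tools and abuild sources linked in this thread), and the two file bodies are constructed sample content. It also writes the same files without the record, which is what the Alpine 3.13 error is about, and re-reads both archives to show which entries verify.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
	"time"
)

// checksumKey is the PAX record name the thread's snippet emits for SHA-1.
// Assumed here to be the key apk-tools reads; verify against apk-tools/abuild.
const checksumKey = "APK-TOOLS.checksum.SHA1"

// writeEntry writes one regular-file entry to tw. The body is read exactly once
// into memory so the digest and the archive body come from the same bytes.
// (Hashing the reader and then copying it again leaves the body empty, and
// archive/tar then fails the next WriteHeader because fewer than Size bytes
// were written.) With embed=false the entry is plain USTAR with no record.
func writeEntry(tw *tar.Writer, name string, mode int64, r io.Reader, embed bool) (string, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	sum := sha1.Sum(data)
	sumHex := hex.EncodeToString(sum[:])
	hdr := &tar.Header{
		Typeflag: tar.TypeReg,
		Name:     name,
		Mode:     mode,
		Size:     int64(len(data)),
		ModTime:  time.Unix(0, 0), // pinned so the archive bytes are reproducible
		Format:   tar.FormatUSTAR,
	}
	if embed {
		hdr.Format = tar.FormatPAX
		hdr.PAXRecords = map[string]string{checksumKey: sumHex}
	}
	if err := tw.WriteHeader(hdr); err != nil {
		return "", err
	}
	if _, err := tw.Write(data); err != nil {
		return "", err
	}
	return sumHex, nil
}

// buildArchive packs two constructed sample files into an in-memory tar and
// returns the archive plus the SHA-1 recorded for each entry. The second file
// is the "abc" test vector so its digest can be checked by hand.
func buildArchive(embed bool) ([]byte, map[string]string, error) {
	files := []struct{ name, body string }{
		{"usr/bin/hello", "#!/bin/sh\necho hello\n"},
		{"etc/abc.txt", "abc"},
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	sums := map[string]string{}
	for _, f := range files {
		sum, err := writeEntry(tw, f.name, 0644, strings.NewReader(f.body), embed)
		if err != nil {
			return nil, nil, err
		}
		sums[f.name] = sum
	}
	if err := tw.Close(); err != nil {
		return nil, nil, err
	}
	return buf.Bytes(), sums, nil
}

// verifyArchive re-reads a tar stream and, for each regular file, recomputes the
// SHA-1 of the body and compares it with the PAX record. A missing record or a
// mismatch is reported as false.
func verifyArchive(r io.Reader) (map[string]bool, error) {
	tr := tar.NewReader(r)
	results := map[string]bool{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return results, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		h := sha1.New()
		if _, err := io.Copy(h, tr); err != nil {
			return nil, err
		}
		want, ok := hdr.PAXRecords[checksumKey] // nil map for USTAR entries: ok=false
		results[hdr.Name] = ok && want == hex.EncodeToString(h.Sum(nil))
	}
}

func main() {
	for _, embed := range []bool{true, false} {
		archive, sums, err := buildArchive(embed)
		if err != nil {
			panic(err)
		}
		results, err := verifyArchive(bytes.NewReader(archive))
		if err != nil {
			panic(err)
		}
		for name, sum := range sums {
			fmt.Printf("embed=%v %-14s sha1=%s verified=%v\n", embed, name, sum, results[name])
		}
	}
}
```

This only covers the per-file record inside the tar stream; whether apk-tools also wants MD5 for older versions, and how the control section's datahash and the signature relate to it (see the comment above about what the signature actually covers), is not addressed here.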
The root cause for 284 was an update to alpine 3.13 which causes the apks built with nfpm to fail since we are not embedding the file checksums in the apk.
I am currently researching where and how to embed these values, but so far have had no luck in finding where this is documented.