Verifying APK Signatures on Non-Alpine System

4 posts / 0 new
Last post
#1 Mon, 2016-01-18 16:40
joejob
  • joejob's picture
  • Offline
  • Last seen: 2 years 2 months ago
  • Joined: 2016-01-18

I'm having a problem verifying the signature of an APK on a non-Alpine system. As part of a bootstraping process I wish to verify that the alpine-keys package is signed with a known key, but I'm unable to produce the data.tar from the APK such that it can be verified with the signature included in the APK. I believe my crypto is correct because for the apk-tools-static APK, where the binary is signed independently of the data.tar section, the verification succeeds. Thus, my problem is extracting the correct parts of the tar in the correct order. Any hints? :-)

Sun, 2016-02-14 03:32
Eric-Guo
  • Eric-Guo's picture
  • Offline
  • Last seen: 2 years 3 weeks ago
  • Joined: 2016-02-13

I guess if you can not running apk-static verify at bootstraping, have to following package format and write some code to do that (declare: I'm new Alpine user)

http://wiki.alpinelinux.org/wiki/Alpine_package_format

Mon, 2016-03-28 23:39
jirutka
  • jirutka's picture
  • Offline
  • Last seen: 2 years 3 days ago
  • Joined: 2016-03-28

Maybe you can use a different approach, take a look at https://github.com/lxc/lxc/blob/master/templates/lxc-alpine.in#L185-L191 for inspiration.
tl;dr fetch keys from http://alpinelinux.org/keys and verify checksums against locally provided checksums.

Tue, 2016-03-29 14:51
Roob
  • Roob's picture
  • Offline
  • Last seen: 2 years 2 days ago
  • Joined: 2016-03-29

I am very new user of alpinelinux. I have serious problem. I am not able to download *.ASC file in "download section".
The checksums are O.K. But I want to verify signature. I use Firefox always the latest versions.
I have find these links, when I click on *.ASC files in "download sections"
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/alpine/alpine/v3.3/releases/x86_64/alpine-extended-3.3.3-x86_64.iso.asc
http://dl-3.alpinelinux.org/alpine/v3.3/releases/armhf/alpine-rpi-3.3.3-armhf.rpi.tar.gz.asc
http://dl-3.alpinelinux.org/alpine/v3.3/releases/armhf/alpine-uboot-3.3.3-armhf.tar.gz.asc
Kindly please repair it.

Log in or register to post comments