Verifying APK Signatures on Non-Alpine System
#1
Mon, 2016-01-18 16:40
joejob
-
- Offline
- 2 years 2 months ago
- 2016-01-18
I'm having a problem verifying the signature of an APK on a non-Alpine system. As part of a bootstraping process I wish to verify that the alpine-keys package is signed with a known key, but I'm unable to produce the data.tar from the APK such that it can be verified with the signature included in the APK. I believe my crypto is correct because for the apk-tools-static APK, where the binary is signed independently of the data.tar section, the verification succeeds. Thus, my problem is extracting the correct parts of the tar in the correct order. Any hints? :-)
I guess if you can not running
apk-static verifyat bootstraping, have to following package format and write some code to do that (declare: I'm new Alpine user)http://wiki.alpinelinux.org/wiki/Alpine_package_format
Maybe you can use a different approach, take a look at https://github.com/lxc/lxc/blob/master/templates/lxc-alpine.in#L185-L191 for inspiration.
tl;dr fetch keys from http://alpinelinux.org/keys and verify checksums against locally provided checksums.
I am very new user of alpinelinux. I have serious problem. I am not able to download *.ASC file in "download section".
The checksums are O.K. But I want to verify signature. I use Firefox always the latest versions.
I have find these links, when I click on *.ASC files in "download sections"
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/alpine/alpine/v3.3/releases/x86_64/alpine-extended-3.3.3-x86_64.iso.asc
http://dl-3.alpinelinux.org/alpine/v3.3/releases/armhf/alpine-rpi-3.3.3-armhf.rpi.tar.gz.asc
http://dl-3.alpinelinux.org/alpine/v3.3/releases/armhf/alpine-uboot-3.3.3-armhf.tar.gz.asc
Kindly please repair it.