pmb.chroot.apk_static: use sha256 sig for verification (MR 2465)

Folks using pmb v2 on Fedora and other distros that disabled sha1 in openssl will need this in order to run pmb successfully. Backported from 7a299b3f

pmb.chroot.apk_static: use sha256 sig for verification (MR 2465)
5af1645b · Clayton Craft · a86b7a30 · 5af1645b · 5af1645b
Unverified Commit 5af1645b authored 6 months ago by Clayton Craft
--- a/pmb/chroot/apk_static.py
+++ b/pmb/chroot/apk_static.py
@@ -25,7 +25,7 @@ def read_signature_info(tar):
    :returns: (sigfilename, sigkey_path)
    """
    # Get signature filename and key
-    prefix = "sbin/apk.static.SIGN.RSA."
+    prefix = "sbin/apk.static.SIGN.RSA.sha256."
    sigfilename = None
    for filename in tar.getnames():
        if filename.startswith(prefix):
@@ -85,7 +85,7 @@ def verify_signature(args, files, sigkey_path):
    """
    logging.debug(f"Verify apk.static signature with {sigkey_path}")
    try:
-        pmb.helpers.run.user(args, ["openssl", "dgst", "-sha1", "-verify",
+        pmb.helpers.run.user(args, ["openssl", "dgst", "-sha256", "-verify",
                                    sigkey_path, "-signature", files[
                                        "sig"]["temp_path"],
                                    files["apk"]["temp_path"]])

--- a/test/test_apk_static.py
+++ b/test/test_apk_static.py
@@ -44,9 +44,9 @@ def test_read_signature_info(args):
    # Signature file with invalid name
    pmb.chroot.user(args, ["mkdir", "-p", tmp_path + "/sbin"])
    pmb.chroot.user(args, ["cp", "/etc/issue", tmp_path +
-                           "/sbin/apk.static.SIGN.RSA.invalid.pub"])
+                           "/sbin/apk.static.SIGN.RSA.sha256.invalid.pub"])
    pmb.chroot.user(args, ["tar", "-czf", tmp_path + "/invalid_sig.apk",
-                           "sbin/apk.static.SIGN.RSA.invalid.pub"],
+                           "sbin/apk.static.SIGN.RSA.sha256.invalid.pub"],
                    working_dir=tmp_path)
    with tarfile.open(tmp_path_outside + "/invalid_sig.apk", "r:gz") as tar:
        with pytest.raises(RuntimeError) as e:
@@ -56,9 +56,9 @@ def test_read_signature_info(args):
    # Signature file with realistic name
    path = glob.glob(pmb.config.apk_keys_path + "/*.pub")[0]
    name = os.path.basename(path)
-    path_archive = "sbin/apk.static.SIGN.RSA." + name
+    path_archive = "sbin/apk.static.SIGN.RSA.sha256." + name
    pmb.chroot.user(args, ["mv",
-                           f"{tmp_path}/sbin/apk.static.SIGN.RSA.invalid.pub",
+                           f"{tmp_path}/sbin/apk.static.SIGN.RSA.sha256.invalid.pub",
                           f"{tmp_path}/{path_archive}"])
    pmb.chroot.user(args, ["tar", "-czf", tmp_path + "/realistic_name_sig.apk",
                           path_archive], working_dir=tmp_path)