GitLab

This particular portion of Feature #7103 is needed immediately to improve user experience in upcoming Alpine 3.6 release.

In order to verify integrity of files extracted from apks and uniquely identify specific versions of a file, the checksum stored in the pax header

68 APK-TOOLS.checksum.SHA1=

needs to be retrieved for each file in the apk tar archive. No standard tar tool can extract this information, and using an awk script results in unreasonably long runtimes for large packages such as ‘linux-grsec’, ‘linux-firmware’, etc.

apk already reads these headers, but there is currently no way to expose that information.

Proposed functionality is export of a manifest to stdout (or optionally file) containing one line per file (with optional comments), and each line having information to uniquely identify a file by arch, package name, and full package version.

Format currently in use in kerneltool/mkimage project is

printf 'apk:%s/%s-%s\t%s:$s\t%s' $arch $pkgname $pkgver $sumtype $sum $filename

where $sumtype is the lowercase name of the checksum function, such as ‘sha1’, ‘sha512’, or ‘md5’, which, when prepended to ‘sum’, yields the appropriate command to verify the sum (i.e. ‘sha1’ ->sha1sum)

(from redmine: issue id 7104, created on 2017-04-08)