[subset of #7103] Extract manifest of pax checksum headers vs. files for apks to stdout. (#7104) · Issues · alpine / apk-tools

[subset of #7103] Extract manifest of pax checksum headers vs. files for apks to stdout.

This particular portion of Feature #7103 is needed immediately to improve user experience in upcoming Alpine 3.6 release.

In order to verify integrity of files extracted from apks and uniquely identify specific versions of a file, the checksum stored in the pax header

68 APK-TOOLS.checksum.SHA1=

needs to be retrieved for each file in the apk tar archive. No standard tar tool can extract this information, and using an awk script results in unreasonably long runtimes for large packages such as ‘linux-grsec’, ‘linux-firmware’, etc.

apk already reads these headers, but there is currently no way to expose that information.

Proposed functionality is export of a manifest to stdout (or optionally file) containing one line per file (with optional comments), and each line having information to uniquely identify a file by arch, package name, and full package version.

Format currently in use in kerneltool/mkimage project is

printf 'apk:%s/%s-%s\t%s:$s\t%s' $arch $pkgname $pkgver $sumtype $sum $filename

where $sumtype is the lowercase name of the checksum function, such as ‘sha1’, ‘sha512’, or ‘md5’, which, when prepended to ‘sum’, yields the appropriate command to verify the sum (i.e. ‘sha1’ ->sha1sum)

(from redmine: issue id 7104, created on 2017-04-08)

This particular portion of Feature \#7103 is needed immediately to
improve user experience in upcoming Alpine 3.6 release.

In order to verify integrity of files extracted from apks and uniquely
identify specific versions of a file, the checksum stored in the pax
header

68 APK-TOOLS.checksum.SHA1=

needs to be retrieved for each file in the apk tar archive. No standard
tar tool can extract this information, and using an awk script results
in unreasonably long runtimes for large packages such as ‘linux-grsec’,
‘linux-firmware’, etc.

apk already reads these headers, but there is currently no way to expose
that information.

Proposed functionality is export of a manifest to stdout (or optionally
file) containing one line per file (with optional comments), and each
line having information to uniquely identify a file by arch, package
name, and full package version.

Format currently in use in kerneltool/mkimage project is

printf 'apk:%s/%s-%s\t%s:$s\t%s' $arch $pkgname $pkgver $sumtype $sum $filename

where $sumtype is the lowercase name of the checksum function, such as
‘sha1’, ‘sha512’, or ‘md5’, which, when prepended to ‘sum’, yields the
appropriate command to verify the sum (i.e. ‘sha1’ ->sha1sum)

*(from redmine: issue id 7104, created on 2017-04-08)*

Discussion
Designs