Open hans-lammda opened 1 year ago
Two issues in the current implementation.
$ podman run -i -t -v "$(CWD)/tool/pki:/etc/apk/keys" -v "$(CWD)/product/apk.fx/:/download" alpine_sandbox_base_os:3.16.1
All public repo keys from Alpine's repositories could be removed and replaced by the public signing key generated by openssl.
iafw.rsa.pub
```
/ # apk add openssl-dbg
..
(1/1) Installing openssl-dbg (1.1.1v-r0)
OK: 21 MiB in 26 packages
```

```
$(CWD)/product/apk.fx/
└── v3.16
    ├── community
    └── main
        └── x86_64
            ├── agetty-openrc-0.44.10-r7.apk
            ├── alpine-baselayout-3.2.0-r23.apk
            ├── alpine-baselayout-data-3.2.0-r23.apk
            ├── alpine-conf-3.14.6-r1.apk
            ├── APKINDEX.tar.gz
```
In the current implementation there is some code that allows import of keys. It is not completed.
Command that generates and installs keys
abuild-keygen -a -n -q -i
Shell script that wraps openssl
/usr/bin/abuild-keygen
Rule that generates keys externally, and then integrates with Alpine.
```
keygen:
	mkdir -p $(CWD)/tool/pki
	openssl genrsa -out $(CWD)/tool/pki/iafw.rsa 1024
	openssl rsa -in $(CWD)/tool/pki/iafw.rsa -pubout > $(CWD)/tool/pki/iafw.rsa.pub
	chmod 755 -R $(CWD)/tool/pki
```
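
An added example, not part of the original issue or the project's code: a hardened variant of the `keygen` rule above. The rule writes the private key `iafw.rsa` into the same directory that the `podman run` line mounts at `/etc/apk/keys`, with mode 755 and a 1024-bit modulus; this sketch separates the two keys, refuses RSA keys under 2048 bits, and checks the mount directory before use. The `private/` and `keys/` subdirectories and both function names are assumptions.

```shell
#!/bin/sh
# Added example. Layout (assumed): PKI_DIR/private/NAME     -> signing key, mode 600
#                                  PKI_DIR/keys/NAME.pub    -> public key, mode 644
# Only PKI_DIR/keys is meant to be mounted at /etc/apk/keys (ideally with :ro).

# gen_repo_key PKI_DIR NAME [BITS]
gen_repo_key() {
    pki_dir=$1; name=$2; bits=${3:-4096}
    if [ "$bits" -lt 2048 ]; then
        echo "refusing RSA key shorter than 2048 bits" >&2
        return 1
    fi
    mkdir -p "$pki_dir/keys" "$pki_dir/private" || return 1
    chmod 700 "$pki_dir/private" || return 1
    (
        umask 077   # the private key file is created owner-only
        openssl genrsa -out "$pki_dir/private/$name" "$bits" 2>/dev/null
    ) || return 1
    openssl rsa -in "$pki_dir/private/$name" -pubout \
        -out "$pki_dir/keys/$name.pub" 2>/dev/null || return 1
    chmod 600 "$pki_dir/private/$name" || return 1
    chmod 644 "$pki_dir/keys/$name.pub" || return 1
}

# check_keys_dir DIR
# Fails if the directory that will be mounted into the container holds
# private key material (PEM header containing "PRIVATE KEY").
check_keys_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -q -e 'PRIVATE KEY' "$f"; then
            echo "private key material in mount dir: $f" >&2
            return 1
        fi
    done
    return 0
}

# Usage (paths follow the issue's tool/pki directory):
#   gen_repo_key ./tool/pki iafw.rsa && check_keys_dir ./tool/pki/keys
```

With this layout the volume argument would point at `tool/pki/keys` instead of `tool/pki`, so the signing key never enters the container.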