lloydpick lloydpick - 4 months ago 18
C Question

Alpine APK Package Repositories, how are the checksums calculated?

I'm trying to work out how the pull checksum for packages is calculated within Alpine APK package repositories. The documentation regarding the format is lacking in any detail.

When I run

    apk index -o APKINDEX.unsigned.tar.gz *.apk

which generates the repository, and then extract the txt file from inside the gz, it contains the following...

C:Q17KXT6xFVWz4EZDIbkcvXQ/uz9ys=
P:redis-server
V:3.2.3-0
A:noarch
S:2784844
I:102400
T:An advanced key-value store
U:http://redis.io/
L:
D:linux-headers


I'm interested in how the very first line is generated. I've tried to read the actual source that's used to generate this, but I'm not a C programmer, so it's hard for me to comprehend as it jumps all over the place.

The two files mentioned in the documentation are database.c and package.c.

In case this somewhat helps, the original APK file has these various hashes...

CRC32 = ac17ea88
MD5 = a035ecf940a67a6572ff40afad4f396a
SHA1 = eca5d3eb11555b3e0464321b91cbd743fbb3f72b
SHA256 = 24bc1f03409b0856d84758d6d44b2f04737bbc260815c525581258a5b4bf6df4

Lee Lee
Answer

So...

/* Internal container for MD5 or SHA1 */
struct apk_checksum {
    unsigned char data[20];
    unsigned char type;
};

Basically, take the C: value, chop off the Q from the front, then base64 decode. Chop off the last value (the type, which defaults to SHA1) and you have your SHA1. This appears to be made from the CONTENTS of the package, but that would take further looking into.
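Added example, not code from the answer or from apk-tools: a Python decoder for the C: field that reads it the way apk-tools' apk_blob_pull_csum does, treating the first character as the encoding (Q = base64, X = hex) and the second as the algorithm (1 = SHA1, 2 = SHA256), and rejecting anything that does not decode to a digest of the right size. It is run on the record from the question, and the decoded digest is compared with the whole-file SHA1 the question lists; the sample text and function names are constructed here.

```python
import base64
import binascii

# Constructed sample: the record shown in the question, as it appears in APKINDEX.
SAMPLE_INDEX = "C:Q17KXT6xFVWz4EZDIbkcvXQ/uz9ys=\nP:redis-server\nV:3.2.3-0\nA:noarch\n"

# Whole-file SHA1 of the .apk as listed in the question.
QUESTION_FILE_SHA1 = "eca5d3eb11555b3e0464321b91cbd743fbb3f72b"

# Algorithm selector -> (name, digest size); the table apk_blob_pull_csum switches on.
ALGOS = {"1": ("sha1", 20), "2": ("sha256", 32)}

def decode_pull_checksum(field):
    """Decode a C: value into (algorithm name, raw digest bytes).

    Char 0 is the encoding ('Q' = base64, 'X' = hex), char 1 the algorithm
    ('1' = SHA1, '2' = SHA256). Malformed input, including a wrong-sized
    digest, raises ValueError instead of returning a truncated hash.
    """
    if len(field) < 2 or field[0] not in "QX" or field[1] not in ALGOS:
        raise ValueError(f"unrecognised checksum prefix: {field[:2]!r}")
    algo, size = ALGOS[field[1]]
    try:
        if field[0] == "Q":
            raw = base64.b64decode(field[2:], validate=True)
        else:
            raw = bytes.fromhex(field[2:])
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"bad {algo} digest encoding: {exc}") from exc
    if len(raw) != size:
        raise ValueError(f"{algo} digest is {len(raw)} bytes, expected {size}")
    return algo, raw

def parse_index(text):
    """Split APKINDEX text into one {key: value} dict per blank-line-separated record."""
    records = [{}]
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            records[-1][key] = value
        elif records[-1]:
            records.append({})
    return [r for r in records if r]

def pull_checksum_matches(field, expected_hex):
    """True if the decoded C: digest equals a hex digest you computed independently."""
    return decode_pull_checksum(field)[1].hex() == expected_hex.lower()
```

For the question's package the decoded digest equals the whole-file SHA1 listed above; that this holds for packages built by other tools is an assumption to check against your own files.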