The APKINDEX.tar.gz format
From apk-tools-2.0_pre15 there was added support for package signing. This caused the index format to change, as it needs to contain a signature for the repository. This document explains how the new index works and how it is created. This is intended to be a reference for abuild developers. Other developers should use the tools provided from abuild.
The APKINDEX.tar.gz is created by concatenating 2 other tar.gz files, signature.tar.gz and APKINDEX.unsigned.tar.gz.
Creating signature.tar.gz Manually
First we create a signature file for APKINDEX.unsigned.tar.gz, using our private key.
Then we put this in a tar file, without the end-of-tar record at the end of the file. This is because we will concatenate this tar archive with the index tar archive.
tar -c .SIGN.RSA.nameofpublickey | abuild-tar --cut | gzip -9 > signature.tar.gz
The name of public key should be the email address of the developer.
The APKINDEX.unsigned.tar.gz is an old 1.9 style index file in a tar archive. This is created with:
Without a signature apk-tools will not trust the index file and will require the --allow-untrusted flag for all operations involving the index. To sign an index requires a key, if you don't already have a key the easiest way to generate one is to use the abuild-keygen command like so:
It will prompt you for a filename to save the keypair. Enter file in which to save the key. The standard practice for naming the key is to use your email address or the email address of a maintainer's mailing list as a prefix for the filename of the keypair followed by an alphanumeric suffix, which is generated by the abuild-keygen tool.
For this example, we will use firstname.lastname@example.org which will create the email@example.com and firstname.lastname@example.org keypair and copy the public key to /etc/apk/keys/. Make sure you keep a copy of your private key somewhere safe because you will need it if you add any packages to the repo in the future since you will need to re-sign the updated index.
Finally, sign the index. Ensure that you provide the full path to the private key or abuild-sign will not be able to find it.
For hosts to trust this index ensure that the public component of the key you generated exists in their /etc/apk/keys directory.