Difference between revisions of "Apkindex format"

From Alpine Linux
(note about who the doc is intended for)
m
Line 6: Line 6:
 
The APKINDEX.tar.gz is created by concatenating 2 other tar.gz files, signature.tar.gz and APKINDEX.unsigned.tar.gz.
 
The APKINDEX.tar.gz is created by concatenating 2 other tar.gz files, signature.tar.gz and APKINDEX.unsigned.tar.gz.
  
cat signature.tar.gz APKINDEX.unsigned.tar.gz > APKINDEX.tar.gz
+
{{Cmd|cat signature.tar.gz APKINDEX.unsigned.tar.gz > APKINDEX.tar.gz}}
  
 
=== Creating signature.tar.gz ===
 
=== Creating signature.tar.gz ===
 
First we create a signature file for APKINDEX.unsigned.tar.gz, using our [[Creating_keys_for_package_signing|private key]].
 
First we create a signature file for APKINDEX.unsigned.tar.gz, using our [[Creating_keys_for_package_signing|private key]].
openssl dgst -sha1 -sign ''privatekeyfile'' -out .SIGN.RSA.''nameofpublickey'' APKINDEX.unsigned.tar.gz
+
{{Cmd|openssl dgst -sha1 -sign ''privatekeyfile'' -out .SIGN.RSA.''nameofpublickey'' APKINDEX.unsigned.tar.gz}}
  
 
Then we put this in a tar file, without the ''end-of-tar'' record at the end of the file. This is because we will concatenate this tar archive with the index tar archive.
 
Then we put this in a tar file, without the ''end-of-tar'' record at the end of the file. This is because we will concatenate this tar archive with the index tar archive.
 +
 
  tar -c .SIGN.RSA.''nameofpublickey'' | abuild-tar --cut | gzip -9 > signature.tar.gz
 
  tar -c .SIGN.RSA.''nameofpublickey'' | abuild-tar --cut | gzip -9 > signature.tar.gz
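Review bot: The `tar -c ... | abuild-tar --cut | gzip -9` line at the end of this hunk stays a space-indented block while the `cat` and `openssl dgst` commands move into {{Cmd|...}}, so the section now mixes two command styles. If the line is converted as well, its two `|` characters need escaping, because an unescaped pipe inside a template call is read as a parameter separator. If it is left as is on purpose, a short edit summary saying so would help the next editor.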
  
Line 20: Line 21:
 
The APKINDEX.unsigned.tar.gz is an old 1.9 style index file in a tar archive. This is created with:
 
The APKINDEX.unsigned.tar.gz is an old 1.9 style index file in a tar archive. This is created with:
  
<pre>apk index -o APKINDEX.unsigned.tar.gz *.apk</pre>
+
{{Cmd|apk index -o APKINDEX.unsigned.tar.gz *.apk}}

Revision as of 02:31, 24 June 2011

The APKINDEX.tar.gz format

Support for package signing was added in apk-tools-2.0_pre15. This caused the index format to change, as it needs to contain a signature for the repository. This document explains how the new index works and how it is created. This is intended to be a reference for abuild developers. Other developers should use the tools provided by abuild.

Creating APKINDEX.tar.gz

The APKINDEX.tar.gz is created by concatenating 2 other tar.gz files, signature.tar.gz and APKINDEX.unsigned.tar.gz.

cat signature.tar.gz APKINDEX.unsigned.tar.gz > APKINDEX.tar.gz

Creating signature.tar.gz

First we create a signature file for APKINDEX.unsigned.tar.gz, using our private key.

openssl dgst -sha1 -sign privatekeyfile -out .SIGN.RSA.nameofpublickey APKINDEX.unsigned.tar.gz

Then we put this in a tar file, without the end-of-tar record at the end of the file. This is because we will concatenate this tar archive with the index tar archive.

tar -c .SIGN.RSA.nameofpublickey | abuild-tar --cut | gzip -9 > signature.tar.gz

The name of the public key should be the email address of the developer.

Creating APKINDEX.unsigned.tar.gz

The APKINDEX.unsigned.tar.gz is an old 1.9 style index file in a tar archive. This is created with:

apk index -o APKINDEX.unsigned.tar.gz *.apk
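The layout described above can be taken apart again on the consuming side. The following is an added example, not code from apk-tools or abuild: it splits a signed APKINDEX.tar.gz into its two gzip members and returns the key name, the signature, and the exact bytes the signature covers. The function names, the `dev@example.org` key name and the sample data are constructed for illustration.

```python
import gzip, io, tarfile, zlib

PREFIX = ".SIGN.RSA."

def split_apkindex(blob):
    """Return (key_name, signature, signed_bytes) from a signed APKINDEX.tar.gz."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ means: expect a gzip header
    sig_tar = d.decompress(blob) + d.flush()      # stops at the end of member 1
    if not d.eof:
        raise ValueError("first gzip member is truncated")
    signed = d.unused_data                        # member 2, byte for byte as signed
    if not signed:
        raise ValueError("only one gzip member: index carries no signature")
    # The signature tar has no end-of-tar record; tarfile stops cleanly at EOF.
    with tarfile.open(fileobj=io.BytesIO(sig_tar), mode="r:") as tf:
        members = tf.getmembers()
        if len(members) != 1 or not members[0].name.startswith(PREFIX):
            raise ValueError("first member is not a lone .SIGN.RSA.* file")
        sig = tf.extractfile(members[0]).read()
    return members[0].name[len(PREFIX):], sig, signed

def make_sample():
    """Constructed sample: placeholder signature bytes and a one-line index."""
    sig = b"\x01" * 256                           # NOT a real RSA signature
    ti = tarfile.TarInfo(PREFIX + "dev@example.org")
    ti.size = len(sig)
    # Header + data + padding, with the end-of-tar record left off (the "cut" form).
    cut_tar = ti.tobuf(tarfile.USTAR_FORMAT) + sig + b"\0" * (-len(sig) % 512)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        idx = tarfile.TarInfo("APKINDEX")
        idx.size = 4
        tf.addfile(idx, io.BytesIO(b"P:x\n"))
    unsigned = buf.getvalue()                     # stands in for APKINDEX.unsigned.tar.gz
    return gzip.compress(cut_tar) + unsigned, sig, unsigned

if __name__ == "__main__":
    blob, _, _ = make_sample()
    name, sig, signed = split_apkindex(blob)
    print(name, len(sig), len(signed))
```

The signature is checked against the compressed second member, not the unpacked index: write `signed` and `sig` to files and run `openssl dgst -sha1 -verify` with the matching public key and `-signature` pointing at the signature file.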