lxc-alpine: use SHA256 signature if available

to verify apk.static

Signed-off-by: Kaarle Ritvanen <[email protected]>

templates/lxc-alpine.in

@@ -203,6 +203,10 @@ fetch_apk_keys() {
 	cd - >/dev/null
 }
 
+find_keyfile() {
+	ls -1 "$1".alpine-*.pub 2>/dev/null | head -n 1
+}
+
 fetch_apk_static() {
 	local dest="$1"
 	local arch="$2"
@@ -222,10 +226,15 @@ fetch_apk_static() {
 	local apk=$dest/sbin/apk.static
 	[ -s "$apk" ] || die 2 'apk.static not found'
 
-	local sigprefix=$apk.SIGN.RSA.
-	local keyfile=$(ls -1 "$sigprefix"alpine-*.pub 2>/dev/null | head -n 1)
-	if ! openssl dgst -sha1 \
-		-verify "$APK_KEYS_DIR/${keyfile#$sigprefix}" \
+	local sigprefix=$apk.SIGN.RSA.sha256
+	local algorithm=sha256
+	if ! [ -s "$(find_keyfile "$sigprefix")" ]; then
+		sigprefix=${sigprefix%.*}
+		algorithm=sha1
+	fi
+	local keyfile=$(find_keyfile "$sigprefix")
+	if ! openssl dgst -$algorithm \
+		-verify "$APK_KEYS_DIR/${keyfile#$sigprefix.}" \
 		-signature "$keyfile" \
 		"$apk"; then