Diffstat (limited to 'sys-apps/apk-tools/files')
-rw-r--r-- | sys-apps/apk-tools/files/apk-tools-2.6.6-use-sha256-signature.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/sys-apps/apk-tools/files/apk-tools-2.6.6-use-sha256-signature.patch b/sys-apps/apk-tools/files/apk-tools-2.6.6-use-sha256-signature.patch
new file mode 100644
index 000000000..e13f8b563
--- /dev/null
+++ b/sys-apps/apk-tools/files/apk-tools-2.6.6-use-sha256-signature.patch
@@ -0,0 +1,52 @@
+From 0984ca854ce4b9fddbf1dc7503058406ded6e2cc Mon Sep 17 00:00:00 2001
+From: Andrew Wilcox <AWilcox@Wilcox-Tech.com>
+Date: Sun, 18 Oct 2015 11:19:36 -0500
+Subject: [PATCH] package: use SHA256 for signature instead of SHA1
+
+---
+ src/apk_blob.h | 2 +-
+ src/package.c | 8 ++------
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/apk_blob.h b/src/apk_blob.h
+index 2d2e30e..a879d27 100644
+--- a/src/apk_blob.h
++++ b/src/apk_blob.h
+@@ -41,7 +41,7 @@ extern apk_blob_t apk_null_blob;
+
+ /* Internal cointainer for MD5 or SHA1 */
+ struct apk_checksum {
+- unsigned char data[20];
++ unsigned char data[40];
+ unsigned char type;
+ };
+
+diff --git a/src/package.c b/src/package.c
+index 24a4f94..14993b3 100644
+--- a/src/package.c
++++ b/src/package.c
+@@ -570,8 +570,7 @@ int apk_sign_ctx_process_file(struct apk_sign_ctx *ctx,
+ if (ctx->keys_fd < 0)
+ return 0;
+
+- if (strncmp(&fi->name[6], "RSA.", 4) == 0 ||
+- strncmp(&fi->name[6], "DSA.", 4) == 0) {
++ if (strncmp(&fi->name[6], "RSA.", 4) == 0) {
+ int fd = openat(ctx->keys_fd, &fi->name[10], O_RDONLY|O_CLOEXEC);
+ BIO *bio;
+
+@@ -581,10 +580,7 @@ int apk_sign_ctx_process_file(struct apk_sign_ctx *ctx,
+ bio = BIO_new_fp(fdopen(fd, "r"), BIO_CLOSE);
+ ctx->signature.pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
+ if (ctx->signature.pkey != NULL) {
+- if (fi->name[6] == 'R')
+- ctx->md = EVP_sha1();
+- else
+- ctx->md = EVP_dss1();
++ ctx->md = EVP_sha256();
+ }
+ BIO_free(bio);
+ } else
+--
+2.7.0
+ |
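Review bot: In the second src/package.c hunk, `ctx->md = EVP_sha256();` is now chosen for every `.SIGN.RSA.` entry, so the signature file name no longer tells the verifier which digest the signer used, and a package signed with SHA-1 under that same name will fail verification with nothing in the code saying that this is intended. I would record the policy at the assignment, for example `/* all RSA signatures are verified with SHA-256; SHA-1-signed packages are rejected */`. In src/apk_blob.h the buffer grows to `data[40]` although a SHA-256 digest is 32 bytes, and the comment above it still reads "MD5 or SHA1"; the comment should name SHA-256 and say why 40 rather than 32 was picked. Whether other code treats `type` as a digest length bounded by 20, and what the trailing `else` branch now does with a `DSA.` entry, is not visible in these hunks and should be checked; `apk_sign_ctx_process_file` starts and ends outside them.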