apkutils

package module
v1.0.0 Latest
Published: Dec 19, 2024 License: MIT Imports: 16 Imported by: 0

README

apkutils

apkutils contains utilities for operating on Alpine packages and package indices from Go.

Specifically it can:

  • Verify the public key signature in an APKINDEX.tar.gz bundle, then parse out the contents of the index. See examples/verify-and-parse-index.
  • Verify the public key signature in an APK file, then verify the hash of the contents that is stored in the metadata, then return the content of the APK. See examples/verify-and-read-apk.
  • Given the package information from an APKINDEX, recursively resolve dependencies of packages to generate a bill of materials/list of packages to install. See examples/flatten-dependencies.

Contributions of further functions or enhancements are welcome!

Documentation

Functions

func FlattenDependencies

func FlattenDependencies(packages map[string]*PackageInfo, names ...string) (map[string]*PackageInfo, error)

FlattenDependencies walks and flattens the package dependency tree, returning the named packages and all their transitive dependencies.

Ignores version constraints and conflicts.

func ReadApkIndex

func ReadApkIndex(reader io.Reader, keyProvider KeyProvider) (map[string]*PackageInfo, error)

ReadApkIndex verifies the embedded signature in the file, then extracts and parses the APKINDEX contents.

func ReadTarball

func ReadTarball(reader io.Reader, keyProvider KeyProvider) (*tar.Reader, error)

ReadTarball takes an Alpine APK, verifies the embedded signature using the public keys provided by the keyProvider, verifies the hash of the tarball, and returns a reader over the contents of the APK tarball.

func Verify

func Verify(reader io.Reader, keyProvider KeyProvider) error

Verify checks the embedded signature within an Alpine APK or APKINDEX file.

These files are concatenations of two or more gzip streams, the first of which contains a signature of the (compressed) second stream.

A valid signature is indicated by returning a nil error.
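
The stream layout described above, as an added example that is not apkutils' own code: the hypothetical helper `verifySecondStream` finds the byte range of the second gzip stream and checks the signature against exactly those compressed bytes, ignoring any later streams. It assumes the Alpine convention of a tar entry named `.SIGN.RSA.<key name>` carrying an RSA PKCS#1 v1.5 signature over SHA-1, and uses a plain `trusted` map in place of a KeyProvider.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
	"io"
	"strings"
)

// verifySecondStream is a hypothetical helper. Assumed layout: member 1 is a tar segment whose
// ".SIGN.RSA.<key name>" entry is an RSA PKCS#1 v1.5 / SHA-1 signature over raw member 2.
func verifySecondStream(file []byte, trusted map[string]*rsa.PublicKey) error {
	src := bytes.NewReader(file) // an io.ByteReader, so gzip stops exactly at member ends
	zr, err := gzip.NewReader(src)
	if err != nil {
		return err
	}
	zr.Multistream(false) // stop at the end of member 1
	tr := tar.NewReader(zr)
	hdr, err := tr.Next()
	if err != nil {
		return err
	}
	name, ok := strings.CutPrefix(hdr.Name, ".SIGN.RSA.")
	pub := trusted[name] // the name is untrusted input: map lookup only, never a file path
	if !ok || pub == nil {
		return fmt.Errorf("no trusted key for entry %q", hdr.Name)
	}
	sig, err := io.ReadAll(io.LimitReader(tr, 1024)) // bound the allocation
	if _, drain := io.Copy(io.Discard, zr); err != nil || drain != nil {
		return fmt.Errorf("bad signature stream")
	}
	start := len(file) - src.Len() // offset where member 2 begins
	if err := zr.Reset(src); err != nil {
		return fmt.Errorf("no second stream: %w", err)
	}
	zr.Multistream(false) // Reset re-enables multistream; hash member 2 only
	if _, err := io.Copy(io.Discard, zr); err != nil {
		return err
	}
	digest := sha1.Sum(file[start : len(file)-src.Len()])
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig)
}

func main() { fmt.Println(verifySecondStream(nil, nil)) } // empty input is rejected
```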

Types

type KeyProvider

type KeyProvider interface {
	Key(name string) (*rsa.PublicKey, error)
}

A KeyProvider supplies public keys for use in package verification.

func NewFileSystemKeyProvider

func NewFileSystemKeyProvider(fs fs.FS) KeyProvider

NewFileSystemKeyProvider creates a new KeyProvider that will load PEM-encoded public keys from the root of the given filesystem.

No validation is performed on key names; the filesystem should be appropriately rooted to ensure only key material is accessible.

type PackageInfo

type PackageInfo struct {
	Name         string
	Version      string
	Dependencies []string
	Provides     []string
}

PackageInfo describes a package available in a repository.

Directories

Path Synopsis
examples
