FIX: Unsigned Alpine apk packages may have missing or incorrect checksum
Created: 1/2/2026 11:10:19 AM by Rich H
Status: Awaiting Release on
Last pulled: 1/12/2026 10:05:53 AM
Description:
Example packages:
- https://pkg.henderkes.com/85/-/packages/alpine/php-zts-zstd/0.15.2_85-r2
- https://pkg.henderkes.com/85/-/packages/alpine/php-zts-embed/8.5.1-r
- https://pkg.henderkes.com/85/-/packages/alpine/php-zts-cli/8.5.1-r1
These packages seem to find 2 streams instead of 3, which means the control stream is not found. APK Tools can find the control stream.
Here is the APK Tools source code for generating the hash of the control stream: https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/src/blob.c#L567
Just in case the line number is off, the method is named `apk_blob_pull_digest`.
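The 2-stream versus 3-stream case described above, as an added example (not code from this ticket or from apk-tools): it locates the control stream by its `.PKGINFO` entry instead of by position, so signed and unsigned packages yield the same checksum. It assumes the APK v2 layout (optional signature stream, control stream, data stream, each a gzip member) and the `Q1` + base64(SHA-1) checksum encoding; neither is stated on the page, and the sample package bytes and the `make_segment` helper are constructed for illustration.

```python
import base64, gzip, hashlib, io, tarfile, zlib

def split_gzip_members(blob):
    """Return the raw (still compressed) bytes of each concatenated gzip member."""
    members = []
    while blob:
        d = zlib.decompressobj(wbits=31)      # wbits=31 selects the gzip wrapper
        d.decompress(blob)
        if not d.eof:
            raise ValueError("truncated gzip member")
        end = len(blob) - len(d.unused_data)  # bytes consumed by this member
        members.append(blob[:end])
        blob = blob[end:]
    return members

def tar_names(member):
    """List entry names in one gzip-compressed tar segment."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(member))) as tf:
        return tf.getnames()

def control_checksum(apk_bytes):
    """Find the control stream by content (.PKGINFO), not by index, and hash it."""
    members = split_gzip_members(apk_bytes)
    signed = any(n.startswith(".SIGN.") for n in tar_names(members[0]))
    for m in members:
        if ".PKGINFO" in tar_names(m):
            # Assumption: the checksum covers the compressed control stream.
            digest = hashlib.sha1(m).digest()
            return signed, len(members), "Q1" + base64.b64encode(digest).decode()
    raise ValueError("no control stream (.PKGINFO) found")

def make_segment(files):
    """Constructed sample data: a gzip'd tar built from a name -> bytes map."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue())

# Constructed segments standing in for a real package's three streams.
SIG = make_segment({".SIGN.RSA.example.rsa.pub": b"constructed-signature"})
CTRL = make_segment({".PKGINFO": b"pkgname = example\npkgver = 1.0-r0\n"})
DATA = make_segment({"usr/bin/example": b"#!/bin/sh\n"})

if __name__ == "__main__":
    print(control_checksum(SIG + CTRL + DATA))   # signed package: 3 streams
    print(control_checksum(CTRL + DATA))         # unsigned package: 2 streams
```

A parser that always takes the second stream as the control stream would hash the data stream of the unsigned package here, which matches the missing or incorrect checksum in the title.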