526 lines
19 KiB
Bash
Executable file
526 lines
19 KiB
Bash
Executable file
#!/bin/sh
|
|
set -e
|
|
|
|
TESTDIR="$(readlink -f "$(dirname "$0")")"
|
|
. "$TESTDIR/framework"
|
|
|
|
setupenvironment
|
|
configarchitecture "i386"
|
|
|
|
export APT_DONT_SIGN='Release.gpg'
|
|
buildaptarchive
|
|
setupflataptarchive
|
|
changetowebserver
|
|
|
|
prepare() {
|
|
local DATE="${2:-now}"
|
|
if [ "$DATE" = 'now' ]; then
|
|
if [ "$1" = "${PKGFILE}-new" ]; then
|
|
DATE='now - 1 day'
|
|
else
|
|
DATE='now - 7 day'
|
|
fi
|
|
fi
|
|
for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
|
|
touch -d 'now - 1 year' "$release"
|
|
done
|
|
aptget clean
|
|
cp "$1" aptarchive/Packages
|
|
find aptarchive -name 'Release' -delete
|
|
compressfile 'aptarchive/Packages' "$DATE"
|
|
generatereleasefiles "$DATE" 'now + 1 month'
|
|
}
|
|
|
|
installaptold() {
|
|
rm -rf rootdir/var/cache/apt/archives
|
|
testsuccessequal "Reading package lists...
|
|
Building dependency tree...
|
|
Suggested packages:
|
|
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
|
|
The following NEW packages will be installed:
|
|
apt
|
|
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
|
|
Need to get 3 B of archives.
|
|
After this operation, 5370 kB of additional disk space will be used.
|
|
Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3 [3 B]
|
|
Download complete and in download only mode" aptget install apt -dy
|
|
}
|
|
|
|
installaptnew() {
|
|
rm -rf rootdir/var/cache/apt/archives
|
|
testsuccessequal "Reading package lists...
|
|
Building dependency tree...
|
|
Suggested packages:
|
|
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
|
|
The following NEW packages will be installed:
|
|
apt
|
|
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
|
|
Need to get 3 B of archives.
|
|
After this operation, 5808 kB of additional disk space will be used.
|
|
Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1 [3 B]
|
|
Download complete and in download only mode" aptget install apt -dy
|
|
}
|
|
|
|
failaptold() {
|
|
testfailureequal 'Reading package lists...
|
|
Building dependency tree...
|
|
Suggested packages:
|
|
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
|
|
The following NEW packages will be installed:
|
|
apt
|
|
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
|
|
Need to get 3 B of archives.
|
|
After this operation, 5370 kB of additional disk space will be used.
|
|
WARNING: The following packages cannot be authenticated!
|
|
apt
|
|
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
|
|
}
|
|
|
|
failaptnew() {
|
|
testfailureequal 'Reading package lists...
|
|
Building dependency tree...
|
|
Suggested packages:
|
|
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
|
|
The following NEW packages will be installed:
|
|
apt
|
|
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
|
|
Need to get 3 B of archives.
|
|
After this operation, 5808 kB of additional disk space will be used.
|
|
WARNING: The following packages cannot be authenticated!
|
|
apt
|
|
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
|
|
}
|
|
|
|
# fake our downloadable file
|
|
echo -n 'apt' > aptarchive/apt.deb
|
|
|
|
PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
|
|
|
|
updatewithwarnings() {
|
|
testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
|
|
testsuccess grep -E "$1" rootdir/tmp/testwarning.output
|
|
}
|
|
|
|
foreachgpg() {
|
|
rm -f rootdir/etc/apt/apt.conf.d/00gpgvcmd
|
|
local sqv="true"
|
|
if [ "$1" = "--no-sqv" ]; then
|
|
local sqv=
|
|
shift
|
|
fi
|
|
if [ "$sqv" ]; then
|
|
"$@"
|
|
fi
|
|
for GPGV in "gpgv-sq" "gpgv-g10code"; do
|
|
msgmsg "Forcing $GPGV to be used"
|
|
echo "APT::Key::GPGVCommand \"$GPGV\";" > "rootdir/etc/apt/apt.conf.d/00gpgvcmd"
|
|
"$@"
|
|
done
|
|
}
|
|
|
|
runtest() {
|
|
msgmsg 'Cold archive signed by' 'Joe Sixpack'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack'
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
if [ "$(id -u)" != '0' ]; then
|
|
msgmsg 'Cold archive signed by' 'Joe Sixpack + unreadable key'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
echo 'foobar' > rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
|
|
chmod 000 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
|
|
updatewithwarnings '^W: .* is not readable by user'
|
|
chmod 644 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
|
|
rm -f rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
fi
|
|
|
|
msgmsg 'Good warm archive signed by' 'Joe Sixpack'
|
|
prepare "${PKGFILE}-new"
|
|
signreleasefiles 'Joe Sixpack'
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
|
|
msgmsg 'Cold archive signed by' 'Rex Expired'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
|
|
signreleasefiles 'Rex Expired'
|
|
updatewithwarnings '^W: .* (EXPKEYSIG|Expired)'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
failaptold
|
|
rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
|
|
|
|
msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack,Marvin Paranoid'
|
|
successfulaptgetupdate 'NO_PUBKEY\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack,Rex Expired'
|
|
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
|
|
successfulaptgetupdate 'EXPKEYSIG\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
|
|
rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Cold archive signed by' 'Marvin Paranoid'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Marvin Paranoid'
|
|
updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
failaptold
|
|
|
|
msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
|
|
prepare "${PKGFILE}-new"
|
|
signreleasefiles 'Joe Sixpack'
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
|
|
msgmsg 'Cold archive signed by' 'Joe Sixpack'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack'
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
|
|
prepare "${PKGFILE}-new"
|
|
signreleasefiles 'Marvin Paranoid'
|
|
updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Good warm archive signed by' 'Rex Expired'
|
|
prepare "${PKGFILE}-new"
|
|
# Use a colon here to test weird filenames too
|
|
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rex:expired.gpg
|
|
signreleasefiles 'Rex Expired'
|
|
updatewithwarnings '^W: .* (EXPKEYSIG|Expired)'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
rm rootdir/etc/apt/trusted.gpg.d/rex:expired.gpg
|
|
|
|
msgmsg 'Good warm archive signed by' 'Joe Sixpack'
|
|
prepare "${PKGFILE}-new"
|
|
signreleasefiles
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
|
|
msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
|
|
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
|
|
updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
|
|
|
|
msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
|
|
prepare "${PKGFILE}"
|
|
signreleasefiles 'Marvin Paranoid'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Cold archive signed by good keyrings' 'Marvin Paranoid, Joe Sixpack'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
local SIXPACK="$(readlink -f keys/joesixpack.pub)"
|
|
sed -i "s# \[signed-by=[^]]\+\] # [signed-by=$MARVIN,$SIXPACK] #" rootdir/etc/apt/sources.list.d/*
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Cold archive signed by good keyrings' 'Joe Sixpack, Marvin Paranoid'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
local SIXPACK="$(readlink -f keys/joesixpack.pub)"
|
|
sed -i "s# \[signed-by=[^]]\+\] # [signed-by=$SIXPACK,$MARVIN] #" rootdir/etc/apt/sources.list.d/*
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
sed -i "s# \[signed-by=[^]]\+\] # #" rootdir/etc/apt/sources.list.d/*
|
|
|
|
local MARVIN="DE66AECA9151AFA1877EC31DE8525D47528144E2"
|
|
msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack'
|
|
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
|
|
updatewithwarnings '^W: .* (be verified because the public key is not available: .*|No good signature from required signer)'
|
|
|
|
msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Marvin Paranoid'
|
|
cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Marvin Paranoid,Joe Sixpack'
|
|
successfulaptgetupdate 'NoPubKey: GOODSIG\|DE66AECA9151AFA1877EC31DE8525D47528144E2'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
local SIXPACK="34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE"
|
|
msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack'
|
|
sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
|
|
sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
|
|
|
|
rm -rf rootdir/var/lib/apt/lists-bak
|
|
cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
|
|
prepare "${PKGFILE}-new"
|
|
signreleasefiles 'Joe Sixpack'
|
|
|
|
msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
|
|
sed -i "/^Valid-Until: / a\
|
|
Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
|
|
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
|
|
msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
|
|
sed -i "/^Valid-Until: / a\
|
|
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
|
|
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
|
|
updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
|
|
sed -i "/^Valid-Until: / a\
|
|
Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
|
|
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
|
|
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
|
|
msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
|
|
sed -i "/^Valid-Until: / a\
|
|
Signed-By: ${MARVIN} ${MARVIN}, \\
|
|
${SIXPACK}" rootdir/var/lib/apt/lists/*Release
|
|
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
|
|
cp -a keys/sebastiansubkey.pub rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
|
|
local SEBASTIAN="648E6A33FDE5CB5BA2D896A3CA3E1DFF1E6BE149"
|
|
msgmsg 'Warm archive with subkey signing' 'Sebastian Subkey'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Sebastian Subkey'
|
|
sed -i "/^Valid-Until: / a\
|
|
Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release
|
|
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
|
|
if [ -z "$GPGV" ] && test -e "${METHODSDIR}/sqv"; then
|
|
msgmsg 'Warm archive with ahead-policy-rejected subkey signing' 'Sebastian Subkey'
|
|
cat > test-sequoia.config << EOF
|
|
[asymmetric_algorithms]
|
|
rsa3072 = $(date +%Y-%m-%d --date="now + 6 months")
|
|
EOF
|
|
APT_SEQUOIA_CRYPTO_POLICY=$PWD/test-sequoia.config updatewithwarnings "W: http://localhost:${APTHTTPPORT}/.*Release.*: Policy will reject signature within a year, see --audit for details"
|
|
fi
|
|
|
|
msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
|
|
sed -i "/^Valid-Until: / a\
|
|
Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release
|
|
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
|
|
updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
installaptold
|
|
|
|
local SUBKEY="4281DEDBD466EAE8C1F4157E5B6896415D44C43E"
|
|
# This is only supported for gpgv, so require an explicit gpgv command,
|
|
# otherwise the default verification backend may be sqv.
|
|
if [ "$GPGV" ]; then
|
|
msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
|
|
sed -i "/^Valid-Until: / a\
|
|
Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release
|
|
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
|
|
successfulaptgetupdate
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
installaptnew
|
|
fi
|
|
rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
|
|
}
|
|
|
|
runtest2() {
|
|
msgmsg 'Cold archive signed by' 'Joe Sixpack'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack'
|
|
successfulaptgetupdate
|
|
|
|
# New .deb but now an unsigned archive. For example MITM to circumvent
|
|
# package verification.
|
|
msgmsg 'Warm archive signed by' 'nobody'
|
|
prepare "${PKGFILE}-new"
|
|
find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
|
|
updatewithwarnings 'W: .* no longer signed.'
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
failaptnew
|
|
|
|
msgmsg 'Cold archive signed by' 'Empty signature'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
find aptarchive -name Release -exec touch {}.gpg \;
|
|
testfailuremsg "E: OpenPGP signature verification failed: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update -o Debug::gpgv=1
|
|
|
|
msgmsg 'Cold archive signed by' 'Unknown format signature'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
find aptarchive -name Release -exec sh -c "echo Hello > {}.gpg" \;
|
|
testfailuremsg "E: OpenPGP signature verification failed: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update
|
|
|
|
find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
|
|
|
|
# Unsigned archive from the beginning must also be detected.
|
|
msgmsg 'Cold archive signed by' 'nobody'
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
updatewithwarnings 'W: .* is not signed.'
|
|
testsuccessequal "$(cat "${PKGFILE}-new")
|
|
" aptcache show apt
|
|
failaptnew
|
|
}
|
|
|
|
runtest3() {
|
|
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
|
|
msgmsg "Running base test with $1 digest"
|
|
runtest2
|
|
|
|
for DELETEFILE in 'InRelease' 'Release.gpg'; do
|
|
export APT_DONT_SIGN="$DELETEFILE"
|
|
msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
|
|
runtest
|
|
export APT_DONT_SIGN='Release.gpg'
|
|
done
|
|
}
|
|
|
|
# disable some protection by default and ensure we still do the verification
|
|
# correctly
|
|
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
|
|
Acquire::AllowInsecureRepositories "1";
|
|
Acquire::AllowDowngradeToInsecureRepositories "1";
|
|
EOF
|
|
# the hash marked as configurable in our gpgv method
|
|
export APT_TESTS_DIGEST_ALGO='SHA512'
|
|
|
|
successfulaptgetupdate() {
|
|
testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
|
|
if [ -n "$1" ]; then
|
|
cp rootdir/tmp/testsuccess.output aptupdate.output
|
|
testsuccess grep "$1" aptupdate.output
|
|
fi
|
|
}
|
|
foreachgpg runtest3 'Trusted'
|
|
|
|
successfulaptgetupdate() {
|
|
testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
|
|
if [ -n "$1" ]; then
|
|
testsuccess grep "$1" rootdir/tmp/testwarning.output
|
|
fi
|
|
testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output
|
|
}
|
|
foreachgpg --no-sqv runtest3 'Weak'
|
|
|
|
msgmsg "Running test with apt-untrusted digest"
|
|
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
|
|
runfailure() {
|
|
for DELETEFILE in 'InRelease' 'Release.gpg'; do
|
|
export APT_DONT_SIGN="$DELETEFILE"
|
|
msgmsg 'Cold archive signed by' 'Joe Sixpack'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Joe Sixpack'
|
|
testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
|
|
testsuccess grep 'The following signatures were invalid\|MD5 is not considered secure' rootdir/tmp/testfailure.output
|
|
testnopackage 'apt'
|
|
testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
|
|
failaptold
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
|
|
testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
|
|
failaptold
|
|
sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
|
|
|
|
msgmsg 'Cold archive signed by' 'Marvin Paranoid'
|
|
prepare "${PKGFILE}"
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
signreleasefiles 'Marvin Paranoid'
|
|
testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
|
|
testnopackage 'apt'
|
|
updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
|
|
testsuccessequal "$(cat "${PKGFILE}")
|
|
" aptcache show apt
|
|
failaptold
|
|
export APT_DONT_SIGN='Release.gpg'
|
|
done
|
|
}
|
|
foreachgpg --no-sqv runfailure
|