diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:00:48 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:00:48 +0000 |
commit | 851b6a097165af4d51c0db01b5e05256e5006896 (patch) | |
tree | 5f7c388ec894a7806c49a99f3bdb605d0b299a7c /test/integration/test-releasefile-date-older | |
parent | Initial commit. (diff) | |
download | apt-upstream.tar.xz apt-upstream.zip |
Adding upstream version 2.6.1.upstream/2.6.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/integration/test-releasefile-date-older')
-rwxr-xr-x | test/integration/test-releasefile-date-older | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/test/integration/test-releasefile-date-older b/test/integration/test-releasefile-date-older new file mode 100755 index 0000000..81c71ea --- /dev/null +++ b/test/integration/test-releasefile-date-older @@ -0,0 +1,132 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'i386' + +insertpackage 'wheezy' 'apt' 'all' '0.8.15' + +setupaptarchive --no-update + +# we don't complain as the server could have just sent a 'Hit' here and this +# 'downgrade attack' is usually performed by out-of-sync mirrors. Valid-Until +# catches the 'real' downgrade attacks (expect that it finds stale mirrors). +# Scaring users with an error here serves hence no point. + +msgmsg 'InRelease file is silently rejected if' 'new Date is before old Date' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now + 7 days' +signreleasefiles +testsuccess aptget update +listcurrentlistsdirectory > listsdir.lst +redatereleasefiles 'now - 2 days' +testsuccess aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" + +msgmsg 'Release.gpg file is silently rejected if' 'new Date is before old Date' +export APT_DONT_SIGN='InRelease' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now + 7 days' +signreleasefiles +testsuccess aptget update +listcurrentlistsdirectory > listsdir.lst +redatereleasefiles 'now - 2 days' +testsuccess aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +unset APT_DONT_SIGN + +msgmsg 'Crisscross InRelease/Release.gpg file is silently rejected if' 'new Date is before old Date' +export APT_DONT_SIGN='Release.gpg' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now + 7 days' +signreleasefiles +testsuccess aptget update +export APT_DONT_SIGN='InRelease' +listcurrentlistsdirectory > listsdir.lst +redatereleasefiles 'now - 2 days' +testsuccess aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +unset APT_DONT_SIGN + +msgmsg 'Crisscross Release.gpg/InRelease file is silently rejected if' 'new Date is before old Date' +export APT_DONT_SIGN='InRelease' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now + 7 days' +signreleasefiles +find aptarchive -name 'InRelease' -delete +testsuccess aptget update +export APT_DONT_SIGN='Release.gpg' +listcurrentlistsdirectory > listsdir.lst +redatereleasefiles 'now - 2 days' +testsuccess aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +unset APT_DONT_SIGN + +msgmsg 'Release file has' 'no Date and no Valid-Until field' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' +sed -i '/^Date: / d' $(find ./aptarchive -name 'Release') +signreleasefiles +testwarning aptget update +listcurrentlistsdirectory > listsdir.lst +# have no effect as Date is unknown +testwarning aptget update -o Acquire::Min-ValidTime=$((3600*24*30)) +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +testwarning aptget update -o Acquire::Max-ValidTime=1 +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +sed -i '/^Codename: / a\ +Another-Field: yes' $(find aptarchive/ -name 'Release') +touch -d 'now + 1 day' $(find aptarchive/ -name 'Release') +signreleasefiles "${2:-Joe Sixpack}" +testwarning aptget update +testsuccess cmp $(find aptarchive/ -name 'InRelease') $(find rootdir/var/lib/apt/ -name '*_InRelease') + +msgmsg 'Release file has' 'no Date field, but Valid-Until expired' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now - 2 days' +sed -i '/^Date: / d' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailure aptget update +listcurrentlistsdirectory > listsdir.lst +# have no effect as Date is unknown +testfailure aptget update -o Acquire::Min-ValidTime=$((3600*24*30)) +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +testfailure aptget update -o Acquire::Max-ValidTime=1 +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" + +msgmsg 'Release file has' 'no Date field, but Valid-Until is good' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now + 2 days' +sed -i '/^Date: / d' $(find ./aptarchive -name 'Release') +signreleasefiles +testwarning aptget update + +# the repo is now signed by unknown key, but marked as trusted +rm -rf rootdir/etc/apt/trusted.gpg.d +sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/* + +msgmsg 'Forgot to disable in follow-up' 'Check-Date' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now + 3 days' 'now + 7 days' +signreleasefiles +testfailure aptget update +testwarning aptget update -o Acquire::Check-Date=no +listcurrentlistsdirectory > listsdir.lst +generatereleasefiles 'now + 5 days' 'now + 13 days' +signreleasefiles +testfailure aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +testwarning aptget update -o Acquire::Check-Date=no +testsuccess cmp "$(find aptarchive/ -name 'InRelease')" "$(find rootdir/var/lib/apt/ -name '*_Release')" + +msgmsg 'Force-Trusted InRelease file is silently ignored' 'new Date is before old Date' +rm -rf rootdir/var/lib/apt/lists +generatereleasefiles 'now' 'now + 7 days' +signreleasefiles +testwarning aptget update +listcurrentlistsdirectory > listsdir.lst +redatereleasefiles 'now - 2 days' +testwarning aptget update +testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" |