1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
|
#!/usr/bin/python3
import contextlib
import errno
import itertools
import os
import shutil
import sys
import tempfile
import time
import unittest
from http.server import HTTPServer
from http.server import SimpleHTTPRequestHandler as HTTPRequestHandler
import apt_pkg
import testcommon
import apt.auth
WHEEZY_KEYID = "8B48AD6246925553"
WHEEZY_KEYDATE = "1335553717"
WHEEZY_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38
cA3kK1iB5XYElbZ5b/x3vWiufHK2semOpn5MG2GRJUwmKxZbt3HLZiHtAadkby2l
rnMxeIzfxcTxloxsQ02TMRalq89Xvy6P7lgedcW5ujcMR6JbE6uL1c/jNlkIPNuN
9paZsNJWXnZ03R+NrAJLjOPUZKZRPYgIwEci2sVNA/autsJL+HuW6X8PfldvMe5h
SdWelOoXMsZMX04JP8Efq8a09yIgKBfuXjoHJbtK0rTr9tjFKt/VM6MejLdJf4Dl
r6Zhx2ygmjcvj+FlWFoxDlPHdqfZ6mGsKR4eWDRu3bZtalDNvhZKvecwf0KaAWVU
M+GxkR+Ol3TsQ0tLbjbwZhWMioipR8Lsp6kZ1tLUjM0aOR3Mw/csyFJYKFiCo3GR
QSGY0++cDrfhQRwOJ9s2eeGGS1/I95vJZA5zZnx1ksnO0W2fHVBavICR821EBAEZ
slLzr+IOrbB16YE/aN2iA9nTcQVk69XeEh5gaeiCZ7JhA2nkAg8a/H1r4BVBC/cL
egzhUvP90kk94MmL1D2gY6UlyK4yTnHgVfjsQw6u2sPDlramyXBZehnKabIndM1P
368IbW8GTNo0gNwg/oC/vENwYnAuX+S96/O/1XfQoBNr+epTVdS4VQHICQARAQAB
tEhEZWJpYW4gQXJjaGl2ZSBBdXRvbWF0aWMgU2lnbmluZyBLZXkgKDcuMC93aGVl
enkpIDxmdHBtYXN0ZXJAZGViaWFuLm9yZz6JAj4EEwEIACgFAk+a7rUCGwMFCQ8J
nAAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEItIrWJGklVTdQEQAMLCmMQr
7SxFULYgprbr5eO6uAs/8nkIBhJBzUnenOUnwsOR3Io9/sHc8Cq/xv1DTsY5G5Qj
ojywslbeF44TxBZ0j3UwPU437bfNs7yTRkgPVhHK/rZ9ApbnZdCmud+BUkDOChLV
8fzCZ17Pa5eMr5E4WI0bLM5AA3vVFLBgHFqJUgE7mSn95vA1S881/xOQ4lT1WHfa
O9K96X6ekn2zpPu/G8aq+oDyVGfo1AKQCPBJ3OCX0WB3GNWbcCb850gy9vtKlWDu
yAh1a9Cl5OPHlYqz8q+Hqj4ZeRgJiDgCgm8YAlKEooEG/vJzswaY+C3nz6uNfBeq
60QhPfgaO8qGlriChGAFqzD68ZQ53NApJw/OuwV2p5CgnkyGAVGZ1WuYcXz/wHyU
awnXq3Bf69RJssbab6SqptJyYuiY8T/2vWRgQxej18KAZ0v1Vr/MC1azp6TWgfSl
s2fvGvPf9vEbKyBR3YFa5msRKGpRauv4wWmcLfZ+jMLbSAWBfILPK+fGLtRGz4AX
hRht9rX7c4neQvlBNDDgR3tuaE3s0B1B6gTcvq7EhuuP4pAzkBLhpuzolvw+ZFOV
5mElfScYi8QbQgT9t2XjUDU1oz1ewviNhynpsxh51t5qxP5ETDGKvEx7RMv4S08p
5VGG4Y+kjcsQWfAdVAGuLqWOI0sGzUzKYZppiEYEExECAAYFAk+a8vAACgkQcV7W
oH57isk7FACcCIOIMr39LUSv16Ec9V102uheqlsAnRqdAADYF7iJIrfqyb72s/54
3JFaiQJGBBMBCAAwBQJPmvMiBxpzdHJpbmchGmh0dHA6Ly9ncGcuZ2FubmVmZi5k
ZS9wb2xpY3kudHh0AAoJENsWz1uxJSXEhEYP/in+rib86H2vPG+ALZ35o4eh1+9P
KLtUwgHB3Wr/rmPuPY5uB02H/p3PxgJHXUXUPAleN6uajZvReO1wWLTYspPAK8ZF
6p52vuyHgOZl+VmGkLgYKOG/cckqQqTTaHwQj0O8pllJjOJYVdt5iWAHkf1N1UAA
nXC2GdxV+ZVGvZjjCDL8WFWCfoY4HznslcEHQKxg7vzZvVMTjY6L+8NmWkVoD4JL
kYtQOrId1wWYInJiQRtilyn7n9mJ+rTBSETB9Evs3x+zmNa3ntY1/U8XINgxVA5U
GYyUfUug2DjZ90LfXyZUOXVLE5yM1x7oOpyg/1mMtl5xkmuqJHOTeVEjQBYfMRHi
sS4ainR5AoD1Z5KV4S0opt198LDMXGLNjUdJEG24QEK5tfgTFRgFRJYiufxDelI3
Aq5uGVRrBJygjwaQiJLUVlMqBGHJi++zeWr767pHVWB1XqdmPRvvOqH2v/ez4bSW
zIkUDTr947qmjyAqNNmCv/jgV5viqbj5LNslBkFg8OS+6O7na2gU5ldXfBoC0nso
3pdsCuOYUIrHyP/GjT1gvG0m+jZ/15bvoWvUv4Buh+3gYVyLwrgbq7UISRfwQEah
yzIrO5MvgS0MTIlOgO7Lxog2XMEkQ1ZCbLu5Rvm/8LC0UlSxW9aOIKBSC3hi7U8E
BuA24Mv5Iz7QvO+giQEcBBABAgAGBQJPmwDBAAoJEF7K+wCjrkSkkq8H/3M/M+Xb
vI0cY3MOkFMtyG7xmxPcny1/arnQDvjvpv1BhRBnVTstMxHWzAFQf3M8KttARWo4
C6U5Cbc0Jx6avqXZwop91a8tQORErC9Kcrr27FJfNAOP5AVzXAofpZyXvouFYBig
ikHdRJlFrn9rydvK9Z5vg63ZzsRB7hTtHi/j1o7d0IpVmR2iTnbWGiUxpnRdLhEF
AnUU+TDFVg6EoJ6aeKsLa43UPHizq12WZPd72cJNSLMk/u+UZvg4sa7pOrkJNYN1
jL7BSphwKCuA8vBc2lLO14uYDO8LHjd4opatMWCEEvnJQS98JytIkYcwJhJ/IgCz
tqAUo44SUcOodNGJAhwEEAECAAYFAk+bA/IACgkQvDciUsoc+WRWgA/9FYi1aqas
fJyRV4pfe90KhJ4uOO17ivnjULIDU4QFSdJpkCPznxadlDeyRbX/FhVu3RMzldIu
ZVly+VPqWwubudj9SVnqJxGkua2kEz8u3X96zif+nSB4wQuWLi4GOG9AYTnuNnZI
hO4RctYpEi9duBsPeewNi2zjUe8akhJacMhJflbW/XGsRf4goeL3WrB+k5DiDphm
nw2dge96uhZhM+Ih4hSoD9d+YLZbTqXX4L93jELE72UF4qnrZjYJtx8TSto9W2bj
sGFmpUB41viFtdnABLv5MhMsvlM37w8HTbKzzCYImgzBJNZ8Wr+VAeeQ/uB+izVv
Ls6aVKcwH2r8D+MMvh5d160lAJSUDXvZ0kdzawtBMzaNOIEYuQqoQxQGXvSAMRDV
2xFEn/XRT4iRl1stLvX86SMpLksbBfxZnrV9Q+OfTpar5O21sb1dpkgfWoF6W0kc
rjuAAsI3EbMuX3eK8r5SjWCLfIaU9ton+CdeJjJipEsEox7Rlq075t+6S4LL4wqq
dJPX4Rcuwx4LPXi9NKZAuQHisp1nuVV4luXttMdYfFq5QtokhjUaedAOORDy4gsC
mAMyLWgU/2r0grK7+AVLfn1p9wFb9FoBGFILcjVMAiY3OE5tNVPay9wGoD6n/h0O
cteh2rBrB7kEpXjRqasNfRl8vvlz7nWhTIKJAhwEEAEIAAYFAk+bAq8ACgkQEbTl
/xWw/YKuew/9Fub3t/nejgJ5KkjhfFppQQkE1yg2VJP3cbnrrhrAYZX6E6jN7dAI
MlpKqm4YR6FFe5bkra61TeXd2CI5E/MDdW4Q+AD66tA0xKRm5RzVuPvWoR9vyCx/
fPlRuVZptwczeV5bKTFyflICV3Z/R5llq2aT6M+MZdBL4AHs5yuspkYa5f8EESi6
pTJW0sXacjRSZyznQOZ2fMKn0LZnefSWjWoAB252hS27WW9kwpniJhUOzrrLuAWF
wnv6jfahNH14BCbNB7Q0DhcCeYnFocRv/NH8oipTrwfJ+IIMDDOcJvCbgv23w9DJ
Ynv2BaaJrbk04jux71vhaZUC0xTkE/b+rNZGnPaFnjqWBGN3s+RVZ0SHMQUzdl73
dH3lL98mULzmf1uD7fPIrF/EYrSvFcsV7mnpFmHOd3ApY6QugmakQOLVaIpi18N4
hJoEPBwSQ91eriieobRhjGs7LRnfmvkuQIlsQx82eycd1IV6Gp2cqzAb1qPzcaYh
TskU93Mj9OwmlqETB9FH7w7OvumQUjhHQCASeCGDeFJacZkwohWcxWkB0DUPWGgh
jnsiInTBzE/+nFsUthVlkh0Bki0BLy3gOUAgldvq3apw73OCsxjd2ORdGpFvvU2v
Xzogb+aanfTVniIfYDaJ3KHq+rF5WiVogJrK3TxsyuTAh3jFjEKNjVqJAhwEEAEI
AAYFAk+bo7wACgkQwktlomcsixJuOg/+PZqllY05fJhC5F8UzGpHDIsrokHNAc4L
xMgcudYoMwsK3NDxfXdKhfBgQqAsToSNpSYE4eNFcUF8yetdJbgoCWJOBIP1LCiy
dKXpH5mKy1PCQ+2FBb1mtKiGl1nIu1hgOx29R2ATGGSpGwbgm1Q8+cpM/nRVv7Hl
5e6uPZWkAu0MBUL9RbVSMQRpK6DUCKhLX4Loc3OS4rNjQkGnWyPtqlmU4bmRZ3R2
INaONb4tnLkjdBhAqhgaMneEGt07nI2GBaVhdTKoI2/aDBADhuSkHomD/euiDLAF
/gqvG6ir6akBaKiaZlDyFSAdI62gQ4DZqZF0ddGcyUfyWCgAIWxBLf6RX7yDsu5L
uCT7ppkogHYpxjGdRlUhu9tBukZNqN1BEDbywUu2oHus+XjCr+AKThY2eglRTiVw
SUo6KX8xBmRoo1W32pk5t9I8uMWMVc3cVh4QhqlKmcjtTJkRIVCNCXZl5JN2Uw8q
uP6thFNCsJx6g8UwaHRXJZNKyANfe8CFGuNO0/9i8sMP/lRxmhxb5+CgZQKmCBjq
eL/TOavRJVXbilVsU4j9OFlqx9ptGHfPlfjnIq2Bf9VWJQyS6E64ecqaqc+yqaVf
hd0FMz9hq067VITuG50JeVnmSJK/EVjSgMvxWlSNinMgUjNetrkQTO9OQ0caAGFq
DHcut3Yey8o=
=id4q
-----END PGP PUBLIC KEY BLOCK-----"""
def normalize_key(keystr):
"""Remove the Version: header from a key block"""
lines = keystr.split("\n")
if lines[1].startswith("Version:"):
return lines[:1] + lines[2:]
return lines
class TestAuthKeys(testcommon.TestCase):
"""Test handling of keys for signed repositories."""
def setUp(self):
testcommon.TestCase.setUp(self)
self.tmpdir = tempfile.mkdtemp()
self.addCleanup(shutil.rmtree, self.tmpdir)
apt_pkg.config.set("Dir", self.tmpdir)
apt_pkg.config.set("Dir::Bin::Apt-key", "fakeroot-apt-key")
apt_pkg.config.set("Dir::Etc", "etc/apt/")
trustedparts_dir = apt_pkg.config.find_dir("Dir::Etc::Trustedparts")
confparts_dir = apt_pkg.config.find_dir("Dir::Etc::parts")
self.assertTrue(trustedparts_dir.startswith(self.tmpdir))
os.makedirs(trustedparts_dir)
os.makedirs(confparts_dir)
shutil.copy("fakeroot-apt-key", self.tmpdir)
@contextlib.contextmanager
def _discard_stderr(self):
stderr_fd = sys.stderr.fileno()
stderr_save = os.dup(stderr_fd)
try:
devnull = os.open("/dev/null", os.O_WRONLY)
try:
os.dup2(devnull, stderr_fd)
yield
finally:
os.close(devnull)
finally:
os.dup2(stderr_save, stderr_fd)
os.close(stderr_save)
def testAddAndExportKey(self):
"""Add an example key."""
apt.auth.add_key(WHEEZY_KEY)
# Strip the headers from the keys to avoid test errors because
# the exported key used a differenct GnuPG version than the
# original example key
self.assertEqual(
normalize_key(apt.auth.export_key(WHEEZY_KEYID)), normalize_key(WHEEZY_KEY)
)
def testAddAndListKey(self):
"""Add an example key and test if it is correctly returned by
list_keys()
"""
apt.auth.add_key(WHEEZY_KEY)
ret = apt.auth.list_keys()
self.assertEqual(len(ret), 1)
key = ret[0]
self.assertEqual(
key.name,
"Debian Archive Automatic Signing Key (7.0/wheezy) "
"<ftpmaster@debian.org>",
)
self.assertEqual(key.keyid, WHEEZY_KEYID)
self.assertEqual(key.date, WHEEZY_KEYDATE)
def testAddKeyFromFile(self):
"""Test adding a key from file."""
keyfd, keyname = tempfile.mkstemp()
self.addCleanup(os.close, keyfd)
os.write(keyfd, WHEEZY_KEY.encode("UTF-8"))
apt.auth.add_key_from_file(keyname)
ret = apt.auth.list_keys()
self.assertEqual(len(ret), 1)
key = ret[0]
self.assertEqual(
key.name,
"Debian Archive Automatic Signing Key (7.0/wheezy) "
"<ftpmaster@debian.org>",
)
self.assertEqual(key.keyid, WHEEZY_KEYID)
self.assertEqual(key.date, WHEEZY_KEYDATE)
def test_add_key_from_keyserver_too_short(self):
"""Ensure that short keyids are not imported"""
with self.assertRaises(apt.auth.AptKeyIDTooShortError):
apt.auth.add_key_from_keyserver(WHEEZY_KEYID, "hkp://localhost:19191")
with self.assertRaises(apt.auth.AptKeyIDTooShortError):
apt.auth.add_key_from_keyserver(
"0101010178F7FE5C3E65D8AF8B48AD624692555", "hkp://localhost:19191"
)
with self.assertRaises(apt.auth.AptKeyIDTooShortError):
apt.auth.add_key_from_keyserver(
"0x0101010178F7FE5C3E65D8AF8B48AD624692555", "hkp://localhost:19191"
)
with self.assertRaises(apt.auth.AptKeyIDTooShortError):
apt.auth.add_key_from_keyserver(
"0101 0101 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 555",
"hkp://localhost:19191",
)
def test_add_key_from_server_mitm(self):
"""Verify that the key fingerprint is verified after download"""
self._start_keyserver()
self.addCleanup(self._stop_keyserver)
with self.assertRaises(apt.auth.AptKeyError) as cm:
with self._discard_stderr():
apt.auth.add_key_from_keyserver(
"0101010178F7FE5C3E65D8AF8B48AD6246925553",
"hkp://localhost:%d" % self.keyserver_port,
)
self.assertTrue(
str(cm.exception).startswith(
"recv from 'hkp://localhost:%d' failed for '%s'"
% (self.keyserver_port, "0101010178F7FE5C3E65D8AF8B48AD6246925553")
),
cm.exception,
)
def testAddKeyFromServer(self):
"""Install a GnuPG key from a remote server."""
self._start_keyserver()
self.addCleanup(self._stop_keyserver)
with self._discard_stderr():
apt.auth.add_key_from_keyserver(
"0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553",
"hkp://localhost:%d" % self.keyserver_port,
)
ret = apt.auth.list_keys()
self.assertEqual(len(ret), 1)
key = ret[0]
self.assertEqual(
key.name,
"Debian Archive Automatic Signing Key (7.0/wheezy) "
"<ftpmaster@debian.org>",
)
self.assertEqual(key.keyid, WHEEZY_KEYID)
self.assertEqual(key.date, WHEEZY_KEYDATE)
def _start_keyserver(self):
"""Start a fake keyserver on http://localhost:19191
If port 19191 is unavailable, try successive ports until one is.
Store the port actually in use in self.keyserver_port.
Thanks pitti.
"""
dir = tempfile.mkdtemp()
self.addCleanup(shutil.rmtree, dir)
os.mkdir(os.path.join(dir, "pks"))
with open(os.path.join(dir, "pks", "lookup"), "w") as key_file:
key_file.write(WHEEZY_KEY)
keyserver_pipe = os.pipe()
self.keyserver_pid = os.fork()
if self.keyserver_pid == 0:
os.close(keyserver_pipe[0])
# quiesce server log
os.dup2(os.open("/dev/null", os.O_WRONLY), sys.stderr.fileno())
os.chdir(dir)
for port in itertools.count(19191):
try:
httpd = HTTPServer(("localhost", port), HTTPRequestHandler)
break
except OSError as e:
if e.errno != errno.EADDRINUSE:
raise
keyserver_write = os.fdopen(keyserver_pipe[1], "w")
print(port, file=keyserver_write)
keyserver_write.close()
httpd.serve_forever()
os._exit(0)
os.close(keyserver_pipe[1])
keyserver_read = os.fdopen(keyserver_pipe[0])
self.keyserver_port = int(keyserver_read.readline())
keyserver_read.close()
# temporarily disable proxy, as gnupg does not get along with that
# (LP #789049)
self.orig_proxy = os.environ.get("http_proxy")
try:
del os.environ["http_proxy"]
except KeyError:
pass
# wait a bit until server is ready
time.sleep(0.5)
def _stop_keyserver(self):
"""Stop fake keyserver"""
assert self.keyserver_pid
os.kill(self.keyserver_pid, 15)
os.wait()
# restore proxy
if self.orig_proxy is not None:
os.environ["http_proxy"] = self.orig_proxy
if __name__ == "__main__":
unittest.main()
|