Diffstat (limited to 'tests/verify.test')
-rw-r--r--tests/verify.test437
1 files changed, 437 insertions, 0 deletions
diff --git a/tests/verify.test b/tests/verify.test
new file mode 100644
index 0000000..949e25d
--- /dev/null
+++ b/tests/verify.test
@@ -0,0 +1,437 @@
+set -u
+. "$TESTSDIR"/test.inc
+
+mkdir gpgtestdir
+chmod go-rwx gpgtestdir
+export GNUPGHOME="`pwd`/gpgtestdir"
+gpg --import $TESTSDIR/good.key $TESTSDIR/evil.key $TESTSDIR/expired.key $TESTSDIR/revoked.key $TESTSDIR/expiredwithsubkey-working.key $TESTSDIR/withsubkeys-works.key
+
+CURDATE="$(date +"%Y-%m-%d")"
+
+mkdir conf lists
+cat > conf/distributions <<CONFEND
+Codename: Test
+Architectures: source
+Components: everything
+Update: rule otherrule
+CONFEND
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: 111
+Suite: test
+
+Name: rule
+From: commonbase
+
+Name: otherrule
+From: commonbase
+CONFEND
+
+testrun - -b . update Test 3<<EOF
+return 255
+stdout
+$(odb)
+stderr
+*=Error: Too short key id '111' in VerifyRelease condition '111'!
+-v0*=There have been errors!
+EOF
+
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: 11111111 22222222
+Suite: test
+
+Name: rule
+From: commonbase
+
+Name: otherrule
+From: commonbase
+CONFEND
+
+testrun - -b . update Test 3<<EOF
+return 255
+stdout
+stderr
+*=Error: Space separated key-ids in VerifyRelease condition '11111111 22222222'!
+*=(Alternate keys can be separated with '|'. Do not put spaces in key-ids.)
+-v0*=There have been errors!
+EOF
+
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: 11111111
+Suite: test
+
+Name: rule
+From: commonbase
+
+Name: otherrule
+From: commonbase
+CONFEND
+
+testrun - -b . update Test 3<<EOF
+return 249
+stdout
+stderr
+*=Error: unknown key '11111111'!
+-v0*=There have been errors!
+EOF
+
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: 11111111
+
+Name: rule
+From: commonbase
+VerifyRelease: DC3C29B8|685AF714
+Suite: test
+
+Name: otherrule
+From: commonbase
+VerifyRelease: 685AF714|D04DD3D6
+Suite: test
+CONFEND
+
+mkdir test
+mkdir test/dists
+mkdir test/dists/test
+cat > test/dists/test/Release <<EOF
+Codename: test
+Components: everything
+Architectures: coal
+EOF
+
+gpg --list-secret-keys
+gpg --expert --sign --clearsign -u 60DDED5B -u D7A5D887 -u revoked@nowhere.tld --output test/dists/test/InRelease test/dists/test/Release
+gpg --expert --sign --clearsign -u 60DDED5B -u D7A5D887 -u good@nowhere.tld --output test/dists/test/InRelease.good test/dists/test/Release
+gpg --expert -a --sign --clearsign -u evil@nowhere.tld --output test/dists/test/InRelease.evil test/dists/test/Release
+
+rm -r gpgtestdir
+mkdir gpgtestdir
+chmod go-rwx gpgtestdir
+gpg --import $TESTSDIR/good.key $TESTSDIR/evil.key $TESTSDIR/expired.key $TESTSDIR/revoked.key $TESTSDIR/revoked.pkey $TESTSDIR/expiredwithsubkey.key $TESTSDIR/withsubkeys.key
+gpg --list-keys
+
+testrun - -b . update Test 3<<EOF
+return 255
+stderr
+*=VerifyRelease condition 'DC3C29B8|685AF714' lists revoked key '72F1D61F685AF714'.
+*=(To use it anyway, append it with a '!' to force usage).
+-v0*=There have been errors!
+stdout
+EOF
+
+sed -e 's/685AF714/&!/' -i conf/updates
+
+testrun - -b . update Test 3<<EOF
+return 255
+stderr
+*=VerifyRelease condition '685AF714!|D04DD3D6' lists expired key '894FA29DD04DD3D6'.
+*=(To use it anyway, append it with a '!' to force usage).
+-v0*=There have been errors!
+stdout
+EOF
+
+sed -e 's/D04DD3D6/&!/' -i conf/updates
+
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=Not accepting valid signature in './lists/commonbase_test_InRelease' with REVOKED '12D6C95C8C737389EAAF535972F1D61F685AF714'
+*=(To ignore it append a ! to the key and run reprepro with --ignore=revokedkey)
+*=ERROR: Condition '685AF714!|D04DD3D6!' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
+*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
+*='12D6C95C8C737389EAAF535972F1D61F685AF714' (signed ${CURDATE}): key revoced
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+testrun - --ignore=revokedkey -b . update Test 3<<EOF
+return 255
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=WARNING: valid signature in './lists/commonbase_test_InRelease' with revoked '12D6C95C8C737389EAAF535972F1D61F685AF714' is accepted as requested!
+*=Missing checksums in Release file './lists/commonbase_test_InRelease'!
+-v0*=There have been errors!
+stdout
+EOF
+
+cp test/dists/test/InRelease.good test/dists/test/InRelease
+
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=ERROR: Condition '685AF714!|D04DD3D6!' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
+*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
+*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+# different order
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: 11111111
+
+Name: rule
+From: commonbase
+VerifyRelease: 685AF714!|D04DD3D6!
+Suite: test
+
+Name: otherrule
+From: commonbase
+VerifyRelease: DC3C29B8|685AF714!
+Suite: test
+CONFEND
+
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=ERROR: Condition '685AF714!|D04DD3D6!' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
+*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
+*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+# now subkeys:
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: F62C6D3B
+
+Name: rule
+From: commonbase
+VerifyRelease: D7A5D887
+Suite: test
+
+Name: otherrule
+From: commonbase
+Suite: test
+CONFEND
+
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=ERROR: Condition 'F62C6D3B' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
+*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
+*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+sed -e 's/F62C6D3B/F62C6D3B+/' -i conf/updates
+
+testrun - -b . update Test 3<<EOF
+return 255
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=Missing checksums in Release file './lists/commonbase_test_InRelease'!
+-v0*=There have been errors!
+stdout
+EOF
+
+# now subkey of an expired key
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: 60DDED5B!
+
+Name: rule
+From: commonbase
+Suite: test
+
+Name: otherrule
+From: commonbase
+Suite: test
+CONFEND
+
+# gpgme no longer seems to distinguish expired and parent-expired:
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=Not accepting valid signature in './lists/commonbase_test_InRelease' with EXPIRED 'DCAD3A286F5178E2F4B09330A573FEB160DDED5B'
+*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredkey)
+*=ERROR: Condition '60DDED5B!' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
+*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
+*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+# now listing the expired key, of which we use an non-expired subkey
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: A260449A!+
+
+Name: rule
+From: commonbase
+Suite: test
+
+Name: otherrule
+From: commonbase
+Suite: test
+CONFEND
+
+# gpgme no longer seems to distinguish expired and parent-expired:
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=Not accepting valid signature in './lists/commonbase_test_InRelease' with EXPIRED 'DCAD3A286F5178E2F4B09330A573FEB160DDED5B'
+*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredkey)
+*=ERROR: Condition 'A260449A!+' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
+*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
+*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+# Now testing what happens when only signed with a totally different key:
+cp test/dists/test/InRelease.evil test/dists/test/InRelease
+
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=ERROR: Condition 'A260449A!+' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='FDC7D039CCC83CC4921112A09FA943670C672A4A' (signed ${CURDATE}): valid
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+# Now testing an expired signature:
+cat > conf/updates <<CONFEND
+Name: commonbase
+Method: file:$WORKDIR/test
+VerifyRelease: F62C6D3B+
+
+Name: rule
+From: commonbase
+VerifyRelease: F62C6D3B
+Suite: test
+
+Name: otherrule
+From: commonbase
+Suite: test
+CONFEND
+
+# expired signatures are not that easy to fake, so cat it:
+cat > test/dists/test/InRelease <<'EOF'
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Codename: test
+Components: everything
+Architectures: coal
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iKIEAQECAAwFAk+6EiEFgwABUYAACgkQFU9je/YsbTv4LgP8DkaRBhBG7+JDD1N1
+GANCsth4rzKDfpyMrttFjW6Ra9QegDdnHyLz09IL5Hyzmst4s8DQ69q2LyZaQt3+
+0C2OG9iQ2GjQt8xvppDufvymFpqTbqnGn/LeG6KjP542Su8XZxptFPT2DyPNCe0W
+Vz5f8yupwc67sAWj/qhmBEpZp9E=
+=025V
+-----END PGP SIGNATURE-----
+EOF
+
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=Not accepting valid but EXPIRED signature in './lists/commonbase_test_InRelease' with '2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B'
+*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredsignature)
+*=ERROR: Condition 'F62C6D3B+' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B' (signed 2012-05-21): expired signature (since 2012-05-22)
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+testrun - --ignore=expiredsignature -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=Not accepting valid but EXPIRED signature in './lists/commonbase_test_InRelease' with '2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B'
+*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredsignature)
+*=ERROR: Condition 'F62C6D3B+' not fulfilled for './lists/commonbase_test_InRelease'.
+*=Signatures in './lists/commonbase_test_InRelease':
+*='2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B' (signed 2012-05-21): expired signature (since 2012-05-22)
+*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+sed -e 's/F62C6D3B/&!/' -i conf/updates
+
+testrun - --ignore=expiredsignature -b . update Test 3<<EOF
+return 255
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=WARNING: valid but expired signature in './lists/commonbase_test_InRelease' with '2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B' is accepted as requested!
+*=Missing checksums in Release file './lists/commonbase_test_InRelease'!
+-v0*=There have been errors!
+stdout
+EOF
+
+#empty file:
+cat > test/dists/test/InRelease <<EOF
+EOF
+
+testrun - -b . update Test 3<<EOF
+return 250
+stderr
+-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
+-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
+*=Error: Not enough signatures found for remote repository commonbase (file:$WORKDIR/test test)!
+-v0*=There have been errors!
+stdout
+EOF
+
+rm -rf db conf gpgtestdir gpgtestdir lists test
+
+testsuccess
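Review bot: None of the cases added here feeds reprepro an InRelease whose signed text was altered after signing, so the script pins the revoked, expired, foreign-key, expired-signature and empty-file paths but never the plain bad-signature path; a case that changes one line in the body of a copy of `InRelease.good` before the final `rm -rf` would close that gap, with the expected stderr taken from an actual run. `--ignore=expiredkey` is advertised in the expected messages for the `60DDED5B!` and `A260449A!+` conditions but is never passed, unlike `--ignore=revokedkey` and `--ignore=expiredsignature`, so the override for expired keys is untested. Every VerifyRelease condition uses an 8-hex-digit key id, which is short enough to collide, so at least one case written with a full fingerprint would be worth adding if the parser accepts that form. Smaller points: `$TESTSDIR` is unquoted in both `gpg --import` lines although it is quoted on the `. "$TESTSDIR"/test.inc` line, and the final `rm -rf` names `gpgtestdir` twice.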