summaryrefslogtreecommitdiffstats
path: root/test/integration/test-releasefile-date-older
diff options
context:
space:
mode:
Diffstat (limited to 'test/integration/test-releasefile-date-older')
-rwxr-xr-xtest/integration/test-releasefile-date-older132
1 files changed, 132 insertions, 0 deletions
diff --git a/test/integration/test-releasefile-date-older b/test/integration/test-releasefile-date-older
new file mode 100755
index 0000000..81c71ea
--- /dev/null
+++ b/test/integration/test-releasefile-date-older
@@ -0,0 +1,132 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'wheezy' 'apt' 'all' '0.8.15'
+
+setupaptarchive --no-update
+
+# we don't complain as the server could have just sent a 'Hit' here and this
+# 'downgrade attack' is usually performed by out-of-sync mirrors. Valid-Until
+# catches the 'real' downgrade attacks (expect that it finds stale mirrors).
+# Scaring users with an error here serves hence no point.
+
+msgmsg 'InRelease file is silently rejected if' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release.gpg file is silently rejected if' 'new Date is before old Date'
+export APT_DONT_SIGN='InRelease'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+unset APT_DONT_SIGN
+
+msgmsg 'Crisscross InRelease/Release.gpg file is silently rejected if' 'new Date is before old Date'
+export APT_DONT_SIGN='Release.gpg'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testsuccess aptget update
+export APT_DONT_SIGN='InRelease'
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+unset APT_DONT_SIGN
+
+msgmsg 'Crisscross Release.gpg/InRelease file is silently rejected if' 'new Date is before old Date'
+export APT_DONT_SIGN='InRelease'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+find aptarchive -name 'InRelease' -delete
+testsuccess aptget update
+export APT_DONT_SIGN='Release.gpg'
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+unset APT_DONT_SIGN
+
+msgmsg 'Release file has' 'no Date and no Valid-Until field'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testwarning aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testwarning aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+sed -i '/^Codename: / a\
+Another-Field: yes' $(find aptarchive/ -name 'Release')
+touch -d 'now + 1 day' $(find aptarchive/ -name 'Release')
+signreleasefiles "${2:-Joe Sixpack}"
+testwarning aptget update
+testsuccess cmp $(find aptarchive/ -name 'InRelease') $(find rootdir/var/lib/apt/ -name '*_InRelease')
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until expired'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now - 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testfailure aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testfailure aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testfailure aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until is good'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update
+
+# the repo is now signed by unknown key, but marked as trusted
+rm -rf rootdir/etc/apt/trusted.gpg.d
+sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
+
+msgmsg 'Forgot to disable in follow-up' 'Check-Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now + 3 days' 'now + 7 days'
+signreleasefiles
+testfailure aptget update
+testwarning aptget update -o Acquire::Check-Date=no
+listcurrentlistsdirectory > listsdir.lst
+generatereleasefiles 'now + 5 days' 'now + 13 days'
+signreleasefiles
+testfailure aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testwarning aptget update -o Acquire::Check-Date=no
+testsuccess cmp "$(find aptarchive/ -name 'InRelease')" "$(find rootdir/var/lib/apt/ -name '*_Release')"
+
+msgmsg 'Force-Trusted InRelease file is silently ignored' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testwarning aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testwarning aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-04 19:26:47 +0000