]> git.saurik.com Git - apt.git/blame - test/integration/test-releasefile-verification
support arch:all data e.g. in separate Packages file
[apt.git] / test / integration / test-releasefile-verification
CommitLineData
fe0f7911
DK
1#!/bin/sh
2set -e
3
4TESTDIR=$(readlink -f $(dirname $0))
5. $TESTDIR/framework
6
7setupenvironment
8configarchitecture "i386"
9
10buildaptarchive
11setupflataptarchive
12changetowebserver
13
f2c0ec8b 14webserverconfig 'aptwebserver::support::range' 'false'
331e8396 15
fe0f7911
DK
16prepare() {
17 local DATE="${2:-now}"
331e8396
DK
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
fe0f7911
DK
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412 26 touch -d 'now - 1 year' "$release"
fe0f7911 27 done
8de79b68 28 aptget clean
63c71412 29 cp "$1" aptarchive/Packages
fe0f7911 30 find aptarchive -name 'Release' -delete
331e8396 31 compressfile 'aptarchive/Packages' "$DATE"
fe0f7911
DK
32 generatereleasefiles "$DATE"
33}
34
35installaptold() {
6c0765c0 36 testsuccessequal "Reading package lists...
fe0f7911
DK
37Building dependency tree...
38Suggested packages:
9112f777 39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
40The following NEW packages will be installed:
41 apt
420 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43After this operation, 5370 kB of additional disk space will be used.
6c0765c0
DK
44Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45Download complete and in download only mode" aptget install apt -dy
fe0f7911
DK
46}
47
48installaptnew() {
6c0765c0 49 testsuccessequal "Reading package lists...
fe0f7911
DK
50Building dependency tree...
51Suggested packages:
9112f777 52 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
53The following NEW packages will be installed:
54 apt
550 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
56After this operation, 5808 kB of additional disk space will be used.
6c0765c0
DK
57Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
58Download complete and in download only mode" aptget install apt -dy
fe0f7911
DK
59}
60
61failaptold() {
25b86db1 62 testfailureequal 'Reading package lists...
fe0f7911
DK
63Building dependency tree...
64Suggested packages:
9112f777 65 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
66The following NEW packages will be installed:
67 apt
680 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
69After this operation, 5370 kB of additional disk space will be used.
70WARNING: The following packages cannot be authenticated!
71 apt
b381a482 72E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911
DK
73}
74
75failaptnew() {
25b86db1 76 testfailureequal 'Reading package lists...
fe0f7911
DK
77Building dependency tree...
78Suggested packages:
9112f777 79 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
80The following NEW packages will be installed:
81 apt
820 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
83After this operation, 5808 kB of additional disk space will be used.
84WARNING: The following packages cannot be authenticated!
85 apt
b381a482 86E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911
DK
87}
88
89# fake our downloadable file
90touch aptarchive/apt.deb
91
63c71412 92PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
fe0f7911 93
6bf93605 94updatewithwarnings() {
4e03c47d 95 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605 96 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396
DK
97}
98
fe0f7911 99runtest() {
63c71412 100 prepare "${PKGFILE}"
fe0f7911
DK
101 rm -rf rootdir/var/lib/apt/lists
102 signreleasefiles 'Joe Sixpack'
103 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
104 msgmsg 'Cold archive signed by' 'Joe Sixpack'
105 testsuccess aptget update
63c71412 106 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
107" aptcache show apt
108 installaptold
109
63c71412 110 prepare "${PKGFILE}-new"
fe0f7911
DK
111 signreleasefiles 'Joe Sixpack'
112 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
113 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
114 testsuccess aptget update
63c71412 115 testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911
DK
116" aptcache show apt
117 installaptnew
118
63c71412 119 prepare "${PKGFILE}"
29a59c46
DK
120 rm -rf rootdir/var/lib/apt/lists
121 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
122 signreleasefiles 'Rex Expired'
123 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
124 msgmsg 'Cold archive signed by' 'Rex Expired'
125 updatewithwarnings '^W: .* KEYEXPIRED'
63c71412 126 testsuccessequal "$(cat "${PKGFILE}")
29a59c46
DK
127" aptcache show apt
128 failaptold
129 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911 130
63c71412 131 prepare "${PKGFILE}"
fe0f7911
DK
132 rm -rf rootdir/var/lib/apt/lists
133 signreleasefiles 'Marvin Paranoid'
134 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
135 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
136 updatewithwarnings '^W: .* NO_PUBKEY'
63c71412 137 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
138" aptcache show apt
139 failaptold
140
63c71412 141 prepare "${PKGFILE}-new"
fe0f7911
DK
142 signreleasefiles 'Joe Sixpack'
143 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
144 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
145 testsuccess aptget update
63c71412 146 testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911
DK
147" aptcache show apt
148 installaptnew
149
150
63c71412 151 prepare "${PKGFILE}"
fe0f7911
DK
152 rm -rf rootdir/var/lib/apt/lists
153 signreleasefiles 'Joe Sixpack'
154 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
155 msgmsg 'Cold archive signed by' 'Joe Sixpack'
156 testsuccess aptget update
63c71412 157 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
158" aptcache show apt
159 installaptold
160
63c71412 161 prepare "${PKGFILE}-new"
fe0f7911
DK
162 signreleasefiles 'Marvin Paranoid'
163 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
164 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
165 updatewithwarnings '^W: .* NO_PUBKEY'
63c71412 166 testsuccessequal "$(cat "${PKGFILE}")
29a59c46
DK
167" aptcache show apt
168 installaptold
169
63c71412 170 prepare "${PKGFILE}-new"
29a59c46
DK
171 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
172 signreleasefiles 'Rex Expired'
173 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
174 msgmsg 'Good warm archive signed by' 'Rex Expired'
175 updatewithwarnings '^W: .* KEYEXPIRED'
63c71412 176 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
177" aptcache show apt
178 installaptold
29a59c46
DK
179 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
180
63c71412 181 prepare "${PKGFILE}-new"
29a59c46
DK
182 signreleasefiles
183 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605
DK
184 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
185 testsuccess aptget update
63c71412 186 testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46
DK
187" aptcache show apt
188 installaptnew
b0d40854 189
63c71412 190 prepare "${PKGFILE}"
b0d40854
DK
191 rm -rf rootdir/var/lib/apt/lists
192 signreleasefiles 'Marvin Paranoid'
193 find aptarchive/ -name "$DELETEFILE" -delete
194 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
195 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
196 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
197 testsuccess aptget update -o Debug::pkgAcquire::Worker=1
63c71412 198 testsuccessequal "$(cat "${PKGFILE}")
b0d40854
DK
199" aptcache show apt
200 installaptold
201
202 rm -rf rootdir/var/lib/apt/lists
203 signreleasefiles 'Joe Sixpack'
204 find aptarchive/ -name "$DELETEFILE" -delete
205 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
206 updatewithwarnings '^W: .* NO_PUBKEY'
207
208 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
209 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
210
63c71412 211 prepare "${PKGFILE}"
b0d40854
DK
212 rm -rf rootdir/var/lib/apt/lists
213 signreleasefiles 'Marvin Paranoid'
214 find aptarchive/ -name "$DELETEFILE" -delete
215 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
216 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
217 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
218 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
63c71412 219 testsuccessequal "$(cat "${PKGFILE}")
b0d40854
DK
220" aptcache show apt
221 installaptold
222 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
223
224 rm -rf rootdir/var/lib/apt/lists
225 signreleasefiles 'Joe Sixpack'
226 find aptarchive/ -name "$DELETEFILE" -delete
227 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
4e03c47d 228 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854
DK
229
230 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
fe0f7911
DK
231}
232
43c1ca5d 233runtest2() {
63c71412 234 prepare "${PKGFILE}"
43c1ca5d
SR
235 rm -rf rootdir/var/lib/apt/lists
236 signreleasefiles 'Joe Sixpack'
6bf93605
DK
237 msgmsg 'Cold archive signed by' 'Joe Sixpack'
238 testsuccess aptget update
43c1ca5d
SR
239
240 # New .deb but now an unsigned archive. For example MITM to circumvent
241 # package verification.
63c71412 242 prepare "${PKGFILE}-new"
43c1ca5d
SR
243 find aptarchive/ -name InRelease -delete
244 find aptarchive/ -name Release.gpg -delete
6bf93605
DK
245 msgmsg 'Warm archive signed by' 'nobody'
246 updatewithwarnings 'W: .* no longer signed.'
63c71412 247 testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d
SR
248" aptcache show apt
249 failaptnew
250
251 # Unsigned archive from the beginning must also be detected.
252 rm -rf rootdir/var/lib/apt/lists
6bf93605
DK
253 msgmsg 'Cold archive signed by' 'nobody'
254 updatewithwarnings 'W: .* is not signed.'
63c71412 255 testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d
SR
256" aptcache show apt
257 failaptnew
258}
43c1ca5d 259
e8b1db38
MV
260# diable some protection by default and ensure we still do the verification
261# correctly
262cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
263Acquire::AllowInsecureRepositories "1";
264Acquire::AllowDowngradeToInsecureRepositories "1";
265EOF
266
3a8776a3 267msgmsg "Running base test"
e8b1db38 268runtest2
43c1ca5d 269
fe0f7911 270DELETEFILE="InRelease"
e8b1db38 271msgmsg "Running test with deletion of $DELETEFILE"
fe0f7911 272runtest
e8b1db38 273
e3c62328 274DELETEFILE="Release.gpg"
e8b1db38 275msgmsg "Running test with deletion of $DELETEFILE"
e3c62328 276runtest