[apt.git] / test / integration / test-releasefile-verification

#!/bin/sh
set -e

TESTDIR=$(readlink -f $(dirname $0))
. $TESTDIR/framework

setupenvironment
configarchitecture "i386"

buildaptarchive
setupflataptarchive
changetowebserver

webserverconfig 'aptwebserver::support::range' 'false'

prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		if [ "$1" = "${PKGFILE}-new" ]; then
			DATE='now - 1 day'
		else
			DATE='now - 7 day'
		fi
	fi
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' $release
	done
	aptget clean
	cp $1 aptarchive/Packages
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE"
}

installaptold() {
	testsuccessequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:8080  apt 0.7.25.3
Download complete and in download only mode' aptget install apt -dy
}

installaptnew() {
	testsuccessequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:8080  apt 0.8.0~pre1
Download complete and in download only mode' aptget install apt -dy
}

failaptold() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

failaptnew() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

# fake our downloadable file
touch aptarchive/apt.deb

PKGFILE="${TESTDIR}/$(echo "$(basename $0)" | sed 's#^test-#Packages-#')"

updatewithwarnings() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}

runtest() {
	prepare ${PKGFILE}
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	testsuccess aptget update
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	installaptold

	prepare ${PKGFILE}-new
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	testsuccess aptget update
	testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
	installaptnew

	prepare ${PKGFILE}
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by' 'Rex Expired'
	updatewithwarnings '^W: .* KEYEXPIRED'
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	failaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	prepare ${PKGFILE}
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	failaptold

	prepare ${PKGFILE}-new
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	testsuccess aptget update
	testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
	installaptnew


	prepare ${PKGFILE}
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	testsuccess aptget update
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	installaptold

	prepare ${PKGFILE}-new
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	installaptold

	prepare ${PKGFILE}-new
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Good warm archive signed by' 'Rex Expired'
	updatewithwarnings '^W: .* KEYEXPIRED'
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	prepare ${PKGFILE}-new
	signreleasefiles
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	testsuccess aptget update
	testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
	installaptnew

	prepare ${PKGFILE}
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	installaptold

	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	updatewithwarnings '^W: .* NO_PUBKEY'

	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"

	prepare ${PKGFILE}
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg

	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
}

runtest2() {
	prepare ${PKGFILE}
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	testsuccess aptget update

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	prepare ${PKGFILE}-new
	find aptarchive/ -name InRelease -delete
	find aptarchive/ -name Release.gpg -delete
	msgmsg 'Warm archive signed by' 'nobody'
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	rm -rf rootdir/var/lib/apt/lists
	msgmsg 'Cold archive signed by' 'nobody'
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
	failaptnew
}

# diable some protection by default and ensure we still do the verification
# correctly
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF

msgmsg "Running base test"
runtest2

DELETEFILE="InRelease"
msgmsg "Running test with deletion of $DELETEFILE"
runtest

DELETEFILE="Release.gpg"
msgmsg "Running test with deletion of $DELETEFILE"
runtest
Commit	Line	Data
fe0f7911 DK	1	#!/bin/sh
	2	set -e
	3
	4	TESTDIR=$(readlink -f $(dirname $0))
	5	. $TESTDIR/framework
	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
	10	buildaptarchive
	11	setupflataptarchive
	12	changetowebserver
	13
f2c0ec8b	14	webserverconfig 'aptwebserver::support::range' 'false'
331e8396	15
fe0f7911 DK	16	prepare() {
fe0f7911 DK	17	local DATE="${2:-now}"
331e8396 DK	18	if [ "$DATE" = 'now' ]; then
	19	if [ "$1" = "${PKGFILE}-new" ]; then
	20	DATE='now - 1 day'
	21	else
	22	DATE='now - 7 day'
	23	fi
fe0f7911 DK	24	fi
fe0f7911 DK	25	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
331e8396	26	touch -d 'now - 1 year' $release
fe0f7911	27	done
8de79b68	28	aptget clean
fe0f7911 DK	29	cp $1 aptarchive/Packages
fe0f7911 DK	30	find aptarchive -name 'Release' -delete
331e8396	31	compressfile 'aptarchive/Packages' "$DATE"
fe0f7911 DK	32	generatereleasefiles "$DATE"
	33	}
	34
	35	installaptold() {
25b86db1	36	testsuccessequal 'Reading package lists...
fe0f7911 DK	37	Building dependency tree...
fe0f7911 DK	38	Suggested packages:
9112f777	39	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	40	The following NEW packages will be installed:
	41	apt
	42	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	43	After this operation, 5370 kB of additional disk space will be used.
1da3b7b8	44	Get:1 http://localhost:8080 apt 0.7.25.3
fe0f7911 DK	45	Download complete and in download only mode' aptget install apt -dy
	46	}
	47
	48	installaptnew() {
25b86db1	49	testsuccessequal 'Reading package lists...
fe0f7911 DK	50	Building dependency tree...
fe0f7911 DK	51	Suggested packages:
9112f777	52	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	53	The following NEW packages will be installed:
	54	apt
	55	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	56	After this operation, 5808 kB of additional disk space will be used.
1da3b7b8	57	Get:1 http://localhost:8080 apt 0.8.0~pre1
fe0f7911 DK	58	Download complete and in download only mode' aptget install apt -dy
	59	}
	60
	61	failaptold() {
25b86db1	62	testfailureequal 'Reading package lists...
fe0f7911 DK	63	Building dependency tree...
fe0f7911 DK	64	Suggested packages:
9112f777	65	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	66	The following NEW packages will be installed:
	67	apt
	68	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	69	After this operation, 5370 kB of additional disk space will be used.
	70	WARNING: The following packages cannot be authenticated!
	71	apt
b381a482	72	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	73	}
	74
	75	failaptnew() {
25b86db1	76	testfailureequal 'Reading package lists...
fe0f7911 DK	77	Building dependency tree...
fe0f7911 DK	78	Suggested packages:
9112f777	79	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	80	The following NEW packages will be installed:
	81	apt
	82	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	83	After this operation, 5808 kB of additional disk space will be used.
	84	WARNING: The following packages cannot be authenticated!
	85	apt
b381a482	86	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	87	}
	88
	89	# fake our downloadable file
	90	touch aptarchive/apt.deb
	91
	92	PKGFILE="${TESTDIR}/$(echo "$(basename $0)" \| sed 's#^test-#Packages-#')"
	93
6bf93605	94	updatewithwarnings() {
4e03c47d	95	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605	96	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396 DK	97	}
331e8396 DK	98
fe0f7911 DK	99	runtest() {
	100	prepare ${PKGFILE}
	101	rm -rf rootdir/var/lib/apt/lists
	102	signreleasefiles 'Joe Sixpack'
	103	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	104	msgmsg 'Cold archive signed by' 'Joe Sixpack'
6bf93605 DK	105	testsuccess aptget update
25b86db1	106	testsuccessequal "$(cat ${PKGFILE})
fe0f7911 DK	107	" aptcache show apt
	108	installaptold
	109
	110	prepare ${PKGFILE}-new
	111	signreleasefiles 'Joe Sixpack'
	112	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	113	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
6bf93605 DK	114	testsuccess aptget update
25b86db1	115	testsuccessequal "$(cat ${PKGFILE}-new)
fe0f7911 DK	116	" aptcache show apt
	117	installaptnew
	118
29a59c46 DK	119	prepare ${PKGFILE}
	120	rm -rf rootdir/var/lib/apt/lists
	121	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	122	signreleasefiles 'Rex Expired'
	123	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	124	msgmsg 'Cold archive signed by' 'Rex Expired'
6bf93605 DK	125	updatewithwarnings '^W: .* KEYEXPIRED'
25b86db1	126	testsuccessequal "$(cat ${PKGFILE})
29a59c46 DK	127	" aptcache show apt
	128	failaptold
	129	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911 DK	130
	131	prepare ${PKGFILE}
	132	rm -rf rootdir/var/lib/apt/lists
	133	signreleasefiles 'Marvin Paranoid'
	134	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	135	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
6bf93605 DK	136	updatewithwarnings '^W: .* NO_PUBKEY'
25b86db1	137	testsuccessequal "$(cat ${PKGFILE})
fe0f7911 DK	138	" aptcache show apt
	139	failaptold
	140
	141	prepare ${PKGFILE}-new
fe0f7911 DK	142	signreleasefiles 'Joe Sixpack'
fe0f7911 DK	143	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	144	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
6bf93605 DK	145	testsuccess aptget update
25b86db1	146	testsuccessequal "$(cat ${PKGFILE}-new)
fe0f7911 DK	147	" aptcache show apt
	148	installaptnew
	149
	150
	151	prepare ${PKGFILE}
	152	rm -rf rootdir/var/lib/apt/lists
	153	signreleasefiles 'Joe Sixpack'
	154	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	155	msgmsg 'Cold archive signed by' 'Joe Sixpack'
6bf93605 DK	156	testsuccess aptget update
25b86db1	157	testsuccessequal "$(cat ${PKGFILE})
fe0f7911 DK	158	" aptcache show apt
	159	installaptold
	160
	161	prepare ${PKGFILE}-new
	162	signreleasefiles 'Marvin Paranoid'
	163	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	164	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
6bf93605 DK	165	updatewithwarnings '^W: .* NO_PUBKEY'
25b86db1	166	testsuccessequal "$(cat ${PKGFILE})
29a59c46 DK	167	" aptcache show apt
	168	installaptold
	169
	170	prepare ${PKGFILE}-new
	171	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	172	signreleasefiles 'Rex Expired'
	173	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	174	msgmsg 'Good warm archive signed by' 'Rex Expired'
6bf93605 DK	175	updatewithwarnings '^W: .* KEYEXPIRED'
25b86db1	176	testsuccessequal "$(cat ${PKGFILE})
fe0f7911 DK	177	" aptcache show apt
fe0f7911 DK	178	installaptold
29a59c46 DK	179	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	180
	181	prepare ${PKGFILE}-new
	182	signreleasefiles
	183	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 DK	184	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
6bf93605 DK	185	testsuccess aptget update
25b86db1	186	testsuccessequal "$(cat ${PKGFILE}-new)
29a59c46 DK	187	" aptcache show apt
29a59c46 DK	188	installaptnew
b0d40854 DK	189
	190	prepare ${PKGFILE}
	191	rm -rf rootdir/var/lib/apt/lists
	192	signreleasefiles 'Marvin Paranoid'
	193	find aptarchive/ -name "$DELETEFILE" -delete
	194	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	195	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	196	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	197	testsuccess aptget update -o Debug::pkgAcquire::Worker=1
	198	testsuccessequal "$(cat ${PKGFILE})
	199	" aptcache show apt
	200	installaptold
	201
	202	rm -rf rootdir/var/lib/apt/lists
	203	signreleasefiles 'Joe Sixpack'
	204	find aptarchive/ -name "$DELETEFILE" -delete
	205	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	206	updatewithwarnings '^W: .* NO_PUBKEY'
	207
	208	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	209	local MARVIN="$(aptkey --keyring $MARVIN finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	210
	211	prepare ${PKGFILE}
	212	rm -rf rootdir/var/lib/apt/lists
	213	signreleasefiles 'Marvin Paranoid'
	214	find aptarchive/ -name "$DELETEFILE" -delete
	215	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	216	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	217	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	218	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	219	testsuccessequal "$(cat ${PKGFILE})
	220	" aptcache show apt
	221	installaptold
	222	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	223
	224	rm -rf rootdir/var/lib/apt/lists
	225	signreleasefiles 'Joe Sixpack'
	226	find aptarchive/ -name "$DELETEFILE" -delete
	227	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
4e03c47d	228	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854 DK	229
b0d40854 DK	230	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
fe0f7911 DK	231	}
fe0f7911 DK	232
43c1ca5d SR	233	runtest2() {
	234	prepare ${PKGFILE}
	235	rm -rf rootdir/var/lib/apt/lists
	236	signreleasefiles 'Joe Sixpack'
6bf93605 DK	237	msgmsg 'Cold archive signed by' 'Joe Sixpack'
6bf93605 DK	238	testsuccess aptget update
43c1ca5d SR	239
	240	# New .deb but now an unsigned archive. For example MITM to circumvent
	241	# package verification.
	242	prepare ${PKGFILE}-new
	243	find aptarchive/ -name InRelease -delete
	244	find aptarchive/ -name Release.gpg -delete
6bf93605 DK	245	msgmsg 'Warm archive signed by' 'nobody'
6bf93605 DK	246	updatewithwarnings 'W: .* no longer signed.'
25b86db1	247	testsuccessequal "$(cat ${PKGFILE}-new)
43c1ca5d SR	248	" aptcache show apt
	249	failaptnew
	250
	251	# Unsigned archive from the beginning must also be detected.
	252	rm -rf rootdir/var/lib/apt/lists
6bf93605 DK	253	msgmsg 'Cold archive signed by' 'nobody'
6bf93605 DK	254	updatewithwarnings 'W: .* is not signed.'
25b86db1	255	testsuccessequal "$(cat ${PKGFILE}-new)
43c1ca5d SR	256	" aptcache show apt
	257	failaptnew
	258	}
43c1ca5d	259
e8b1db38 MV	260	# diable some protection by default and ensure we still do the verification
	261	# correctly
	262	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	263	Acquire::AllowInsecureRepositories "1";
	264	Acquire::AllowDowngradeToInsecureRepositories "1";
	265	EOF
	266
3a8776a3	267	msgmsg "Running base test"
e8b1db38	268	runtest2
43c1ca5d	269
fe0f7911	270	DELETEFILE="InRelease"
e8b1db38	271	msgmsg "Running test with deletion of $DELETEFILE"
fe0f7911	272	runtest
e8b1db38	273
e3c62328	274	DELETEFILE="Release.gpg"
e8b1db38	275	msgmsg "Running test with deletion of $DELETEFILE"
e3c62328	276	runtest