[apt.git] / test / integration / test-releasefile-verification

#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

export APT_DONT_SIGN='Release.gpg'
buildaptarchive
setupflataptarchive
changetowebserver

prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		if [ "$1" = "${PKGFILE}-new" ]; then
			DATE='now - 1 day'
		else
			DATE='now - 7 day'
		fi
	fi
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' "$release"
	done
	aptget clean
	cp "$1" aptarchive/Packages
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE" 'now + 1 month'
}

installaptold() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.7.25.3
Download complete and in download only mode" aptget install apt -dy
}

installaptnew() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.8.0~pre1
Download complete and in download only mode" aptget install apt -dy
}

failaptold() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

failaptnew() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

# fake our downloadable file
touch aptarchive/apt.deb

PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"

updatewithwarnings() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}

runtest() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	if [ "$(id -u)" != '0' ]; then
		msgmsg 'Cold archive signed by' 'Joe Sixpack + unreadable key'
		rm -rf rootdir/var/lib/apt/lists
		echo 'foobar' > rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
		chmod 000 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
		updatewithwarnings '^W: .* is not readable by user'
		chmod 644 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
		rm -f rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		installaptold
	fi

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
		touch rootdir/etc/apt/apt.conf.d/99gnupg2
	elif gpg2 --version >/dev/null 2>&1; then
		echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
		if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
			rm rootdir/etc/apt/apt.conf.d/99gnupg2
		fi
	fi
	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
		updatewithwarnings '^W: .* EXPSIG'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	else
		msgskip 'Not a new enough gpg available providing --fake-system-time'
	fi

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	successfulaptgetupdate 'NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Rex Expired'
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	successfulaptgetupdate 'EXPKEYSIG'
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold

	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Rex Expired'
	prepare "${PKGFILE}-new"
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	updatewithwarnings '^W: .* NO_PUBKEY'
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*

	local MARVIN="$(aptkey --keyring $MARVIN finger --with-colons | grep '^fpr' | cut -d':' -f 10)"
	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
	successfulaptgetupdate 'NoPubKey: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger --with-colons | grep '^fpr' | cut -d':' -f 10)"
	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*

	rm -rf rootdir/var/lib/apt/lists-bak
	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'

	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	sed -i "/^Valid-Until: / a\
Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN} ${MARVIN}, \\
 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew
}

runtest2() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	msgmsg 'Warm archive signed by' 'nobody'
	prepare "${PKGFILE}-new"
	find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	msgmsg 'Cold archive signed by' 'nobody'
	rm -rf rootdir/var/lib/apt/lists
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew
}

runtest3() {
	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	msgmsg "Running base test with $1 digest"
	runtest2

	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		export APT_DONT_SIGN="$DELETEFILE"
		msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
		runtest
		export APT_DONT_SIGN='Release.gpg'
	done
}

# diable some protection by default and ensure we still do the verification
# correctly
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF
# the hash marked as configurable in our gpgv method
export APT_TESTS_DIGEST_ALGO='SHA224'

successfulaptgetupdate() {
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		cp rootdir/tmp/testsuccess.output aptupdate.output
		testsuccess grep "$1" aptupdate.output
	fi
}
runtest3 'Trusted'

successfulaptgetupdate() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		testsuccess grep "$1" rootdir/tmp/testwarning.output
	fi
	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
runtest3 'Weak'

msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
runfailure() {
	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		export APT_DONT_SIGN="$DELETEFILE"
		msgmsg 'Cold archive signed by' 'Joe Sixpack'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack'
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
		testnopackage 'apt'
		testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold
		rm -rf rootdir/var/lib/apt/lists
		sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
		testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold
		sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*

		msgmsg 'Cold archive signed by' 'Marvin Paranoid'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Marvin Paranoid'
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testnopackage 'apt'
		updatewithwarnings '^W: .* NO_PUBKEY'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		export APT_DONT_SIGN='Release.gpg'
	done
}
runfailure

msgmsg "Running test with gpgv-untrusted digest"
export APT_TESTS_DIGEST_ALGO='MD5'
runfailure
Commit	Line	Data
fe0f7911 DK	1	#!/bin/sh
	2	set -e
	3
3abb6a6a DK	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
3abb6a6a DK	5	. "$TESTDIR/framework"
fe0f7911 DK	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
5a23c56d	10	export APT_DONT_SIGN='Release.gpg'
fe0f7911 DK	11	buildaptarchive
	12	setupflataptarchive
	13	changetowebserver
	14
	15	prepare() {
	16	local DATE="${2:-now}"
331e8396 DK	17	if [ "$DATE" = 'now' ]; then
	18	if [ "$1" = "${PKGFILE}-new" ]; then
	19	DATE='now - 1 day'
	20	else
	21	DATE='now - 7 day'
	22	fi
fe0f7911 DK	23	fi
fe0f7911 DK	24	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412	25	touch -d 'now - 1 year' "$release"
fe0f7911	26	done
8de79b68	27	aptget clean
63c71412	28	cp "$1" aptarchive/Packages
fe0f7911	29	find aptarchive -name 'Release' -delete
331e8396	30	compressfile 'aptarchive/Packages' "$DATE"
89901946	31	generatereleasefiles "$DATE" 'now + 1 month'
fe0f7911 DK	32	}
	33
	34	installaptold() {
46e00c90	35	rm -rf rootdir/var/cache/apt/archives
6c0765c0	36	testsuccessequal "Reading package lists...
fe0f7911 DK	37	Building dependency tree...
fe0f7911 DK	38	Suggested packages:
9112f777	39	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	40	The following NEW packages will be installed:
	41	apt
	42	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	43	After this operation, 5370 kB of additional disk space will be used.
6c0765c0 DK	44	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
6c0765c0 DK	45	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	46	}
	47
	48	installaptnew() {
89901946	49	rm -rf rootdir/var/cache/apt/archives
6c0765c0	50	testsuccessequal "Reading package lists...
fe0f7911 DK	51	Building dependency tree...
fe0f7911 DK	52	Suggested packages:
9112f777	53	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	54	The following NEW packages will be installed:
	55	apt
	56	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	57	After this operation, 5808 kB of additional disk space will be used.
6c0765c0 DK	58	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
6c0765c0 DK	59	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	60	}
	61
	62	failaptold() {
25b86db1	63	testfailureequal 'Reading package lists...
fe0f7911 DK	64	Building dependency tree...
fe0f7911 DK	65	Suggested packages:
9112f777	66	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	67	The following NEW packages will be installed:
	68	apt
	69	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	70	After this operation, 5370 kB of additional disk space will be used.
	71	WARNING: The following packages cannot be authenticated!
	72	apt
b381a482	73	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	74	}
	75
	76	failaptnew() {
25b86db1	77	testfailureequal 'Reading package lists...
fe0f7911 DK	78	Building dependency tree...
fe0f7911 DK	79	Suggested packages:
9112f777	80	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	81	The following NEW packages will be installed:
	82	apt
	83	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	84	After this operation, 5808 kB of additional disk space will be used.
	85	WARNING: The following packages cannot be authenticated!
	86	apt
b381a482	87	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	88	}
	89
	90	# fake our downloadable file
	91	touch aptarchive/apt.deb
	92
63c71412	93	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
fe0f7911	94
6bf93605	95	updatewithwarnings() {
4e03c47d	96	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605	97	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396 DK	98	}
331e8396 DK	99
fe0f7911	100	runtest() {
8fa99570	101	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	102	prepare "${PKGFILE}"
fe0f7911 DK	103	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	104	signreleasefiles 'Joe Sixpack'
8fa99570	105	successfulaptgetupdate
63c71412	106	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	107	" aptcache show apt
	108	installaptold
	109
29c59095 DK	110	if [ "$(id -u)" != '0' ]; then
	111	msgmsg 'Cold archive signed by' 'Joe Sixpack + unreadable key'
	112	rm -rf rootdir/var/lib/apt/lists
	113	echo 'foobar' > rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
	114	chmod 000 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
	115	updatewithwarnings '^W: .* is not readable by user'
	116	chmod 644 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
	117	rm -f rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
	118	testsuccessequal "$(cat "${PKGFILE}")
	119	" aptcache show apt
	120	installaptold
	121	fi
	122
8fa99570	123	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	124	prepare "${PKGFILE}-new"
fe0f7911	125	signreleasefiles 'Joe Sixpack'
8fa99570	126	successfulaptgetupdate
63c71412	127	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	128	" aptcache show apt
	129	installaptnew
	130
8fa99570	131	msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412	132	prepare "${PKGFILE}"
29a59c46 DK	133	rm -rf rootdir/var/lib/apt/lists
	134	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	135	signreleasefiles 'Rex Expired'
f13b413a	136	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	137	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	138	" aptcache show apt
29a59c46 DK	139	failaptold
fb7b11eb	140	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911	141
1af227c2 DK	142	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	143	if dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	144	touch rootdir/etc/apt/apt.conf.d/99gnupg2
	145	elif gpg2 --version >/dev/null 2>&1; then
	146	echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
	147	if ! dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	148	rm rootdir/etc/apt/apt.conf.d/99gnupg2
	149	fi
	150	fi
	151	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
	152	prepare "${PKGFILE}"
	153	rm -rf rootdir/var/lib/apt/lists
	154	signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
1af227c2 DK	155	updatewithwarnings '^W: .* EXPSIG'
	156	testsuccessequal "$(cat "${PKGFILE}")
	157	" aptcache show apt
	158	failaptold
	159	rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	160	else
	161	msgskip 'Not a new enough gpg available providing --fake-system-time'
	162	fi
	163
fb7b11eb DK	164	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	165	prepare "${PKGFILE}"
	166	rm -rf rootdir/var/lib/apt/lists
	167	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
fb7b11eb DK	168	successfulaptgetupdate 'NO_PUBKEY'
	169	testsuccessequal "$(cat "${PKGFILE}")
	170	" aptcache show apt
	171	installaptold
	172
	173	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	174	prepare "${PKGFILE}"
	175	rm -rf rootdir/var/lib/apt/lists
	176	signreleasefiles 'Joe Sixpack,Rex Expired'
fb7b11eb DK	177	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	178	successfulaptgetupdate 'EXPKEYSIG'
	179	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	180	testsuccessequal "$(cat "${PKGFILE}")
	181	" aptcache show apt
	182	installaptold
	183
8fa99570	184	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412	185	prepare "${PKGFILE}"
fe0f7911 DK	186	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	187	signreleasefiles 'Marvin Paranoid'
6bf93605	188	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	189	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	190	" aptcache show apt
	191	failaptold
	192
8fa99570	193	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412	194	prepare "${PKGFILE}-new"
fe0f7911	195	signreleasefiles 'Joe Sixpack'
8fa99570	196	successfulaptgetupdate
63c71412	197	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	198	" aptcache show apt
	199	installaptnew
	200
8fa99570	201	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	202	prepare "${PKGFILE}"
fe0f7911 DK	203	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	204	signreleasefiles 'Joe Sixpack'
8fa99570	205	successfulaptgetupdate
63c71412	206	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	207	" aptcache show apt
	208	installaptold
	209
8fa99570	210	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412	211	prepare "${PKGFILE}-new"
fe0f7911	212	signreleasefiles 'Marvin Paranoid'
6bf93605	213	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	214	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	215	" aptcache show apt
	216	installaptold
	217
8fa99570	218	msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412	219	prepare "${PKGFILE}-new"
29a59c46 DK	220	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	221	signreleasefiles 'Rex Expired'
f13b413a	222	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	223	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	224	" aptcache show apt
fe0f7911 DK	225	installaptold
29a59c46 DK	226	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	227
8fa99570	228	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	229	prepare "${PKGFILE}-new"
29a59c46	230	signreleasefiles
8fa99570	231	successfulaptgetupdate
63c71412	232	testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46 DK	233	" aptcache show apt
29a59c46 DK	234	installaptnew
b0d40854	235
8fa99570	236	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412	237	prepare "${PKGFILE}"
b0d40854 DK	238	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	239	signreleasefiles 'Marvin Paranoid'
b0d40854 DK	240	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
b0d40854 DK	241	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570	242	successfulaptgetupdate
63c71412	243	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	244	" aptcache show apt
	245	installaptold
	246
8fa99570	247	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854 DK	248	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	249	signreleasefiles 'Joe Sixpack'
b0d40854	250	updatewithwarnings '^W: .* NO_PUBKEY'
b0d40854	251	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
46e00c90	252
19fdf93d	253	local MARVIN="$(aptkey --keyring $MARVIN finger --with-colons \| grep '^fpr' \| cut -d':' -f 10)"
46e00c90 DK	254	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	255	rm -rf rootdir/var/lib/apt/lists
	256	signreleasefiles 'Joe Sixpack'
46e00c90 DK	257	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
46e00c90 DK	258	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854	259
8fa99570	260	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
b0d40854 DK	261	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	262	signreleasefiles 'Marvin Paranoid'
b0d40854	263	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570	264	successfulaptgetupdate
63c71412	265	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	266	" aptcache show apt
b0d40854 DK	267	installaptold
b0d40854	268
46e00c90 DK	269	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	270	rm -rf rootdir/var/lib/apt/lists
	271	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
46e00c90 DK	272	successfulaptgetupdate 'NoPubKey: GOODSIG'
	273	testsuccessequal "$(cat "${PKGFILE}")
	274	" aptcache show apt
	275	installaptold
	276
19fdf93d	277	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger --with-colons \| grep '^fpr' \| cut -d':' -f 10)"
46e00c90	278	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
b0d40854 DK	279	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	280	signreleasefiles 'Joe Sixpack'
46e00c90 DK	281	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	282	successfulaptgetupdate
	283	testsuccessequal "$(cat "${PKGFILE}")
	284	" aptcache show apt
	285	installaptold
	286
46e00c90 DK	287	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	288	rm -rf rootdir/var/lib/apt/lists
	289	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	290	successfulaptgetupdate
	291	testsuccessequal "$(cat "${PKGFILE}")
	292	" aptcache show apt
	293	installaptold
	294	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	295	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
b0d40854	296
89901946 DK	297	rm -rf rootdir/var/lib/apt/lists-bak
	298	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	299	prepare "${PKGFILE}-new"
	300	signreleasefiles 'Joe Sixpack'
89901946 DK	301
	302	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	303	sed -i "/^Valid-Until: / a\
	304	Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	305	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	306	successfulaptgetupdate
	307	testsuccessequal "$(cat "${PKGFILE}-new")
	308	" aptcache show apt
	309	installaptnew
	310
	311	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	312	rm -rf rootdir/var/lib/apt/lists
	313	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	314	sed -i "/^Valid-Until: / a\
	315	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	316	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	317	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	318	testsuccessequal "$(cat "${PKGFILE}")
	319	" aptcache show apt
	320	installaptold
	321
	322	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	323	rm -rf rootdir/var/lib/apt/lists
	324	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	325	sed -i "/^Valid-Until: / a\
	326	Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
	327	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	328	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	329	successfulaptgetupdate
	330	testsuccessequal "$(cat "${PKGFILE}-new")
	331	" aptcache show apt
	332	installaptnew
	333
	334	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	335	rm -rf rootdir/var/lib/apt/lists
	336	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	337	sed -i "/^Valid-Until: / a\
	338	Signed-By: ${MARVIN} ${MARVIN}, \\
	339	${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	340	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	341	successfulaptgetupdate
	342	testsuccessequal "$(cat "${PKGFILE}-new")
	343	" aptcache show apt
	344	installaptnew
fe0f7911 DK	345	}
fe0f7911 DK	346
43c1ca5d	347	runtest2() {
8fa99570	348	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	349	prepare "${PKGFILE}"
43c1ca5d SR	350	rm -rf rootdir/var/lib/apt/lists
43c1ca5d SR	351	signreleasefiles 'Joe Sixpack'
8fa99570	352	successfulaptgetupdate
43c1ca5d SR	353
	354	# New .deb but now an unsigned archive. For example MITM to circumvent
	355	# package verification.
8fa99570	356	msgmsg 'Warm archive signed by' 'nobody'
63c71412	357	prepare "${PKGFILE}-new"
761a5ad2	358	find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
6bf93605	359	updatewithwarnings 'W: .* no longer signed.'
63c71412	360	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	361	" aptcache show apt
	362	failaptnew
	363
	364	# Unsigned archive from the beginning must also be detected.
6bf93605	365	msgmsg 'Cold archive signed by' 'nobody'
8fa99570	366	rm -rf rootdir/var/lib/apt/lists
6bf93605	367	updatewithwarnings 'W: .* is not signed.'
63c71412	368	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	369	" aptcache show apt
	370	failaptnew
	371	}
43c1ca5d	372
8fa99570	373	runtest3() {
6a4958d3	374	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a	375	msgmsg "Running base test with $1 digest"
8fa99570 DK	376	runtest2
8fa99570 DK	377
08b7761a	378	for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2	379	export APT_DONT_SIGN="$DELETEFILE"
08b7761a	380	msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
761a5ad2	381	runtest
5a23c56d	382	export APT_DONT_SIGN='Release.gpg'
08b7761a	383	done
8fa99570 DK	384	}
8fa99570 DK	385
e8b1db38 MV	386	# diable some protection by default and ensure we still do the verification
	387	# correctly
	388	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	389	Acquire::AllowInsecureRepositories "1";
	390	Acquire::AllowDowngradeToInsecureRepositories "1";
	391	EOF
196d590a	392	# the hash marked as configurable in our gpgv method
08b7761a	393	export APT_TESTS_DIGEST_ALGO='SHA224'
e8b1db38	394
8fa99570 DK	395	successfulaptgetupdate() {
8fa99570 DK	396	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	397	if [ -n "$1" ]; then
	398	cp rootdir/tmp/testsuccess.output aptupdate.output
	399	testsuccess grep "$1" aptupdate.output
	400	fi
8fa99570	401	}
6a4958d3	402	runtest3 'Trusted'
e8b1db38	403
8fa99570 DK	404	successfulaptgetupdate() {
8fa99570 DK	405	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	406	if [ -n "$1" ]; then
	407	testsuccess grep "$1" rootdir/tmp/testwarning.output
	408	fi
8fa99570 DK	409	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
8fa99570 DK	410	}
6a4958d3	411	runtest3 'Weak'
08b7761a DK	412
08b7761a DK	413	msgmsg "Running test with apt-untrusted digest"
6a4958d3	414	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a DK	415	runfailure() {
08b7761a DK	416	for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2	417	export APT_DONT_SIGN="$DELETEFILE"
08b7761a DK	418	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	419	prepare "${PKGFILE}"
	420	rm -rf rootdir/var/lib/apt/lists
	421	signreleasefiles 'Joe Sixpack'
08b7761a DK	422	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	423	testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
	424	testnopackage 'apt'
	425	testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	426	failaptold
d03b947b DK	427	rm -rf rootdir/var/lib/apt/lists
	428	sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
	429	testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	430	failaptold
	431	sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
08b7761a DK	432
	433	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	434	prepare "${PKGFILE}"
	435	rm -rf rootdir/var/lib/apt/lists
	436	signreleasefiles 'Marvin Paranoid'
08b7761a DK	437	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	438	testnopackage 'apt'
	439	updatewithwarnings '^W: .* NO_PUBKEY'
	440	testsuccessequal "$(cat "${PKGFILE}")
	441	" aptcache show apt
	442	failaptold
5a23c56d	443	export APT_DONT_SIGN='Release.gpg'
08b7761a DK	444	done
	445	}
	446	runfailure
	447
	448	msgmsg "Running test with gpgv-untrusted digest"
	449	export APT_TESTS_DIGEST_ALGO='MD5'
	450	runfailure