]> git.saurik.com Git - apt.git/blame - test/integration/test-releasefile-verification
gpgv: cleanup statusfd parsing a bit
[apt.git] / test / integration / test-releasefile-verification
CommitLineData
fe0f7911
DK
1#!/bin/sh
2set -e
3
3abb6a6a
DK
4TESTDIR="$(readlink -f "$(dirname "$0")")"
5. "$TESTDIR/framework"
fe0f7911
DK
6
7setupenvironment
8configarchitecture "i386"
9
10buildaptarchive
11setupflataptarchive
12changetowebserver
13
f2c0ec8b 14webserverconfig 'aptwebserver::support::range' 'false'
331e8396 15
fe0f7911
DK
16prepare() {
17 local DATE="${2:-now}"
331e8396
DK
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
fe0f7911
DK
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412 26 touch -d 'now - 1 year' "$release"
fe0f7911 27 done
8de79b68 28 aptget clean
63c71412 29 cp "$1" aptarchive/Packages
fe0f7911 30 find aptarchive -name 'Release' -delete
331e8396 31 compressfile 'aptarchive/Packages' "$DATE"
fe0f7911
DK
32 generatereleasefiles "$DATE"
33}
34
35installaptold() {
6c0765c0 36 testsuccessequal "Reading package lists...
fe0f7911
DK
37Building dependency tree...
38Suggested packages:
9112f777 39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
40The following NEW packages will be installed:
41 apt
420 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43After this operation, 5370 kB of additional disk space will be used.
6c0765c0
DK
44Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45Download complete and in download only mode" aptget install apt -dy
fe0f7911
DK
46}
47
48installaptnew() {
6c0765c0 49 testsuccessequal "Reading package lists...
fe0f7911
DK
50Building dependency tree...
51Suggested packages:
9112f777 52 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
53The following NEW packages will be installed:
54 apt
550 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
56After this operation, 5808 kB of additional disk space will be used.
6c0765c0
DK
57Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
58Download complete and in download only mode" aptget install apt -dy
fe0f7911
DK
59}
60
61failaptold() {
25b86db1 62 testfailureequal 'Reading package lists...
fe0f7911
DK
63Building dependency tree...
64Suggested packages:
9112f777 65 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
66The following NEW packages will be installed:
67 apt
680 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
69After this operation, 5370 kB of additional disk space will be used.
70WARNING: The following packages cannot be authenticated!
71 apt
b381a482 72E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911
DK
73}
74
75failaptnew() {
25b86db1 76 testfailureequal 'Reading package lists...
fe0f7911
DK
77Building dependency tree...
78Suggested packages:
9112f777 79 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
80The following NEW packages will be installed:
81 apt
820 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
83After this operation, 5808 kB of additional disk space will be used.
84WARNING: The following packages cannot be authenticated!
85 apt
b381a482 86E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911
DK
87}
88
89# fake our downloadable file
90touch aptarchive/apt.deb
91
63c71412 92PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
fe0f7911 93
6bf93605 94updatewithwarnings() {
4e03c47d 95 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605 96 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396
DK
97}
98
fe0f7911 99runtest() {
08b7761a 100 local DELETEFILE="$1"
8fa99570 101 msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412 102 prepare "${PKGFILE}"
fe0f7911
DK
103 rm -rf rootdir/var/lib/apt/lists
104 signreleasefiles 'Joe Sixpack'
105 find aptarchive/ -name "$DELETEFILE" -delete
8fa99570 106 successfulaptgetupdate
63c71412 107 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
108" aptcache show apt
109 installaptold
110
8fa99570 111 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412 112 prepare "${PKGFILE}-new"
fe0f7911
DK
113 signreleasefiles 'Joe Sixpack'
114 find aptarchive/ -name "$DELETEFILE" -delete
8fa99570 115 successfulaptgetupdate
63c71412 116 testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911
DK
117" aptcache show apt
118 installaptnew
119
8fa99570 120 msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412 121 prepare "${PKGFILE}"
29a59c46
DK
122 rm -rf rootdir/var/lib/apt/lists
123 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
124 signreleasefiles 'Rex Expired'
125 find aptarchive/ -name "$DELETEFILE" -delete
f13b413a 126 updatewithwarnings '^W: .* EXPKEYSIG'
63c71412 127 testsuccessequal "$(cat "${PKGFILE}")
29a59c46
DK
128" aptcache show apt
129 failaptold
fb7b11eb 130 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911 131
1af227c2
DK
132 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
133 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
134 touch rootdir/etc/apt/apt.conf.d/99gnupg2
135 elif gpg2 --version >/dev/null 2>&1; then
136 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
137 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
138 rm rootdir/etc/apt/apt.conf.d/99gnupg2
139 fi
140 fi
141 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
142 prepare "${PKGFILE}"
143 rm -rf rootdir/var/lib/apt/lists
144 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
145 find aptarchive/ -name "$DELETEFILE" -delete
146 updatewithwarnings '^W: .* EXPSIG'
147 testsuccessequal "$(cat "${PKGFILE}")
148" aptcache show apt
149 failaptold
150 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
151 else
152 msgskip 'Not a new enough gpg available providing --fake-system-time'
153 fi
154
fb7b11eb
DK
155 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
156 prepare "${PKGFILE}"
157 rm -rf rootdir/var/lib/apt/lists
158 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
159 find aptarchive/ -name "$DELETEFILE" -delete
160 successfulaptgetupdate 'NO_PUBKEY'
161 testsuccessequal "$(cat "${PKGFILE}")
162" aptcache show apt
163 installaptold
164
165 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
166 prepare "${PKGFILE}"
167 rm -rf rootdir/var/lib/apt/lists
168 signreleasefiles 'Joe Sixpack,Rex Expired'
169 find aptarchive/ -name "$DELETEFILE" -delete
170 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
171 successfulaptgetupdate 'EXPKEYSIG'
172 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
173 testsuccessequal "$(cat "${PKGFILE}")
174" aptcache show apt
175 installaptold
176
8fa99570 177 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412 178 prepare "${PKGFILE}"
fe0f7911
DK
179 rm -rf rootdir/var/lib/apt/lists
180 signreleasefiles 'Marvin Paranoid'
181 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 182 updatewithwarnings '^W: .* NO_PUBKEY'
63c71412 183 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
184" aptcache show apt
185 failaptold
186
8fa99570 187 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412 188 prepare "${PKGFILE}-new"
fe0f7911
DK
189 signreleasefiles 'Joe Sixpack'
190 find aptarchive/ -name "$DELETEFILE" -delete
8fa99570 191 successfulaptgetupdate
63c71412 192 testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911
DK
193" aptcache show apt
194 installaptnew
195
8fa99570 196 msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412 197 prepare "${PKGFILE}"
fe0f7911
DK
198 rm -rf rootdir/var/lib/apt/lists
199 signreleasefiles 'Joe Sixpack'
200 find aptarchive/ -name "$DELETEFILE" -delete
8fa99570 201 successfulaptgetupdate
63c71412 202 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
203" aptcache show apt
204 installaptold
205
8fa99570 206 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412 207 prepare "${PKGFILE}-new"
fe0f7911
DK
208 signreleasefiles 'Marvin Paranoid'
209 find aptarchive/ -name "$DELETEFILE" -delete
6bf93605 210 updatewithwarnings '^W: .* NO_PUBKEY'
63c71412 211 testsuccessequal "$(cat "${PKGFILE}")
29a59c46
DK
212" aptcache show apt
213 installaptold
214
8fa99570 215 msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412 216 prepare "${PKGFILE}-new"
29a59c46
DK
217 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
218 signreleasefiles 'Rex Expired'
219 find aptarchive/ -name "$DELETEFILE" -delete
f13b413a 220 updatewithwarnings '^W: .* EXPKEYSIG'
63c71412 221 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
222" aptcache show apt
223 installaptold
29a59c46
DK
224 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
225
8fa99570 226 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412 227 prepare "${PKGFILE}-new"
29a59c46
DK
228 signreleasefiles
229 find aptarchive/ -name "$DELETEFILE" -delete
8fa99570 230 successfulaptgetupdate
63c71412 231 testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46
DK
232" aptcache show apt
233 installaptnew
b0d40854 234
8fa99570 235 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412 236 prepare "${PKGFILE}"
b0d40854
DK
237 rm -rf rootdir/var/lib/apt/lists
238 signreleasefiles 'Marvin Paranoid'
239 find aptarchive/ -name "$DELETEFILE" -delete
b0d40854
DK
240 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
241 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570 242 successfulaptgetupdate
63c71412 243 testsuccessequal "$(cat "${PKGFILE}")
b0d40854
DK
244" aptcache show apt
245 installaptold
246
8fa99570 247 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854
DK
248 rm -rf rootdir/var/lib/apt/lists
249 signreleasefiles 'Joe Sixpack'
250 find aptarchive/ -name "$DELETEFILE" -delete
b0d40854
DK
251 updatewithwarnings '^W: .* NO_PUBKEY'
252
253 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
254 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
255
8fa99570 256 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
63c71412 257 prepare "${PKGFILE}"
b0d40854
DK
258 rm -rf rootdir/var/lib/apt/lists
259 signreleasefiles 'Marvin Paranoid'
260 find aptarchive/ -name "$DELETEFILE" -delete
b0d40854
DK
261 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
262 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570 263 successfulaptgetupdate
63c71412 264 testsuccessequal "$(cat "${PKGFILE}")
b0d40854
DK
265" aptcache show apt
266 installaptold
267 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
268
8fa99570 269 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
b0d40854
DK
270 rm -rf rootdir/var/lib/apt/lists
271 signreleasefiles 'Joe Sixpack'
272 find aptarchive/ -name "$DELETEFILE" -delete
4e03c47d 273 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854
DK
274
275 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
fe0f7911
DK
276}
277
43c1ca5d 278runtest2() {
8fa99570 279 msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412 280 prepare "${PKGFILE}"
43c1ca5d
SR
281 rm -rf rootdir/var/lib/apt/lists
282 signreleasefiles 'Joe Sixpack'
8fa99570 283 successfulaptgetupdate
43c1ca5d
SR
284
285 # New .deb but now an unsigned archive. For example MITM to circumvent
286 # package verification.
8fa99570 287 msgmsg 'Warm archive signed by' 'nobody'
63c71412 288 prepare "${PKGFILE}-new"
43c1ca5d
SR
289 find aptarchive/ -name InRelease -delete
290 find aptarchive/ -name Release.gpg -delete
6bf93605 291 updatewithwarnings 'W: .* no longer signed.'
63c71412 292 testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d
SR
293" aptcache show apt
294 failaptnew
295
296 # Unsigned archive from the beginning must also be detected.
6bf93605 297 msgmsg 'Cold archive signed by' 'nobody'
8fa99570 298 rm -rf rootdir/var/lib/apt/lists
6bf93605 299 updatewithwarnings 'W: .* is not signed.'
63c71412 300 testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d
SR
301" aptcache show apt
302 failaptnew
303}
43c1ca5d 304
8fa99570 305runtest3() {
6a4958d3 306 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a 307 msgmsg "Running base test with $1 digest"
8fa99570
DK
308 runtest2
309
08b7761a
DK
310 for DELETEFILE in 'InRelease' 'Release.gpg'; do
311 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
312 runtest "$DELETEFILE"
313 done
8fa99570
DK
314}
315
e8b1db38
MV
316# diable some protection by default and ensure we still do the verification
317# correctly
318cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
319Acquire::AllowInsecureRepositories "1";
320Acquire::AllowDowngradeToInsecureRepositories "1";
321EOF
08b7761a
DK
322# the hash marked as configureable in our gpgv method
323export APT_TESTS_DIGEST_ALGO='SHA224'
e8b1db38 324
8fa99570
DK
325successfulaptgetupdate() {
326 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb
DK
327 if [ -n "$1" ]; then
328 cp rootdir/tmp/testsuccess.output aptupdate.output
329 testsuccess grep "$1" aptupdate.output
330 fi
8fa99570 331}
6a4958d3 332runtest3 'Trusted'
e8b1db38 333
8fa99570
DK
334successfulaptgetupdate() {
335 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb
DK
336 if [ -n "$1" ]; then
337 testsuccess grep "$1" rootdir/tmp/testwarning.output
338 fi
8fa99570
DK
339 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
340}
6a4958d3 341runtest3 'Weak'
08b7761a
DK
342
343msgmsg "Running test with apt-untrusted digest"
6a4958d3 344echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a
DK
345runfailure() {
346 for DELETEFILE in 'InRelease' 'Release.gpg'; do
347 msgmsg 'Cold archive signed by' 'Joe Sixpack'
348 prepare "${PKGFILE}"
349 rm -rf rootdir/var/lib/apt/lists
350 signreleasefiles 'Joe Sixpack'
351 find aptarchive/ -name "$DELETEFILE" -delete
352 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
353 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
354 testnopackage 'apt'
355 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
356 failaptold
357
358 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
359 prepare "${PKGFILE}"
360 rm -rf rootdir/var/lib/apt/lists
361 signreleasefiles 'Marvin Paranoid'
362 find aptarchive/ -name "$DELETEFILE" -delete
363 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
364 testnopackage 'apt'
365 updatewithwarnings '^W: .* NO_PUBKEY'
366 testsuccessequal "$(cat "${PKGFILE}")
367" aptcache show apt
368 failaptold
369 done
370}
371runfailure
372
373msgmsg "Running test with gpgv-untrusted digest"
374export APT_TESTS_DIGEST_ALGO='MD5'
375runfailure