]>
Commit | Line | Data |
---|---|---|
fe0f7911 DK |
1 | #!/bin/sh |
2 | set -e | |
3 | ||
3abb6a6a DK |
4 | TESTDIR="$(readlink -f "$(dirname "$0")")" |
5 | . "$TESTDIR/framework" | |
fe0f7911 DK |
6 | |
7 | setupenvironment | |
8 | configarchitecture "i386" | |
9 | ||
5a23c56d | 10 | export APT_DONT_SIGN='Release.gpg' |
fe0f7911 DK |
11 | buildaptarchive |
12 | setupflataptarchive | |
13 | changetowebserver | |
14 | ||
f2c0ec8b | 15 | webserverconfig 'aptwebserver::support::range' 'false' |
331e8396 | 16 | |
fe0f7911 DK |
17 | prepare() { |
18 | local DATE="${2:-now}" | |
331e8396 DK |
19 | if [ "$DATE" = 'now' ]; then |
20 | if [ "$1" = "${PKGFILE}-new" ]; then | |
21 | DATE='now - 1 day' | |
22 | else | |
23 | DATE='now - 7 day' | |
24 | fi | |
fe0f7911 DK |
25 | fi |
26 | for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do | |
63c71412 | 27 | touch -d 'now - 1 year' "$release" |
fe0f7911 | 28 | done |
8de79b68 | 29 | aptget clean |
63c71412 | 30 | cp "$1" aptarchive/Packages |
fe0f7911 | 31 | find aptarchive -name 'Release' -delete |
331e8396 | 32 | compressfile 'aptarchive/Packages' "$DATE" |
89901946 | 33 | generatereleasefiles "$DATE" 'now + 1 month' |
fe0f7911 DK |
34 | } |
35 | ||
36 | installaptold() { | |
46e00c90 | 37 | rm -rf rootdir/var/cache/apt/archives |
6c0765c0 | 38 | testsuccessequal "Reading package lists... |
fe0f7911 DK |
39 | Building dependency tree... |
40 | Suggested packages: | |
9112f777 | 41 | aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt |
fe0f7911 DK |
42 | The following NEW packages will be installed: |
43 | apt | |
44 | 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. | |
45 | After this operation, 5370 kB of additional disk space will be used. | |
6c0765c0 DK |
46 | Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3 |
47 | Download complete and in download only mode" aptget install apt -dy | |
fe0f7911 DK |
48 | } |
49 | ||
50 | installaptnew() { | |
89901946 | 51 | rm -rf rootdir/var/cache/apt/archives |
6c0765c0 | 52 | testsuccessequal "Reading package lists... |
fe0f7911 DK |
53 | Building dependency tree... |
54 | Suggested packages: | |
9112f777 | 55 | aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt |
fe0f7911 DK |
56 | The following NEW packages will be installed: |
57 | apt | |
58 | 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. | |
59 | After this operation, 5808 kB of additional disk space will be used. | |
6c0765c0 DK |
60 | Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1 |
61 | Download complete and in download only mode" aptget install apt -dy | |
fe0f7911 DK |
62 | } |
63 | ||
64 | failaptold() { | |
25b86db1 | 65 | testfailureequal 'Reading package lists... |
fe0f7911 DK |
66 | Building dependency tree... |
67 | Suggested packages: | |
9112f777 | 68 | aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt |
fe0f7911 DK |
69 | The following NEW packages will be installed: |
70 | apt | |
71 | 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. | |
72 | After this operation, 5370 kB of additional disk space will be used. | |
73 | WARNING: The following packages cannot be authenticated! | |
74 | apt | |
b381a482 | 75 | E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy |
fe0f7911 DK |
76 | } |
77 | ||
78 | failaptnew() { | |
25b86db1 | 79 | testfailureequal 'Reading package lists... |
fe0f7911 DK |
80 | Building dependency tree... |
81 | Suggested packages: | |
9112f777 | 82 | aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt |
fe0f7911 DK |
83 | The following NEW packages will be installed: |
84 | apt | |
85 | 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. | |
86 | After this operation, 5808 kB of additional disk space will be used. | |
87 | WARNING: The following packages cannot be authenticated! | |
88 | apt | |
b381a482 | 89 | E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy |
fe0f7911 DK |
90 | } |
91 | ||
92 | # fake our downloadable file | |
93 | touch aptarchive/apt.deb | |
94 | ||
63c71412 | 95 | PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')" |
fe0f7911 | 96 | |
6bf93605 | 97 | updatewithwarnings() { |
4e03c47d | 98 | testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 |
6bf93605 | 99 | testsuccess grep -E "$1" rootdir/tmp/testwarning.output |
331e8396 DK |
100 | } |
101 | ||
fe0f7911 | 102 | runtest() { |
8fa99570 | 103 | msgmsg 'Cold archive signed by' 'Joe Sixpack' |
63c71412 | 104 | prepare "${PKGFILE}" |
fe0f7911 DK |
105 | rm -rf rootdir/var/lib/apt/lists |
106 | signreleasefiles 'Joe Sixpack' | |
8fa99570 | 107 | successfulaptgetupdate |
63c71412 | 108 | testsuccessequal "$(cat "${PKGFILE}") |
fe0f7911 DK |
109 | " aptcache show apt |
110 | installaptold | |
111 | ||
8fa99570 | 112 | msgmsg 'Good warm archive signed by' 'Joe Sixpack' |
63c71412 | 113 | prepare "${PKGFILE}-new" |
fe0f7911 | 114 | signreleasefiles 'Joe Sixpack' |
8fa99570 | 115 | successfulaptgetupdate |
63c71412 | 116 | testsuccessequal "$(cat "${PKGFILE}-new") |
fe0f7911 DK |
117 | " aptcache show apt |
118 | installaptnew | |
119 | ||
8fa99570 | 120 | msgmsg 'Cold archive signed by' 'Rex Expired' |
63c71412 | 121 | prepare "${PKGFILE}" |
29a59c46 DK |
122 | rm -rf rootdir/var/lib/apt/lists |
123 | cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg | |
124 | signreleasefiles 'Rex Expired' | |
f13b413a | 125 | updatewithwarnings '^W: .* EXPKEYSIG' |
63c71412 | 126 | testsuccessequal "$(cat "${PKGFILE}") |
29a59c46 DK |
127 | " aptcache show apt |
128 | failaptold | |
fb7b11eb | 129 | rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg |
fe0f7911 | 130 | |
1af227c2 DK |
131 | msgmsg 'Cold archive expired signed by' 'Joe Sixpack' |
132 | if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then | |
133 | touch rootdir/etc/apt/apt.conf.d/99gnupg2 | |
134 | elif gpg2 --version >/dev/null 2>&1; then | |
135 | echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2 | |
136 | if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then | |
137 | rm rootdir/etc/apt/apt.conf.d/99gnupg2 | |
138 | fi | |
139 | fi | |
140 | if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then | |
141 | prepare "${PKGFILE}" | |
142 | rm -rf rootdir/var/lib/apt/lists | |
143 | signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01 | |
1af227c2 DK |
144 | updatewithwarnings '^W: .* EXPSIG' |
145 | testsuccessequal "$(cat "${PKGFILE}") | |
146 | " aptcache show apt | |
147 | failaptold | |
148 | rm -f rootdir/etc/apt/apt.conf.d/99gnupg2 | |
149 | else | |
150 | msgskip 'Not a new enough gpg available providing --fake-system-time' | |
151 | fi | |
152 | ||
fb7b11eb DK |
153 | msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid' |
154 | prepare "${PKGFILE}" | |
155 | rm -rf rootdir/var/lib/apt/lists | |
156 | signreleasefiles 'Joe Sixpack,Marvin Paranoid' | |
fb7b11eb DK |
157 | successfulaptgetupdate 'NO_PUBKEY' |
158 | testsuccessequal "$(cat "${PKGFILE}") | |
159 | " aptcache show apt | |
160 | installaptold | |
161 | ||
162 | msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired' | |
163 | prepare "${PKGFILE}" | |
164 | rm -rf rootdir/var/lib/apt/lists | |
165 | signreleasefiles 'Joe Sixpack,Rex Expired' | |
fb7b11eb DK |
166 | cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg |
167 | successfulaptgetupdate 'EXPKEYSIG' | |
168 | rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg | |
169 | testsuccessequal "$(cat "${PKGFILE}") | |
170 | " aptcache show apt | |
171 | installaptold | |
172 | ||
8fa99570 | 173 | msgmsg 'Cold archive signed by' 'Marvin Paranoid' |
63c71412 | 174 | prepare "${PKGFILE}" |
fe0f7911 DK |
175 | rm -rf rootdir/var/lib/apt/lists |
176 | signreleasefiles 'Marvin Paranoid' | |
6bf93605 | 177 | updatewithwarnings '^W: .* NO_PUBKEY' |
63c71412 | 178 | testsuccessequal "$(cat "${PKGFILE}") |
fe0f7911 DK |
179 | " aptcache show apt |
180 | failaptold | |
181 | ||
8fa99570 | 182 | msgmsg 'Bad warm archive signed by' 'Joe Sixpack' |
63c71412 | 183 | prepare "${PKGFILE}-new" |
fe0f7911 | 184 | signreleasefiles 'Joe Sixpack' |
8fa99570 | 185 | successfulaptgetupdate |
63c71412 | 186 | testsuccessequal "$(cat "${PKGFILE}-new") |
fe0f7911 DK |
187 | " aptcache show apt |
188 | installaptnew | |
189 | ||
8fa99570 | 190 | msgmsg 'Cold archive signed by' 'Joe Sixpack' |
63c71412 | 191 | prepare "${PKGFILE}" |
fe0f7911 DK |
192 | rm -rf rootdir/var/lib/apt/lists |
193 | signreleasefiles 'Joe Sixpack' | |
8fa99570 | 194 | successfulaptgetupdate |
63c71412 | 195 | testsuccessequal "$(cat "${PKGFILE}") |
fe0f7911 DK |
196 | " aptcache show apt |
197 | installaptold | |
198 | ||
8fa99570 | 199 | msgmsg 'Good warm archive signed by' 'Marvin Paranoid' |
63c71412 | 200 | prepare "${PKGFILE}-new" |
fe0f7911 | 201 | signreleasefiles 'Marvin Paranoid' |
6bf93605 | 202 | updatewithwarnings '^W: .* NO_PUBKEY' |
63c71412 | 203 | testsuccessequal "$(cat "${PKGFILE}") |
29a59c46 DK |
204 | " aptcache show apt |
205 | installaptold | |
206 | ||
8fa99570 | 207 | msgmsg 'Good warm archive signed by' 'Rex Expired' |
63c71412 | 208 | prepare "${PKGFILE}-new" |
29a59c46 DK |
209 | cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg |
210 | signreleasefiles 'Rex Expired' | |
f13b413a | 211 | updatewithwarnings '^W: .* EXPKEYSIG' |
63c71412 | 212 | testsuccessequal "$(cat "${PKGFILE}") |
fe0f7911 DK |
213 | " aptcache show apt |
214 | installaptold | |
29a59c46 DK |
215 | rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg |
216 | ||
8fa99570 | 217 | msgmsg 'Good warm archive signed by' 'Joe Sixpack' |
63c71412 | 218 | prepare "${PKGFILE}-new" |
29a59c46 | 219 | signreleasefiles |
8fa99570 | 220 | successfulaptgetupdate |
63c71412 | 221 | testsuccessequal "$(cat "${PKGFILE}-new") |
29a59c46 DK |
222 | " aptcache show apt |
223 | installaptnew | |
b0d40854 | 224 | |
8fa99570 | 225 | msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid' |
63c71412 | 226 | prepare "${PKGFILE}" |
b0d40854 DK |
227 | rm -rf rootdir/var/lib/apt/lists |
228 | signreleasefiles 'Marvin Paranoid' | |
b0d40854 DK |
229 | local MARVIN="$(readlink -f keys/marvinparanoid.pub)" |
230 | sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* | |
8fa99570 | 231 | successfulaptgetupdate |
63c71412 | 232 | testsuccessequal "$(cat "${PKGFILE}") |
b0d40854 DK |
233 | " aptcache show apt |
234 | installaptold | |
235 | ||
8fa99570 | 236 | msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack' |
b0d40854 DK |
237 | rm -rf rootdir/var/lib/apt/lists |
238 | signreleasefiles 'Joe Sixpack' | |
b0d40854 | 239 | updatewithwarnings '^W: .* NO_PUBKEY' |
b0d40854 | 240 | sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/* |
46e00c90 | 241 | |
b0d40854 | 242 | local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')" |
46e00c90 DK |
243 | msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack' |
244 | rm -rf rootdir/var/lib/apt/lists | |
245 | signreleasefiles 'Joe Sixpack' | |
46e00c90 DK |
246 | sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* |
247 | updatewithwarnings '^W: .* be verified because the public key is not available: .*' | |
b0d40854 | 248 | |
8fa99570 | 249 | msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid' |
b0d40854 DK |
250 | rm -rf rootdir/var/lib/apt/lists |
251 | signreleasefiles 'Marvin Paranoid' | |
b0d40854 | 252 | cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg |
8fa99570 | 253 | successfulaptgetupdate |
63c71412 | 254 | testsuccessequal "$(cat "${PKGFILE}") |
b0d40854 DK |
255 | " aptcache show apt |
256 | installaptold | |
b0d40854 | 257 | |
46e00c90 DK |
258 | msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack' |
259 | rm -rf rootdir/var/lib/apt/lists | |
260 | signreleasefiles 'Marvin Paranoid,Joe Sixpack' | |
46e00c90 DK |
261 | successfulaptgetupdate 'NoPubKey: GOODSIG' |
262 | testsuccessequal "$(cat "${PKGFILE}") | |
263 | " aptcache show apt | |
264 | installaptold | |
265 | ||
266 | local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')" | |
267 | msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack' | |
b0d40854 DK |
268 | rm -rf rootdir/var/lib/apt/lists |
269 | signreleasefiles 'Joe Sixpack' | |
46e00c90 DK |
270 | sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/* |
271 | successfulaptgetupdate | |
272 | testsuccessequal "$(cat "${PKGFILE}") | |
273 | " aptcache show apt | |
274 | installaptold | |
275 | ||
276 | local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')" | |
277 | msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack' | |
278 | rm -rf rootdir/var/lib/apt/lists | |
279 | sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/* | |
280 | successfulaptgetupdate | |
281 | testsuccessequal "$(cat "${PKGFILE}") | |
282 | " aptcache show apt | |
283 | installaptold | |
284 | rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg | |
285 | sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/* | |
b0d40854 | 286 | |
89901946 DK |
287 | rm -rf rootdir/var/lib/apt/lists-bak |
288 | cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak | |
289 | prepare "${PKGFILE}-new" | |
290 | signreleasefiles 'Joe Sixpack' | |
89901946 DK |
291 | |
292 | msgmsg 'Warm archive with signed-by' 'Joe Sixpack' | |
293 | sed -i "/^Valid-Until: / a\ | |
294 | Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release | |
295 | touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release | |
296 | successfulaptgetupdate | |
297 | testsuccessequal "$(cat "${PKGFILE}-new") | |
298 | " aptcache show apt | |
299 | installaptnew | |
300 | ||
301 | msgmsg 'Warm archive with signed-by' 'Marvin Paranoid' | |
302 | rm -rf rootdir/var/lib/apt/lists | |
303 | cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists | |
304 | sed -i "/^Valid-Until: / a\ | |
305 | Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release | |
306 | touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release | |
307 | updatewithwarnings 'W: .* public key is not available: GOODSIG' | |
308 | testsuccessequal "$(cat "${PKGFILE}") | |
309 | " aptcache show apt | |
310 | installaptold | |
311 | ||
312 | msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid' | |
313 | rm -rf rootdir/var/lib/apt/lists | |
314 | cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists | |
315 | sed -i "/^Valid-Until: / a\ | |
316 | Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\ | |
317 | Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release | |
318 | touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release | |
319 | successfulaptgetupdate | |
320 | testsuccessequal "$(cat "${PKGFILE}-new") | |
321 | " aptcache show apt | |
322 | installaptnew | |
323 | ||
324 | msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack' | |
325 | rm -rf rootdir/var/lib/apt/lists | |
326 | cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists | |
327 | sed -i "/^Valid-Until: / a\ | |
328 | Signed-By: ${MARVIN} ${MARVIN}, \\ | |
329 | ${SIXPACK}" rootdir/var/lib/apt/lists/*Release | |
330 | touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release | |
331 | successfulaptgetupdate | |
332 | testsuccessequal "$(cat "${PKGFILE}-new") | |
333 | " aptcache show apt | |
334 | installaptnew | |
fe0f7911 DK |
335 | } |
336 | ||
43c1ca5d | 337 | runtest2() { |
8fa99570 | 338 | msgmsg 'Cold archive signed by' 'Joe Sixpack' |
63c71412 | 339 | prepare "${PKGFILE}" |
43c1ca5d SR |
340 | rm -rf rootdir/var/lib/apt/lists |
341 | signreleasefiles 'Joe Sixpack' | |
8fa99570 | 342 | successfulaptgetupdate |
43c1ca5d SR |
343 | |
344 | # New .deb but now an unsigned archive. For example MITM to circumvent | |
345 | # package verification. | |
8fa99570 | 346 | msgmsg 'Warm archive signed by' 'nobody' |
63c71412 | 347 | prepare "${PKGFILE}-new" |
761a5ad2 | 348 | find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete |
6bf93605 | 349 | updatewithwarnings 'W: .* no longer signed.' |
63c71412 | 350 | testsuccessequal "$(cat "${PKGFILE}-new") |
43c1ca5d SR |
351 | " aptcache show apt |
352 | failaptnew | |
353 | ||
354 | # Unsigned archive from the beginning must also be detected. | |
6bf93605 | 355 | msgmsg 'Cold archive signed by' 'nobody' |
8fa99570 | 356 | rm -rf rootdir/var/lib/apt/lists |
6bf93605 | 357 | updatewithwarnings 'W: .* is not signed.' |
63c71412 | 358 | testsuccessequal "$(cat "${PKGFILE}-new") |
43c1ca5d SR |
359 | " aptcache show apt |
360 | failaptnew | |
361 | } | |
43c1ca5d | 362 | |
8fa99570 | 363 | runtest3() { |
6a4958d3 | 364 | echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate |
08b7761a | 365 | msgmsg "Running base test with $1 digest" |
8fa99570 DK |
366 | runtest2 |
367 | ||
08b7761a | 368 | for DELETEFILE in 'InRelease' 'Release.gpg'; do |
761a5ad2 | 369 | export APT_DONT_SIGN="$DELETEFILE" |
08b7761a | 370 | msgmsg "Running test with deletion of $DELETEFILE and $1 digest" |
761a5ad2 | 371 | runtest |
5a23c56d | 372 | export APT_DONT_SIGN='Release.gpg' |
08b7761a | 373 | done |
8fa99570 DK |
374 | } |
375 | ||
e8b1db38 MV |
376 | # diable some protection by default and ensure we still do the verification |
377 | # correctly | |
378 | cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF | |
379 | Acquire::AllowInsecureRepositories "1"; | |
380 | Acquire::AllowDowngradeToInsecureRepositories "1"; | |
381 | EOF | |
08b7761a DK |
382 | # the hash marked as configureable in our gpgv method |
383 | export APT_TESTS_DIGEST_ALGO='SHA224' | |
e8b1db38 | 384 | |
8fa99570 DK |
385 | successfulaptgetupdate() { |
386 | testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 | |
fb7b11eb DK |
387 | if [ -n "$1" ]; then |
388 | cp rootdir/tmp/testsuccess.output aptupdate.output | |
389 | testsuccess grep "$1" aptupdate.output | |
390 | fi | |
8fa99570 | 391 | } |
6a4958d3 | 392 | runtest3 'Trusted' |
e8b1db38 | 393 | |
8fa99570 DK |
394 | successfulaptgetupdate() { |
395 | testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 | |
fb7b11eb DK |
396 | if [ -n "$1" ]; then |
397 | testsuccess grep "$1" rootdir/tmp/testwarning.output | |
398 | fi | |
8fa99570 DK |
399 | testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output |
400 | } | |
6a4958d3 | 401 | runtest3 'Weak' |
08b7761a DK |
402 | |
403 | msgmsg "Running test with apt-untrusted digest" | |
6a4958d3 | 404 | echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate |
08b7761a DK |
405 | runfailure() { |
406 | for DELETEFILE in 'InRelease' 'Release.gpg'; do | |
761a5ad2 | 407 | export APT_DONT_SIGN="$DELETEFILE" |
08b7761a DK |
408 | msgmsg 'Cold archive signed by' 'Joe Sixpack' |
409 | prepare "${PKGFILE}" | |
410 | rm -rf rootdir/var/lib/apt/lists | |
411 | signreleasefiles 'Joe Sixpack' | |
08b7761a DK |
412 | testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 |
413 | testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output | |
414 | testnopackage 'apt' | |
415 | testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 | |
416 | failaptold | |
417 | ||
418 | msgmsg 'Cold archive signed by' 'Marvin Paranoid' | |
419 | prepare "${PKGFILE}" | |
420 | rm -rf rootdir/var/lib/apt/lists | |
421 | signreleasefiles 'Marvin Paranoid' | |
08b7761a DK |
422 | testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 |
423 | testnopackage 'apt' | |
424 | updatewithwarnings '^W: .* NO_PUBKEY' | |
425 | testsuccessequal "$(cat "${PKGFILE}") | |
426 | " aptcache show apt | |
427 | failaptold | |
5a23c56d | 428 | export APT_DONT_SIGN='Release.gpg' |
08b7761a DK |
429 | done |
430 | } | |
431 | runfailure | |
432 | ||
433 | msgmsg "Running test with gpgv-untrusted digest" | |
434 | export APT_TESTS_DIGEST_ALGO='MD5' | |
435 | runfailure |