]> git.saurik.com Git - apt.git/blame - test/integration/test-releasefile-verification
ensure filesize of deb is included in the hashes list
[apt.git] / test / integration / test-releasefile-verification
CommitLineData
fe0f7911
DK
1#!/bin/sh
2set -e
3
3abb6a6a
DK
4TESTDIR="$(readlink -f "$(dirname "$0")")"
5. "$TESTDIR/framework"
fe0f7911
DK
6
7setupenvironment
8configarchitecture "i386"
9
5a23c56d 10export APT_DONT_SIGN='Release.gpg'
fe0f7911
DK
11buildaptarchive
12setupflataptarchive
13changetowebserver
14
f2c0ec8b 15webserverconfig 'aptwebserver::support::range' 'false'
331e8396 16
fe0f7911
DK
17prepare() {
18 local DATE="${2:-now}"
331e8396
DK
19 if [ "$DATE" = 'now' ]; then
20 if [ "$1" = "${PKGFILE}-new" ]; then
21 DATE='now - 1 day'
22 else
23 DATE='now - 7 day'
24 fi
fe0f7911
DK
25 fi
26 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412 27 touch -d 'now - 1 year' "$release"
fe0f7911 28 done
8de79b68 29 aptget clean
63c71412 30 cp "$1" aptarchive/Packages
fe0f7911 31 find aptarchive -name 'Release' -delete
331e8396 32 compressfile 'aptarchive/Packages' "$DATE"
89901946 33 generatereleasefiles "$DATE" 'now + 1 month'
fe0f7911
DK
34}
35
36installaptold() {
46e00c90 37 rm -rf rootdir/var/cache/apt/archives
6c0765c0 38 testsuccessequal "Reading package lists...
fe0f7911
DK
39Building dependency tree...
40Suggested packages:
9112f777 41 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
42The following NEW packages will be installed:
43 apt
440 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
45After this operation, 5370 kB of additional disk space will be used.
6c0765c0
DK
46Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
47Download complete and in download only mode" aptget install apt -dy
fe0f7911
DK
48}
49
50installaptnew() {
89901946 51 rm -rf rootdir/var/cache/apt/archives
6c0765c0 52 testsuccessequal "Reading package lists...
fe0f7911
DK
53Building dependency tree...
54Suggested packages:
9112f777 55 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
56The following NEW packages will be installed:
57 apt
580 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
59After this operation, 5808 kB of additional disk space will be used.
6c0765c0
DK
60Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
61Download complete and in download only mode" aptget install apt -dy
fe0f7911
DK
62}
63
64failaptold() {
25b86db1 65 testfailureequal 'Reading package lists...
fe0f7911
DK
66Building dependency tree...
67Suggested packages:
9112f777 68 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
69The following NEW packages will be installed:
70 apt
710 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
72After this operation, 5370 kB of additional disk space will be used.
73WARNING: The following packages cannot be authenticated!
74 apt
b381a482 75E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911
DK
76}
77
78failaptnew() {
25b86db1 79 testfailureequal 'Reading package lists...
fe0f7911
DK
80Building dependency tree...
81Suggested packages:
9112f777 82 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911
DK
83The following NEW packages will be installed:
84 apt
850 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
86After this operation, 5808 kB of additional disk space will be used.
87WARNING: The following packages cannot be authenticated!
88 apt
b381a482 89E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911
DK
90}
91
92# fake our downloadable file
93touch aptarchive/apt.deb
94
63c71412 95PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
fe0f7911 96
6bf93605 97updatewithwarnings() {
4e03c47d 98 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605 99 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396
DK
100}
101
fe0f7911 102runtest() {
8fa99570 103 msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412 104 prepare "${PKGFILE}"
fe0f7911
DK
105 rm -rf rootdir/var/lib/apt/lists
106 signreleasefiles 'Joe Sixpack'
8fa99570 107 successfulaptgetupdate
63c71412 108 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
109" aptcache show apt
110 installaptold
111
8fa99570 112 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412 113 prepare "${PKGFILE}-new"
fe0f7911 114 signreleasefiles 'Joe Sixpack'
8fa99570 115 successfulaptgetupdate
63c71412 116 testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911
DK
117" aptcache show apt
118 installaptnew
119
8fa99570 120 msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412 121 prepare "${PKGFILE}"
29a59c46
DK
122 rm -rf rootdir/var/lib/apt/lists
123 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
124 signreleasefiles 'Rex Expired'
f13b413a 125 updatewithwarnings '^W: .* EXPKEYSIG'
63c71412 126 testsuccessequal "$(cat "${PKGFILE}")
29a59c46
DK
127" aptcache show apt
128 failaptold
fb7b11eb 129 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911 130
1af227c2
DK
131 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
132 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
133 touch rootdir/etc/apt/apt.conf.d/99gnupg2
134 elif gpg2 --version >/dev/null 2>&1; then
135 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
136 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
137 rm rootdir/etc/apt/apt.conf.d/99gnupg2
138 fi
139 fi
140 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
141 prepare "${PKGFILE}"
142 rm -rf rootdir/var/lib/apt/lists
143 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
1af227c2
DK
144 updatewithwarnings '^W: .* EXPSIG'
145 testsuccessequal "$(cat "${PKGFILE}")
146" aptcache show apt
147 failaptold
148 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
149 else
150 msgskip 'Not a new enough gpg available providing --fake-system-time'
151 fi
152
fb7b11eb
DK
153 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
154 prepare "${PKGFILE}"
155 rm -rf rootdir/var/lib/apt/lists
156 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
fb7b11eb
DK
157 successfulaptgetupdate 'NO_PUBKEY'
158 testsuccessequal "$(cat "${PKGFILE}")
159" aptcache show apt
160 installaptold
161
162 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
163 prepare "${PKGFILE}"
164 rm -rf rootdir/var/lib/apt/lists
165 signreleasefiles 'Joe Sixpack,Rex Expired'
fb7b11eb
DK
166 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
167 successfulaptgetupdate 'EXPKEYSIG'
168 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
169 testsuccessequal "$(cat "${PKGFILE}")
170" aptcache show apt
171 installaptold
172
8fa99570 173 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412 174 prepare "${PKGFILE}"
fe0f7911
DK
175 rm -rf rootdir/var/lib/apt/lists
176 signreleasefiles 'Marvin Paranoid'
6bf93605 177 updatewithwarnings '^W: .* NO_PUBKEY'
63c71412 178 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
179" aptcache show apt
180 failaptold
181
8fa99570 182 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412 183 prepare "${PKGFILE}-new"
fe0f7911 184 signreleasefiles 'Joe Sixpack'
8fa99570 185 successfulaptgetupdate
63c71412 186 testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911
DK
187" aptcache show apt
188 installaptnew
189
8fa99570 190 msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412 191 prepare "${PKGFILE}"
fe0f7911
DK
192 rm -rf rootdir/var/lib/apt/lists
193 signreleasefiles 'Joe Sixpack'
8fa99570 194 successfulaptgetupdate
63c71412 195 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
196" aptcache show apt
197 installaptold
198
8fa99570 199 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412 200 prepare "${PKGFILE}-new"
fe0f7911 201 signreleasefiles 'Marvin Paranoid'
6bf93605 202 updatewithwarnings '^W: .* NO_PUBKEY'
63c71412 203 testsuccessequal "$(cat "${PKGFILE}")
29a59c46
DK
204" aptcache show apt
205 installaptold
206
8fa99570 207 msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412 208 prepare "${PKGFILE}-new"
29a59c46
DK
209 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
210 signreleasefiles 'Rex Expired'
f13b413a 211 updatewithwarnings '^W: .* EXPKEYSIG'
63c71412 212 testsuccessequal "$(cat "${PKGFILE}")
fe0f7911
DK
213" aptcache show apt
214 installaptold
29a59c46
DK
215 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
216
8fa99570 217 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412 218 prepare "${PKGFILE}-new"
29a59c46 219 signreleasefiles
8fa99570 220 successfulaptgetupdate
63c71412 221 testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46
DK
222" aptcache show apt
223 installaptnew
b0d40854 224
8fa99570 225 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412 226 prepare "${PKGFILE}"
b0d40854
DK
227 rm -rf rootdir/var/lib/apt/lists
228 signreleasefiles 'Marvin Paranoid'
b0d40854
DK
229 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
230 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570 231 successfulaptgetupdate
63c71412 232 testsuccessequal "$(cat "${PKGFILE}")
b0d40854
DK
233" aptcache show apt
234 installaptold
235
8fa99570 236 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854
DK
237 rm -rf rootdir/var/lib/apt/lists
238 signreleasefiles 'Joe Sixpack'
b0d40854 239 updatewithwarnings '^W: .* NO_PUBKEY'
b0d40854 240 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
46e00c90 241
b0d40854 242 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
46e00c90
DK
243 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
244 rm -rf rootdir/var/lib/apt/lists
245 signreleasefiles 'Joe Sixpack'
46e00c90
DK
246 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
247 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854 248
8fa99570 249 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
b0d40854
DK
250 rm -rf rootdir/var/lib/apt/lists
251 signreleasefiles 'Marvin Paranoid'
b0d40854 252 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570 253 successfulaptgetupdate
63c71412 254 testsuccessequal "$(cat "${PKGFILE}")
b0d40854
DK
255" aptcache show apt
256 installaptold
b0d40854 257
46e00c90
DK
258 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
259 rm -rf rootdir/var/lib/apt/lists
260 signreleasefiles 'Marvin Paranoid,Joe Sixpack'
46e00c90
DK
261 successfulaptgetupdate 'NoPubKey: GOODSIG'
262 testsuccessequal "$(cat "${PKGFILE}")
263" aptcache show apt
264 installaptold
265
266 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
267 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
b0d40854
DK
268 rm -rf rootdir/var/lib/apt/lists
269 signreleasefiles 'Joe Sixpack'
46e00c90
DK
270 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
271 successfulaptgetupdate
272 testsuccessequal "$(cat "${PKGFILE}")
273" aptcache show apt
274 installaptold
275
276 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
277 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
278 rm -rf rootdir/var/lib/apt/lists
279 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
280 successfulaptgetupdate
281 testsuccessequal "$(cat "${PKGFILE}")
282" aptcache show apt
283 installaptold
284 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
285 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
b0d40854 286
89901946
DK
287 rm -rf rootdir/var/lib/apt/lists-bak
288 cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
289 prepare "${PKGFILE}-new"
290 signreleasefiles 'Joe Sixpack'
89901946
DK
291
292 msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
293 sed -i "/^Valid-Until: / a\
294Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
295 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
296 successfulaptgetupdate
297 testsuccessequal "$(cat "${PKGFILE}-new")
298" aptcache show apt
299 installaptnew
300
301 msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
302 rm -rf rootdir/var/lib/apt/lists
303 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
304 sed -i "/^Valid-Until: / a\
305Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
306 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
307 updatewithwarnings 'W: .* public key is not available: GOODSIG'
308 testsuccessequal "$(cat "${PKGFILE}")
309" aptcache show apt
310 installaptold
311
312 msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
313 rm -rf rootdir/var/lib/apt/lists
314 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
315 sed -i "/^Valid-Until: / a\
316Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
317Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
318 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
319 successfulaptgetupdate
320 testsuccessequal "$(cat "${PKGFILE}-new")
321" aptcache show apt
322 installaptnew
323
324 msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
325 rm -rf rootdir/var/lib/apt/lists
326 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
327 sed -i "/^Valid-Until: / a\
328Signed-By: ${MARVIN} ${MARVIN}, \\
329 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
330 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
331 successfulaptgetupdate
332 testsuccessequal "$(cat "${PKGFILE}-new")
333" aptcache show apt
334 installaptnew
fe0f7911
DK
335}
336
43c1ca5d 337runtest2() {
8fa99570 338 msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412 339 prepare "${PKGFILE}"
43c1ca5d
SR
340 rm -rf rootdir/var/lib/apt/lists
341 signreleasefiles 'Joe Sixpack'
8fa99570 342 successfulaptgetupdate
43c1ca5d
SR
343
344 # New .deb but now an unsigned archive. For example MITM to circumvent
345 # package verification.
8fa99570 346 msgmsg 'Warm archive signed by' 'nobody'
63c71412 347 prepare "${PKGFILE}-new"
761a5ad2 348 find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
6bf93605 349 updatewithwarnings 'W: .* no longer signed.'
63c71412 350 testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d
SR
351" aptcache show apt
352 failaptnew
353
354 # Unsigned archive from the beginning must also be detected.
6bf93605 355 msgmsg 'Cold archive signed by' 'nobody'
8fa99570 356 rm -rf rootdir/var/lib/apt/lists
6bf93605 357 updatewithwarnings 'W: .* is not signed.'
63c71412 358 testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d
SR
359" aptcache show apt
360 failaptnew
361}
43c1ca5d 362
8fa99570 363runtest3() {
6a4958d3 364 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a 365 msgmsg "Running base test with $1 digest"
8fa99570
DK
366 runtest2
367
08b7761a 368 for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2 369 export APT_DONT_SIGN="$DELETEFILE"
08b7761a 370 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
761a5ad2 371 runtest
5a23c56d 372 export APT_DONT_SIGN='Release.gpg'
08b7761a 373 done
8fa99570
DK
374}
375
e8b1db38
MV
376# diable some protection by default and ensure we still do the verification
377# correctly
378cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
379Acquire::AllowInsecureRepositories "1";
380Acquire::AllowDowngradeToInsecureRepositories "1";
381EOF
08b7761a
DK
382# the hash marked as configureable in our gpgv method
383export APT_TESTS_DIGEST_ALGO='SHA224'
e8b1db38 384
8fa99570
DK
385successfulaptgetupdate() {
386 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb
DK
387 if [ -n "$1" ]; then
388 cp rootdir/tmp/testsuccess.output aptupdate.output
389 testsuccess grep "$1" aptupdate.output
390 fi
8fa99570 391}
6a4958d3 392runtest3 'Trusted'
e8b1db38 393
8fa99570
DK
394successfulaptgetupdate() {
395 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb
DK
396 if [ -n "$1" ]; then
397 testsuccess grep "$1" rootdir/tmp/testwarning.output
398 fi
8fa99570
DK
399 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
400}
6a4958d3 401runtest3 'Weak'
08b7761a
DK
402
403msgmsg "Running test with apt-untrusted digest"
6a4958d3 404echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a
DK
405runfailure() {
406 for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2 407 export APT_DONT_SIGN="$DELETEFILE"
08b7761a
DK
408 msgmsg 'Cold archive signed by' 'Joe Sixpack'
409 prepare "${PKGFILE}"
410 rm -rf rootdir/var/lib/apt/lists
411 signreleasefiles 'Joe Sixpack'
08b7761a
DK
412 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
413 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
414 testnopackage 'apt'
415 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
416 failaptold
417
418 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
419 prepare "${PKGFILE}"
420 rm -rf rootdir/var/lib/apt/lists
421 signreleasefiles 'Marvin Paranoid'
08b7761a
DK
422 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
423 testnopackage 'apt'
424 updatewithwarnings '^W: .* NO_PUBKEY'
425 testsuccessequal "$(cat "${PKGFILE}")
426" aptcache show apt
427 failaptold
5a23c56d 428 export APT_DONT_SIGN='Release.gpg'
08b7761a
DK
429 done
430}
431runfailure
432
433msgmsg "Running test with gpgv-untrusted digest"
434export APT_TESTS_DIGEST_ALGO='MD5'
435runfailure