[apt.git] / test / integration / test-releasefile-verification

#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

export APT_DONT_SIGN='Release.gpg'
buildaptarchive
setupflataptarchive
changetowebserver

webserverconfig 'aptwebserver::support::range' 'false'

prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		if [ "$1" = "${PKGFILE}-new" ]; then
			DATE='now - 1 day'
		else
			DATE='now - 7 day'
		fi
	fi
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' "$release"
	done
	aptget clean
	cp "$1" aptarchive/Packages
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE" 'now + 1 month'
}

installaptold() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.7.25.3
Download complete and in download only mode" aptget install apt -dy
}

installaptnew() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.8.0~pre1
Download complete and in download only mode" aptget install apt -dy
}

failaptold() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

failaptnew() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

# fake our downloadable file
touch aptarchive/apt.deb

PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"

updatewithwarnings() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}

runtest() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
		touch rootdir/etc/apt/apt.conf.d/99gnupg2
	elif gpg2 --version >/dev/null 2>&1; then
		echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
		if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
			rm rootdir/etc/apt/apt.conf.d/99gnupg2
		fi
	fi
	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
		updatewithwarnings '^W: .* EXPSIG'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	else
		msgskip 'Not a new enough gpg available providing --fake-system-time'
	fi

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	successfulaptgetupdate 'NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Rex Expired'
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	successfulaptgetupdate 'EXPKEYSIG'
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold

	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Rex Expired'
	prepare "${PKGFILE}-new"
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	updatewithwarnings '^W: .* NO_PUBKEY'
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*

	local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
	successfulaptgetupdate 'NoPubKey: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*

	rm -rf rootdir/var/lib/apt/lists-bak
	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'

	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	sed -i "/^Valid-Until: / a\
Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN} ${MARVIN}, \\
 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew
}

runtest2() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	msgmsg 'Warm archive signed by' 'nobody'
	prepare "${PKGFILE}-new"
	find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	msgmsg 'Cold archive signed by' 'nobody'
	rm -rf rootdir/var/lib/apt/lists
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew
}

runtest3() {
	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	msgmsg "Running base test with $1 digest"
	runtest2

	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		export APT_DONT_SIGN="$DELETEFILE"
		msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
		runtest
		export APT_DONT_SIGN='Release.gpg'
	done
}

# diable some protection by default and ensure we still do the verification
# correctly
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF
# the hash marked as configurable in our gpgv method
export APT_TESTS_DIGEST_ALGO='SHA224'

successfulaptgetupdate() {
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		cp rootdir/tmp/testsuccess.output aptupdate.output
		testsuccess grep "$1" aptupdate.output
	fi
}
runtest3 'Trusted'

successfulaptgetupdate() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		testsuccess grep "$1" rootdir/tmp/testwarning.output
	fi
	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
runtest3 'Weak'

msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
runfailure() {
	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		export APT_DONT_SIGN="$DELETEFILE"
		msgmsg 'Cold archive signed by' 'Joe Sixpack'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack'
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
		testnopackage 'apt'
		testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold
		rm -rf rootdir/var/lib/apt/lists
		sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
		testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold
		sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*

		msgmsg 'Cold archive signed by' 'Marvin Paranoid'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Marvin Paranoid'
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testnopackage 'apt'
		updatewithwarnings '^W: .* NO_PUBKEY'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		export APT_DONT_SIGN='Release.gpg'
	done
}
runfailure

msgmsg "Running test with gpgv-untrusted digest"
export APT_TESTS_DIGEST_ALGO='MD5'
runfailure
Commit	Line	Data
fe0f7911 DK	1	#!/bin/sh
	2	set -e
	3
3abb6a6a DK	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
3abb6a6a DK	5	. "$TESTDIR/framework"
fe0f7911 DK	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
5a23c56d	10	export APT_DONT_SIGN='Release.gpg'
fe0f7911 DK	11	buildaptarchive
	12	setupflataptarchive
	13	changetowebserver
	14
f2c0ec8b	15	webserverconfig 'aptwebserver::support::range' 'false'
331e8396	16
fe0f7911 DK	17	prepare() {
fe0f7911 DK	18	local DATE="${2:-now}"
331e8396 DK	19	if [ "$DATE" = 'now' ]; then
	20	if [ "$1" = "${PKGFILE}-new" ]; then
	21	DATE='now - 1 day'
	22	else
	23	DATE='now - 7 day'
	24	fi
fe0f7911 DK	25	fi
fe0f7911 DK	26	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412	27	touch -d 'now - 1 year' "$release"
fe0f7911	28	done
8de79b68	29	aptget clean
63c71412	30	cp "$1" aptarchive/Packages
fe0f7911	31	find aptarchive -name 'Release' -delete
331e8396	32	compressfile 'aptarchive/Packages' "$DATE"
89901946	33	generatereleasefiles "$DATE" 'now + 1 month'
fe0f7911 DK	34	}
	35
	36	installaptold() {
46e00c90	37	rm -rf rootdir/var/cache/apt/archives
6c0765c0	38	testsuccessequal "Reading package lists...
fe0f7911 DK	39	Building dependency tree...
fe0f7911 DK	40	Suggested packages:
9112f777	41	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	42	The following NEW packages will be installed:
	43	apt
	44	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	45	After this operation, 5370 kB of additional disk space will be used.
6c0765c0 DK	46	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
6c0765c0 DK	47	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	48	}
	49
	50	installaptnew() {
89901946	51	rm -rf rootdir/var/cache/apt/archives
6c0765c0	52	testsuccessequal "Reading package lists...
fe0f7911 DK	53	Building dependency tree...
fe0f7911 DK	54	Suggested packages:
9112f777	55	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	56	The following NEW packages will be installed:
	57	apt
	58	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	59	After this operation, 5808 kB of additional disk space will be used.
6c0765c0 DK	60	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
6c0765c0 DK	61	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	62	}
	63
	64	failaptold() {
25b86db1	65	testfailureequal 'Reading package lists...
fe0f7911 DK	66	Building dependency tree...
fe0f7911 DK	67	Suggested packages:
9112f777	68	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	69	The following NEW packages will be installed:
	70	apt
	71	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	72	After this operation, 5370 kB of additional disk space will be used.
	73	WARNING: The following packages cannot be authenticated!
	74	apt
b381a482	75	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	76	}
	77
	78	failaptnew() {
25b86db1	79	testfailureequal 'Reading package lists...
fe0f7911 DK	80	Building dependency tree...
fe0f7911 DK	81	Suggested packages:
9112f777	82	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	83	The following NEW packages will be installed:
	84	apt
	85	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	86	After this operation, 5808 kB of additional disk space will be used.
	87	WARNING: The following packages cannot be authenticated!
	88	apt
b381a482	89	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	90	}
	91
	92	# fake our downloadable file
	93	touch aptarchive/apt.deb
	94
63c71412	95	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
fe0f7911	96
6bf93605	97	updatewithwarnings() {
4e03c47d	98	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605	99	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396 DK	100	}
331e8396 DK	101
fe0f7911	102	runtest() {
8fa99570	103	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	104	prepare "${PKGFILE}"
fe0f7911 DK	105	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	106	signreleasefiles 'Joe Sixpack'
8fa99570	107	successfulaptgetupdate
63c71412	108	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	109	" aptcache show apt
	110	installaptold
	111
8fa99570	112	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	113	prepare "${PKGFILE}-new"
fe0f7911	114	signreleasefiles 'Joe Sixpack'
8fa99570	115	successfulaptgetupdate
63c71412	116	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	117	" aptcache show apt
	118	installaptnew
	119
8fa99570	120	msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412	121	prepare "${PKGFILE}"
29a59c46 DK	122	rm -rf rootdir/var/lib/apt/lists
	123	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	124	signreleasefiles 'Rex Expired'
f13b413a	125	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	126	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	127	" aptcache show apt
29a59c46 DK	128	failaptold
fb7b11eb	129	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911	130
1af227c2 DK	131	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	132	if dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	133	touch rootdir/etc/apt/apt.conf.d/99gnupg2
	134	elif gpg2 --version >/dev/null 2>&1; then
	135	echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
	136	if ! dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	137	rm rootdir/etc/apt/apt.conf.d/99gnupg2
	138	fi
	139	fi
	140	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
	141	prepare "${PKGFILE}"
	142	rm -rf rootdir/var/lib/apt/lists
	143	signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
1af227c2 DK	144	updatewithwarnings '^W: .* EXPSIG'
	145	testsuccessequal "$(cat "${PKGFILE}")
	146	" aptcache show apt
	147	failaptold
	148	rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	149	else
	150	msgskip 'Not a new enough gpg available providing --fake-system-time'
	151	fi
	152
fb7b11eb DK	153	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	154	prepare "${PKGFILE}"
	155	rm -rf rootdir/var/lib/apt/lists
	156	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
fb7b11eb DK	157	successfulaptgetupdate 'NO_PUBKEY'
	158	testsuccessequal "$(cat "${PKGFILE}")
	159	" aptcache show apt
	160	installaptold
	161
	162	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	163	prepare "${PKGFILE}"
	164	rm -rf rootdir/var/lib/apt/lists
	165	signreleasefiles 'Joe Sixpack,Rex Expired'
fb7b11eb DK	166	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	167	successfulaptgetupdate 'EXPKEYSIG'
	168	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	169	testsuccessequal "$(cat "${PKGFILE}")
	170	" aptcache show apt
	171	installaptold
	172
8fa99570	173	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412	174	prepare "${PKGFILE}"
fe0f7911 DK	175	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	176	signreleasefiles 'Marvin Paranoid'
6bf93605	177	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	178	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	179	" aptcache show apt
	180	failaptold
	181
8fa99570	182	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412	183	prepare "${PKGFILE}-new"
fe0f7911	184	signreleasefiles 'Joe Sixpack'
8fa99570	185	successfulaptgetupdate
63c71412	186	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	187	" aptcache show apt
	188	installaptnew
	189
8fa99570	190	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	191	prepare "${PKGFILE}"
fe0f7911 DK	192	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	193	signreleasefiles 'Joe Sixpack'
8fa99570	194	successfulaptgetupdate
63c71412	195	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	196	" aptcache show apt
	197	installaptold
	198
8fa99570	199	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412	200	prepare "${PKGFILE}-new"
fe0f7911	201	signreleasefiles 'Marvin Paranoid'
6bf93605	202	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	203	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	204	" aptcache show apt
	205	installaptold
	206
8fa99570	207	msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412	208	prepare "${PKGFILE}-new"
29a59c46 DK	209	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	210	signreleasefiles 'Rex Expired'
f13b413a	211	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	212	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	213	" aptcache show apt
fe0f7911 DK	214	installaptold
29a59c46 DK	215	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	216
8fa99570	217	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	218	prepare "${PKGFILE}-new"
29a59c46	219	signreleasefiles
8fa99570	220	successfulaptgetupdate
63c71412	221	testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46 DK	222	" aptcache show apt
29a59c46 DK	223	installaptnew
b0d40854	224
8fa99570	225	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412	226	prepare "${PKGFILE}"
b0d40854 DK	227	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	228	signreleasefiles 'Marvin Paranoid'
b0d40854 DK	229	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
b0d40854 DK	230	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570	231	successfulaptgetupdate
63c71412	232	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	233	" aptcache show apt
	234	installaptold
	235
8fa99570	236	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854 DK	237	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	238	signreleasefiles 'Joe Sixpack'
b0d40854	239	updatewithwarnings '^W: .* NO_PUBKEY'
b0d40854	240	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
46e00c90	241
b0d40854	242	local MARVIN="$(aptkey --keyring $MARVIN finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
46e00c90 DK	243	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	244	rm -rf rootdir/var/lib/apt/lists
	245	signreleasefiles 'Joe Sixpack'
46e00c90 DK	246	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
46e00c90 DK	247	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854	248
8fa99570	249	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
b0d40854 DK	250	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	251	signreleasefiles 'Marvin Paranoid'
b0d40854	252	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570	253	successfulaptgetupdate
63c71412	254	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	255	" aptcache show apt
b0d40854 DK	256	installaptold
b0d40854	257
46e00c90 DK	258	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	259	rm -rf rootdir/var/lib/apt/lists
	260	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
46e00c90 DK	261	successfulaptgetupdate 'NoPubKey: GOODSIG'
	262	testsuccessequal "$(cat "${PKGFILE}")
	263	" aptcache show apt
	264	installaptold
	265
	266	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	267	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
b0d40854 DK	268	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	269	signreleasefiles 'Joe Sixpack'
46e00c90 DK	270	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	271	successfulaptgetupdate
	272	testsuccessequal "$(cat "${PKGFILE}")
	273	" aptcache show apt
	274	installaptold
	275
	276	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	277	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	278	rm -rf rootdir/var/lib/apt/lists
	279	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	280	successfulaptgetupdate
	281	testsuccessequal "$(cat "${PKGFILE}")
	282	" aptcache show apt
	283	installaptold
	284	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	285	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
b0d40854	286
89901946 DK	287	rm -rf rootdir/var/lib/apt/lists-bak
	288	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	289	prepare "${PKGFILE}-new"
	290	signreleasefiles 'Joe Sixpack'
89901946 DK	291
	292	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	293	sed -i "/^Valid-Until: / a\
	294	Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	295	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	296	successfulaptgetupdate
	297	testsuccessequal "$(cat "${PKGFILE}-new")
	298	" aptcache show apt
	299	installaptnew
	300
	301	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	302	rm -rf rootdir/var/lib/apt/lists
	303	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	304	sed -i "/^Valid-Until: / a\
	305	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	306	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	307	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	308	testsuccessequal "$(cat "${PKGFILE}")
	309	" aptcache show apt
	310	installaptold
	311
	312	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	313	rm -rf rootdir/var/lib/apt/lists
	314	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	315	sed -i "/^Valid-Until: / a\
	316	Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
	317	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	318	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	319	successfulaptgetupdate
	320	testsuccessequal "$(cat "${PKGFILE}-new")
	321	" aptcache show apt
	322	installaptnew
	323
	324	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	325	rm -rf rootdir/var/lib/apt/lists
	326	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	327	sed -i "/^Valid-Until: / a\
	328	Signed-By: ${MARVIN} ${MARVIN}, \\
	329	${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	330	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	331	successfulaptgetupdate
	332	testsuccessequal "$(cat "${PKGFILE}-new")
	333	" aptcache show apt
	334	installaptnew
fe0f7911 DK	335	}
fe0f7911 DK	336
43c1ca5d	337	runtest2() {
8fa99570	338	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	339	prepare "${PKGFILE}"
43c1ca5d SR	340	rm -rf rootdir/var/lib/apt/lists
43c1ca5d SR	341	signreleasefiles 'Joe Sixpack'
8fa99570	342	successfulaptgetupdate
43c1ca5d SR	343
	344	# New .deb but now an unsigned archive. For example MITM to circumvent
	345	# package verification.
8fa99570	346	msgmsg 'Warm archive signed by' 'nobody'
63c71412	347	prepare "${PKGFILE}-new"
761a5ad2	348	find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
6bf93605	349	updatewithwarnings 'W: .* no longer signed.'
63c71412	350	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	351	" aptcache show apt
	352	failaptnew
	353
	354	# Unsigned archive from the beginning must also be detected.
6bf93605	355	msgmsg 'Cold archive signed by' 'nobody'
8fa99570	356	rm -rf rootdir/var/lib/apt/lists
6bf93605	357	updatewithwarnings 'W: .* is not signed.'
63c71412	358	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	359	" aptcache show apt
	360	failaptnew
	361	}
43c1ca5d	362
8fa99570	363	runtest3() {
6a4958d3	364	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a	365	msgmsg "Running base test with $1 digest"
8fa99570 DK	366	runtest2
8fa99570 DK	367
08b7761a	368	for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2	369	export APT_DONT_SIGN="$DELETEFILE"
08b7761a	370	msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
761a5ad2	371	runtest
5a23c56d	372	export APT_DONT_SIGN='Release.gpg'
08b7761a	373	done
8fa99570 DK	374	}
8fa99570 DK	375
e8b1db38 MV	376	# diable some protection by default and ensure we still do the verification
	377	# correctly
	378	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	379	Acquire::AllowInsecureRepositories "1";
	380	Acquire::AllowDowngradeToInsecureRepositories "1";
	381	EOF
196d590a	382	# the hash marked as configurable in our gpgv method
08b7761a	383	export APT_TESTS_DIGEST_ALGO='SHA224'
e8b1db38	384
8fa99570 DK	385	successfulaptgetupdate() {
8fa99570 DK	386	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	387	if [ -n "$1" ]; then
	388	cp rootdir/tmp/testsuccess.output aptupdate.output
	389	testsuccess grep "$1" aptupdate.output
	390	fi
8fa99570	391	}
6a4958d3	392	runtest3 'Trusted'
e8b1db38	393
8fa99570 DK	394	successfulaptgetupdate() {
8fa99570 DK	395	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	396	if [ -n "$1" ]; then
	397	testsuccess grep "$1" rootdir/tmp/testwarning.output
	398	fi
8fa99570 DK	399	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
8fa99570 DK	400	}
6a4958d3	401	runtest3 'Weak'
08b7761a DK	402
08b7761a DK	403	msgmsg "Running test with apt-untrusted digest"
6a4958d3	404	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a DK	405	runfailure() {
08b7761a DK	406	for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2	407	export APT_DONT_SIGN="$DELETEFILE"
08b7761a DK	408	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	409	prepare "${PKGFILE}"
	410	rm -rf rootdir/var/lib/apt/lists
	411	signreleasefiles 'Joe Sixpack'
08b7761a DK	412	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	413	testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
	414	testnopackage 'apt'
	415	testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	416	failaptold
d03b947b DK	417	rm -rf rootdir/var/lib/apt/lists
	418	sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
	419	testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	420	failaptold
	421	sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
08b7761a DK	422
	423	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	424	prepare "${PKGFILE}"
	425	rm -rf rootdir/var/lib/apt/lists
	426	signreleasefiles 'Marvin Paranoid'
08b7761a DK	427	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	428	testnopackage 'apt'
	429	updatewithwarnings '^W: .* NO_PUBKEY'
	430	testsuccessequal "$(cat "${PKGFILE}")
	431	" aptcache show apt
	432	failaptold
5a23c56d	433	export APT_DONT_SIGN='Release.gpg'
08b7761a DK	434	done
	435	}
	436	runfailure
	437
	438	msgmsg "Running test with gpgv-untrusted digest"
	439	export APT_TESTS_DIGEST_ALGO='MD5'
	440	runfailure