[apt.git] / test / integration / test-releasefile-verification

#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

buildaptarchive
setupflataptarchive
changetowebserver

webserverconfig 'aptwebserver::support::range' 'false'

prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		if [ "$1" = "${PKGFILE}-new" ]; then
			DATE='now - 1 day'
		else
			DATE='now - 7 day'
		fi
	fi
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' "$release"
	done
	aptget clean
	cp "$1" aptarchive/Packages
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE" 'now + 1 month'
}

installaptold() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.7.25.3
Download complete and in download only mode" aptget install apt -dy
}

installaptnew() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.8.0~pre1
Download complete and in download only mode" aptget install apt -dy
}

failaptold() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

failaptnew() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

# fake our downloadable file
touch aptarchive/apt.deb

PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"

updatewithwarnings() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}

runtest() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
		touch rootdir/etc/apt/apt.conf.d/99gnupg2
	elif gpg2 --version >/dev/null 2>&1; then
		echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
		if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
			rm rootdir/etc/apt/apt.conf.d/99gnupg2
		fi
	fi
	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
		updatewithwarnings '^W: .* EXPSIG'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	else
		msgskip 'Not a new enough gpg available providing --fake-system-time'
	fi

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	successfulaptgetupdate 'NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Rex Expired'
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	successfulaptgetupdate 'EXPKEYSIG'
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold

	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Marvin Paranoid'
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Rex Expired'
	prepare "${PKGFILE}-new"
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	updatewithwarnings '^W: .* NO_PUBKEY'
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*

	local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
	successfulaptgetupdate 'NoPubKey: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*

	rm -rf rootdir/var/lib/apt/lists-bak
	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'

	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	sed -i "/^Valid-Until: / a\
Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN} ${MARVIN}, \\
 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew
}

runtest2() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	msgmsg 'Warm archive signed by' 'nobody'
	prepare "${PKGFILE}-new"
	find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	msgmsg 'Cold archive signed by' 'nobody'
	rm -rf rootdir/var/lib/apt/lists
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew
}

runtest3() {
	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	msgmsg "Running base test with $1 digest"
	runtest2

	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		export APT_DONT_SIGN="$DELETEFILE"
		msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
		runtest
		unset APT_DONT_SIGN
	done
}

# diable some protection by default and ensure we still do the verification
# correctly
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF
# the hash marked as configureable in our gpgv method
export APT_TESTS_DIGEST_ALGO='SHA224'

successfulaptgetupdate() {
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		cp rootdir/tmp/testsuccess.output aptupdate.output
		testsuccess grep "$1" aptupdate.output
	fi
}
runtest3 'Trusted'

successfulaptgetupdate() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		testsuccess grep "$1" rootdir/tmp/testwarning.output
	fi
	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
runtest3 'Weak'

msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
runfailure() {
	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		export APT_DONT_SIGN="$DELETEFILE"
		msgmsg 'Cold archive signed by' 'Joe Sixpack'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack'
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
		testnopackage 'apt'
		testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold

		msgmsg 'Cold archive signed by' 'Marvin Paranoid'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Marvin Paranoid'
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testnopackage 'apt'
		updatewithwarnings '^W: .* NO_PUBKEY'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		unset APT_DONT_SIGN
	done
}
runfailure

msgmsg "Running test with gpgv-untrusted digest"
export APT_TESTS_DIGEST_ALGO='MD5'
runfailure
Commit	Line	Data
fe0f7911 DK	1	#!/bin/sh
	2	set -e
	3
3abb6a6a DK	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
3abb6a6a DK	5	. "$TESTDIR/framework"
fe0f7911 DK	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
	10	buildaptarchive
	11	setupflataptarchive
	12	changetowebserver
	13
f2c0ec8b	14	webserverconfig 'aptwebserver::support::range' 'false'
331e8396	15
fe0f7911 DK	16	prepare() {
fe0f7911 DK	17	local DATE="${2:-now}"
331e8396 DK	18	if [ "$DATE" = 'now' ]; then
	19	if [ "$1" = "${PKGFILE}-new" ]; then
	20	DATE='now - 1 day'
	21	else
	22	DATE='now - 7 day'
	23	fi
fe0f7911 DK	24	fi
fe0f7911 DK	25	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412	26	touch -d 'now - 1 year' "$release"
fe0f7911	27	done
8de79b68	28	aptget clean
63c71412	29	cp "$1" aptarchive/Packages
fe0f7911	30	find aptarchive -name 'Release' -delete
331e8396	31	compressfile 'aptarchive/Packages' "$DATE"
89901946	32	generatereleasefiles "$DATE" 'now + 1 month'
fe0f7911 DK	33	}
	34
	35	installaptold() {
46e00c90	36	rm -rf rootdir/var/cache/apt/archives
6c0765c0	37	testsuccessequal "Reading package lists...
fe0f7911 DK	38	Building dependency tree...
fe0f7911 DK	39	Suggested packages:
9112f777	40	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	41	The following NEW packages will be installed:
	42	apt
	43	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	44	After this operation, 5370 kB of additional disk space will be used.
6c0765c0 DK	45	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
6c0765c0 DK	46	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	47	}
	48
	49	installaptnew() {
89901946	50	rm -rf rootdir/var/cache/apt/archives
6c0765c0	51	testsuccessequal "Reading package lists...
fe0f7911 DK	52	Building dependency tree...
fe0f7911 DK	53	Suggested packages:
9112f777	54	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	55	The following NEW packages will be installed:
	56	apt
	57	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	58	After this operation, 5808 kB of additional disk space will be used.
6c0765c0 DK	59	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
6c0765c0 DK	60	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	61	}
	62
	63	failaptold() {
25b86db1	64	testfailureequal 'Reading package lists...
fe0f7911 DK	65	Building dependency tree...
fe0f7911 DK	66	Suggested packages:
9112f777	67	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	68	The following NEW packages will be installed:
	69	apt
	70	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	71	After this operation, 5370 kB of additional disk space will be used.
	72	WARNING: The following packages cannot be authenticated!
	73	apt
b381a482	74	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	75	}
	76
	77	failaptnew() {
25b86db1	78	testfailureequal 'Reading package lists...
fe0f7911 DK	79	Building dependency tree...
fe0f7911 DK	80	Suggested packages:
9112f777	81	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	82	The following NEW packages will be installed:
	83	apt
	84	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	85	After this operation, 5808 kB of additional disk space will be used.
	86	WARNING: The following packages cannot be authenticated!
	87	apt
b381a482	88	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	89	}
	90
	91	# fake our downloadable file
	92	touch aptarchive/apt.deb
	93
63c71412	94	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
fe0f7911	95
6bf93605	96	updatewithwarnings() {
4e03c47d	97	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605	98	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396 DK	99	}
331e8396 DK	100
fe0f7911	101	runtest() {
8fa99570	102	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	103	prepare "${PKGFILE}"
fe0f7911 DK	104	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	105	signreleasefiles 'Joe Sixpack'
8fa99570	106	successfulaptgetupdate
63c71412	107	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	108	" aptcache show apt
	109	installaptold
	110
8fa99570	111	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	112	prepare "${PKGFILE}-new"
fe0f7911	113	signreleasefiles 'Joe Sixpack'
8fa99570	114	successfulaptgetupdate
63c71412	115	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	116	" aptcache show apt
	117	installaptnew
	118
8fa99570	119	msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412	120	prepare "${PKGFILE}"
29a59c46 DK	121	rm -rf rootdir/var/lib/apt/lists
	122	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	123	signreleasefiles 'Rex Expired'
f13b413a	124	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	125	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	126	" aptcache show apt
29a59c46 DK	127	failaptold
fb7b11eb	128	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911	129
1af227c2 DK	130	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	131	if dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	132	touch rootdir/etc/apt/apt.conf.d/99gnupg2
	133	elif gpg2 --version >/dev/null 2>&1; then
	134	echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
	135	if ! dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	136	rm rootdir/etc/apt/apt.conf.d/99gnupg2
	137	fi
	138	fi
	139	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
	140	prepare "${PKGFILE}"
	141	rm -rf rootdir/var/lib/apt/lists
	142	signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
1af227c2 DK	143	updatewithwarnings '^W: .* EXPSIG'
	144	testsuccessequal "$(cat "${PKGFILE}")
	145	" aptcache show apt
	146	failaptold
	147	rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	148	else
	149	msgskip 'Not a new enough gpg available providing --fake-system-time'
	150	fi
	151
fb7b11eb DK	152	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	153	prepare "${PKGFILE}"
	154	rm -rf rootdir/var/lib/apt/lists
	155	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
fb7b11eb DK	156	successfulaptgetupdate 'NO_PUBKEY'
	157	testsuccessequal "$(cat "${PKGFILE}")
	158	" aptcache show apt
	159	installaptold
	160
	161	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	162	prepare "${PKGFILE}"
	163	rm -rf rootdir/var/lib/apt/lists
	164	signreleasefiles 'Joe Sixpack,Rex Expired'
fb7b11eb DK	165	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	166	successfulaptgetupdate 'EXPKEYSIG'
	167	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	168	testsuccessequal "$(cat "${PKGFILE}")
	169	" aptcache show apt
	170	installaptold
	171
8fa99570	172	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412	173	prepare "${PKGFILE}"
fe0f7911 DK	174	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	175	signreleasefiles 'Marvin Paranoid'
6bf93605	176	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	177	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	178	" aptcache show apt
	179	failaptold
	180
8fa99570	181	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412	182	prepare "${PKGFILE}-new"
fe0f7911	183	signreleasefiles 'Joe Sixpack'
8fa99570	184	successfulaptgetupdate
63c71412	185	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	186	" aptcache show apt
	187	installaptnew
	188
8fa99570	189	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	190	prepare "${PKGFILE}"
fe0f7911 DK	191	rm -rf rootdir/var/lib/apt/lists
fe0f7911 DK	192	signreleasefiles 'Joe Sixpack'
8fa99570	193	successfulaptgetupdate
63c71412	194	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	195	" aptcache show apt
	196	installaptold
	197
8fa99570	198	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412	199	prepare "${PKGFILE}-new"
fe0f7911	200	signreleasefiles 'Marvin Paranoid'
6bf93605	201	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	202	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	203	" aptcache show apt
	204	installaptold
	205
8fa99570	206	msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412	207	prepare "${PKGFILE}-new"
29a59c46 DK	208	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	209	signreleasefiles 'Rex Expired'
f13b413a	210	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	211	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	212	" aptcache show apt
fe0f7911 DK	213	installaptold
29a59c46 DK	214	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	215
8fa99570	216	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	217	prepare "${PKGFILE}-new"
29a59c46	218	signreleasefiles
8fa99570	219	successfulaptgetupdate
63c71412	220	testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46 DK	221	" aptcache show apt
29a59c46 DK	222	installaptnew
b0d40854	223
8fa99570	224	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412	225	prepare "${PKGFILE}"
b0d40854 DK	226	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	227	signreleasefiles 'Marvin Paranoid'
b0d40854 DK	228	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
b0d40854 DK	229	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570	230	successfulaptgetupdate
63c71412	231	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	232	" aptcache show apt
	233	installaptold
	234
8fa99570	235	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854 DK	236	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	237	signreleasefiles 'Joe Sixpack'
b0d40854	238	updatewithwarnings '^W: .* NO_PUBKEY'
b0d40854	239	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
46e00c90	240
b0d40854	241	local MARVIN="$(aptkey --keyring $MARVIN finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
46e00c90 DK	242	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	243	rm -rf rootdir/var/lib/apt/lists
	244	signreleasefiles 'Joe Sixpack'
46e00c90 DK	245	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
46e00c90 DK	246	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854	247
8fa99570	248	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
b0d40854 DK	249	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	250	signreleasefiles 'Marvin Paranoid'
b0d40854	251	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570	252	successfulaptgetupdate
63c71412	253	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	254	" aptcache show apt
b0d40854 DK	255	installaptold
b0d40854	256
46e00c90 DK	257	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	258	rm -rf rootdir/var/lib/apt/lists
	259	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
46e00c90 DK	260	successfulaptgetupdate 'NoPubKey: GOODSIG'
	261	testsuccessequal "$(cat "${PKGFILE}")
	262	" aptcache show apt
	263	installaptold
	264
	265	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	266	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
b0d40854 DK	267	rm -rf rootdir/var/lib/apt/lists
b0d40854 DK	268	signreleasefiles 'Joe Sixpack'
46e00c90 DK	269	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	270	successfulaptgetupdate
	271	testsuccessequal "$(cat "${PKGFILE}")
	272	" aptcache show apt
	273	installaptold
	274
	275	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	276	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	277	rm -rf rootdir/var/lib/apt/lists
	278	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	279	successfulaptgetupdate
	280	testsuccessequal "$(cat "${PKGFILE}")
	281	" aptcache show apt
	282	installaptold
	283	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	284	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
b0d40854	285
89901946 DK	286	rm -rf rootdir/var/lib/apt/lists-bak
	287	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	288	prepare "${PKGFILE}-new"
	289	signreleasefiles 'Joe Sixpack'
89901946 DK	290
	291	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	292	sed -i "/^Valid-Until: / a\
	293	Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	294	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	295	successfulaptgetupdate
	296	testsuccessequal "$(cat "${PKGFILE}-new")
	297	" aptcache show apt
	298	installaptnew
	299
	300	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	301	rm -rf rootdir/var/lib/apt/lists
	302	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	303	sed -i "/^Valid-Until: / a\
	304	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	305	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	306	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	307	testsuccessequal "$(cat "${PKGFILE}")
	308	" aptcache show apt
	309	installaptold
	310
	311	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	312	rm -rf rootdir/var/lib/apt/lists
	313	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	314	sed -i "/^Valid-Until: / a\
	315	Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
	316	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	317	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	318	successfulaptgetupdate
	319	testsuccessequal "$(cat "${PKGFILE}-new")
	320	" aptcache show apt
	321	installaptnew
	322
	323	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	324	rm -rf rootdir/var/lib/apt/lists
	325	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	326	sed -i "/^Valid-Until: / a\
	327	Signed-By: ${MARVIN} ${MARVIN}, \\
	328	${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	329	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	330	successfulaptgetupdate
	331	testsuccessequal "$(cat "${PKGFILE}-new")
	332	" aptcache show apt
	333	installaptnew
fe0f7911 DK	334	}
fe0f7911 DK	335
43c1ca5d	336	runtest2() {
8fa99570	337	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	338	prepare "${PKGFILE}"
43c1ca5d SR	339	rm -rf rootdir/var/lib/apt/lists
43c1ca5d SR	340	signreleasefiles 'Joe Sixpack'
8fa99570	341	successfulaptgetupdate
43c1ca5d SR	342
	343	# New .deb but now an unsigned archive. For example MITM to circumvent
	344	# package verification.
8fa99570	345	msgmsg 'Warm archive signed by' 'nobody'
63c71412	346	prepare "${PKGFILE}-new"
761a5ad2	347	find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
6bf93605	348	updatewithwarnings 'W: .* no longer signed.'
63c71412	349	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	350	" aptcache show apt
	351	failaptnew
	352
	353	# Unsigned archive from the beginning must also be detected.
6bf93605	354	msgmsg 'Cold archive signed by' 'nobody'
8fa99570	355	rm -rf rootdir/var/lib/apt/lists
6bf93605	356	updatewithwarnings 'W: .* is not signed.'
63c71412	357	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	358	" aptcache show apt
	359	failaptnew
	360	}
43c1ca5d	361
8fa99570	362	runtest3() {
6a4958d3	363	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a	364	msgmsg "Running base test with $1 digest"
8fa99570 DK	365	runtest2
8fa99570 DK	366
08b7761a	367	for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2	368	export APT_DONT_SIGN="$DELETEFILE"
08b7761a	369	msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
761a5ad2 DK	370	runtest
761a5ad2 DK	371	unset APT_DONT_SIGN
08b7761a	372	done
8fa99570 DK	373	}
8fa99570 DK	374
e8b1db38 MV	375	# diable some protection by default and ensure we still do the verification
	376	# correctly
	377	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	378	Acquire::AllowInsecureRepositories "1";
	379	Acquire::AllowDowngradeToInsecureRepositories "1";
	380	EOF
08b7761a DK	381	# the hash marked as configureable in our gpgv method
08b7761a DK	382	export APT_TESTS_DIGEST_ALGO='SHA224'
e8b1db38	383
8fa99570 DK	384	successfulaptgetupdate() {
8fa99570 DK	385	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	386	if [ -n "$1" ]; then
	387	cp rootdir/tmp/testsuccess.output aptupdate.output
	388	testsuccess grep "$1" aptupdate.output
	389	fi
8fa99570	390	}
6a4958d3	391	runtest3 'Trusted'
e8b1db38	392
8fa99570 DK	393	successfulaptgetupdate() {
8fa99570 DK	394	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	395	if [ -n "$1" ]; then
	396	testsuccess grep "$1" rootdir/tmp/testwarning.output
	397	fi
8fa99570 DK	398	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
8fa99570 DK	399	}
6a4958d3	400	runtest3 'Weak'
08b7761a DK	401
08b7761a DK	402	msgmsg "Running test with apt-untrusted digest"
6a4958d3	403	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a DK	404	runfailure() {
08b7761a DK	405	for DELETEFILE in 'InRelease' 'Release.gpg'; do
761a5ad2	406	export APT_DONT_SIGN="$DELETEFILE"
08b7761a DK	407	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	408	prepare "${PKGFILE}"
	409	rm -rf rootdir/var/lib/apt/lists
	410	signreleasefiles 'Joe Sixpack'
08b7761a DK	411	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	412	testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
	413	testnopackage 'apt'
	414	testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	415	failaptold
	416
	417	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	418	prepare "${PKGFILE}"
	419	rm -rf rootdir/var/lib/apt/lists
	420	signreleasefiles 'Marvin Paranoid'
08b7761a DK	421	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	422	testnopackage 'apt'
	423	updatewithwarnings '^W: .* NO_PUBKEY'
	424	testsuccessequal "$(cat "${PKGFILE}")
	425	" aptcache show apt
	426	failaptold
761a5ad2	427	unset APT_DONT_SIGN
08b7761a DK	428	done
	429	}
	430	runfailure
	431
	432	msgmsg "Running test with gpgv-untrusted digest"
	433	export APT_TESTS_DIGEST_ALGO='MD5'
	434	runfailure