[apt.git] / test / integration / test-releasefile-verification

#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

buildaptarchive
setupflataptarchive
changetowebserver

webserverconfig 'aptwebserver::support::range' 'false'

prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		if [ "$1" = "${PKGFILE}-new" ]; then
			DATE='now - 1 day'
		else
			DATE='now - 7 day'
		fi
	fi
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' "$release"
	done
	aptget clean
	cp "$1" aptarchive/Packages
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE" 'now + 1 month'
}

installaptold() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.7.25.3
Download complete and in download only mode" aptget install apt -dy
}

installaptnew() {
	rm -rf rootdir/var/cache/apt/archives
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.8.0~pre1
Download complete and in download only mode" aptget install apt -dy
}

failaptold() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

failaptnew() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

# fake our downloadable file
touch aptarchive/apt.deb

PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"

updatewithwarnings() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}

runtest() {
	local DELETEFILE="$1"
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
		touch rootdir/etc/apt/apt.conf.d/99gnupg2
	elif gpg2 --version >/dev/null 2>&1; then
		echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
		if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
			rm rootdir/etc/apt/apt.conf.d/99gnupg2
		fi
	fi
	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
		find aptarchive/ -name "$DELETEFILE" -delete
		updatewithwarnings '^W: .* EXPSIG'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	else
		msgskip 'Not a new enough gpg available providing --fake-system-time'
	fi

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate 'NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	successfulaptgetupdate 'EXPKEYSIG'
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold

	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Rex Expired'
	prepare "${PKGFILE}-new"
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*

	local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate 'NoPubKey: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*

	rm -rf rootdir/var/lib/apt/lists-bak
	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete

	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	sed -i "/^Valid-Until: / a\
Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN} ${MARVIN}, \\
 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew
}

runtest2() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	msgmsg 'Warm archive signed by' 'nobody'
	prepare "${PKGFILE}-new"
	find aptarchive/ -name InRelease -delete
	find aptarchive/ -name Release.gpg -delete
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	msgmsg 'Cold archive signed by' 'nobody'
	rm -rf rootdir/var/lib/apt/lists
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew
}

runtest3() {
	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	msgmsg "Running base test with $1 digest"
	runtest2

	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
		runtest "$DELETEFILE"
	done
}

# diable some protection by default and ensure we still do the verification
# correctly
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF
# the hash marked as configureable in our gpgv method
export APT_TESTS_DIGEST_ALGO='SHA224'

successfulaptgetupdate() {
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		cp rootdir/tmp/testsuccess.output aptupdate.output
		testsuccess grep "$1" aptupdate.output
	fi
}
runtest3 'Trusted'

successfulaptgetupdate() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		testsuccess grep "$1" rootdir/tmp/testwarning.output
	fi
	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
runtest3 'Weak'

msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
runfailure() {
	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		msgmsg 'Cold archive signed by' 'Joe Sixpack'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack'
		find aptarchive/ -name "$DELETEFILE" -delete
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
		testnopackage 'apt'
		testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold

		msgmsg 'Cold archive signed by' 'Marvin Paranoid'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Marvin Paranoid'
		find aptarchive/ -name "$DELETEFILE" -delete
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testnopackage 'apt'
		updatewithwarnings '^W: .* NO_PUBKEY'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
	done
}
runfailure

msgmsg "Running test with gpgv-untrusted digest"
export APT_TESTS_DIGEST_ALGO='MD5'
runfailure
Commit	Line	Data
fe0f7911 DK	1	#!/bin/sh
	2	set -e
	3
3abb6a6a DK	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
3abb6a6a DK	5	. "$TESTDIR/framework"
fe0f7911 DK	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
	10	buildaptarchive
	11	setupflataptarchive
	12	changetowebserver
	13
f2c0ec8b	14	webserverconfig 'aptwebserver::support::range' 'false'
331e8396	15
fe0f7911 DK	16	prepare() {
fe0f7911 DK	17	local DATE="${2:-now}"
331e8396 DK	18	if [ "$DATE" = 'now' ]; then
	19	if [ "$1" = "${PKGFILE}-new" ]; then
	20	DATE='now - 1 day'
	21	else
	22	DATE='now - 7 day'
	23	fi
fe0f7911 DK	24	fi
fe0f7911 DK	25	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412	26	touch -d 'now - 1 year' "$release"
fe0f7911	27	done
8de79b68	28	aptget clean
63c71412	29	cp "$1" aptarchive/Packages
fe0f7911	30	find aptarchive -name 'Release' -delete
331e8396	31	compressfile 'aptarchive/Packages' "$DATE"
89901946	32	generatereleasefiles "$DATE" 'now + 1 month'
fe0f7911 DK	33	}
	34
	35	installaptold() {
46e00c90	36	rm -rf rootdir/var/cache/apt/archives
6c0765c0	37	testsuccessequal "Reading package lists...
fe0f7911 DK	38	Building dependency tree...
fe0f7911 DK	39	Suggested packages:
9112f777	40	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	41	The following NEW packages will be installed:
	42	apt
	43	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	44	After this operation, 5370 kB of additional disk space will be used.
6c0765c0 DK	45	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
6c0765c0 DK	46	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	47	}
	48
	49	installaptnew() {
89901946	50	rm -rf rootdir/var/cache/apt/archives
6c0765c0	51	testsuccessequal "Reading package lists...
fe0f7911 DK	52	Building dependency tree...
fe0f7911 DK	53	Suggested packages:
9112f777	54	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	55	The following NEW packages will be installed:
	56	apt
	57	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	58	After this operation, 5808 kB of additional disk space will be used.
6c0765c0 DK	59	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
6c0765c0 DK	60	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	61	}
	62
	63	failaptold() {
25b86db1	64	testfailureequal 'Reading package lists...
fe0f7911 DK	65	Building dependency tree...
fe0f7911 DK	66	Suggested packages:
9112f777	67	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	68	The following NEW packages will be installed:
	69	apt
	70	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	71	After this operation, 5370 kB of additional disk space will be used.
	72	WARNING: The following packages cannot be authenticated!
	73	apt
b381a482	74	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	75	}
	76
	77	failaptnew() {
25b86db1	78	testfailureequal 'Reading package lists...
fe0f7911 DK	79	Building dependency tree...
fe0f7911 DK	80	Suggested packages:
9112f777	81	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	82	The following NEW packages will be installed:
	83	apt
	84	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	85	After this operation, 5808 kB of additional disk space will be used.
	86	WARNING: The following packages cannot be authenticated!
	87	apt
b381a482	88	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	89	}
	90
	91	# fake our downloadable file
	92	touch aptarchive/apt.deb
	93
63c71412	94	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
fe0f7911	95
6bf93605	96	updatewithwarnings() {
4e03c47d	97	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605	98	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396 DK	99	}
331e8396 DK	100
fe0f7911	101	runtest() {
08b7761a	102	local DELETEFILE="$1"
8fa99570	103	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	104	prepare "${PKGFILE}"
fe0f7911 DK	105	rm -rf rootdir/var/lib/apt/lists
	106	signreleasefiles 'Joe Sixpack'
	107	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	108	successfulaptgetupdate
63c71412	109	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	110	" aptcache show apt
	111	installaptold
	112
8fa99570	113	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	114	prepare "${PKGFILE}-new"
fe0f7911 DK	115	signreleasefiles 'Joe Sixpack'
fe0f7911 DK	116	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	117	successfulaptgetupdate
63c71412	118	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	119	" aptcache show apt
	120	installaptnew
	121
8fa99570	122	msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412	123	prepare "${PKGFILE}"
29a59c46 DK	124	rm -rf rootdir/var/lib/apt/lists
	125	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	126	signreleasefiles 'Rex Expired'
	127	find aptarchive/ -name "$DELETEFILE" -delete
f13b413a	128	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	129	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	130	" aptcache show apt
29a59c46 DK	131	failaptold
fb7b11eb	132	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911	133
1af227c2 DK	134	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	135	if dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	136	touch rootdir/etc/apt/apt.conf.d/99gnupg2
	137	elif gpg2 --version >/dev/null 2>&1; then
	138	echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
	139	if ! dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	140	rm rootdir/etc/apt/apt.conf.d/99gnupg2
	141	fi
	142	fi
	143	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
	144	prepare "${PKGFILE}"
	145	rm -rf rootdir/var/lib/apt/lists
	146	signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
	147	find aptarchive/ -name "$DELETEFILE" -delete
	148	updatewithwarnings '^W: .* EXPSIG'
	149	testsuccessequal "$(cat "${PKGFILE}")
	150	" aptcache show apt
	151	failaptold
	152	rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	153	else
	154	msgskip 'Not a new enough gpg available providing --fake-system-time'
	155	fi
	156
fb7b11eb DK	157	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	158	prepare "${PKGFILE}"
	159	rm -rf rootdir/var/lib/apt/lists
	160	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	161	find aptarchive/ -name "$DELETEFILE" -delete
	162	successfulaptgetupdate 'NO_PUBKEY'
	163	testsuccessequal "$(cat "${PKGFILE}")
	164	" aptcache show apt
	165	installaptold
	166
	167	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	168	prepare "${PKGFILE}"
	169	rm -rf rootdir/var/lib/apt/lists
	170	signreleasefiles 'Joe Sixpack,Rex Expired'
	171	find aptarchive/ -name "$DELETEFILE" -delete
	172	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	173	successfulaptgetupdate 'EXPKEYSIG'
	174	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	175	testsuccessequal "$(cat "${PKGFILE}")
	176	" aptcache show apt
	177	installaptold
	178
8fa99570	179	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412	180	prepare "${PKGFILE}"
fe0f7911 DK	181	rm -rf rootdir/var/lib/apt/lists
	182	signreleasefiles 'Marvin Paranoid'
	183	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	184	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	185	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	186	" aptcache show apt
	187	failaptold
	188
8fa99570	189	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412	190	prepare "${PKGFILE}-new"
fe0f7911 DK	191	signreleasefiles 'Joe Sixpack'
fe0f7911 DK	192	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	193	successfulaptgetupdate
63c71412	194	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	195	" aptcache show apt
	196	installaptnew
	197
8fa99570	198	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	199	prepare "${PKGFILE}"
fe0f7911 DK	200	rm -rf rootdir/var/lib/apt/lists
	201	signreleasefiles 'Joe Sixpack'
	202	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	203	successfulaptgetupdate
63c71412	204	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	205	" aptcache show apt
	206	installaptold
	207
8fa99570	208	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412	209	prepare "${PKGFILE}-new"
fe0f7911 DK	210	signreleasefiles 'Marvin Paranoid'
fe0f7911 DK	211	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	212	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	213	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	214	" aptcache show apt
	215	installaptold
	216
8fa99570	217	msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412	218	prepare "${PKGFILE}-new"
29a59c46 DK	219	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	220	signreleasefiles 'Rex Expired'
	221	find aptarchive/ -name "$DELETEFILE" -delete
f13b413a	222	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	223	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	224	" aptcache show apt
fe0f7911 DK	225	installaptold
29a59c46 DK	226	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	227
8fa99570	228	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	229	prepare "${PKGFILE}-new"
29a59c46 DK	230	signreleasefiles
29a59c46 DK	231	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	232	successfulaptgetupdate
63c71412	233	testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46 DK	234	" aptcache show apt
29a59c46 DK	235	installaptnew
b0d40854	236
8fa99570	237	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412	238	prepare "${PKGFILE}"
b0d40854 DK	239	rm -rf rootdir/var/lib/apt/lists
	240	signreleasefiles 'Marvin Paranoid'
	241	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854 DK	242	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
b0d40854 DK	243	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570	244	successfulaptgetupdate
63c71412	245	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	246	" aptcache show apt
	247	installaptold
	248
8fa99570	249	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854 DK	250	rm -rf rootdir/var/lib/apt/lists
	251	signreleasefiles 'Joe Sixpack'
	252	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854	253	updatewithwarnings '^W: .* NO_PUBKEY'
b0d40854	254	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
46e00c90	255
b0d40854	256	local MARVIN="$(aptkey --keyring $MARVIN finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
46e00c90 DK	257	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	258	rm -rf rootdir/var/lib/apt/lists
	259	signreleasefiles 'Joe Sixpack'
	260	find aptarchive/ -name "$DELETEFILE" -delete
	261	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	262	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854	263
8fa99570	264	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
b0d40854 DK	265	rm -rf rootdir/var/lib/apt/lists
	266	signreleasefiles 'Marvin Paranoid'
	267	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854	268	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570	269	successfulaptgetupdate
63c71412	270	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	271	" aptcache show apt
b0d40854 DK	272	installaptold
b0d40854	273
46e00c90 DK	274	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	275	rm -rf rootdir/var/lib/apt/lists
	276	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
	277	find aptarchive/ -name "$DELETEFILE" -delete
	278	successfulaptgetupdate 'NoPubKey: GOODSIG'
	279	testsuccessequal "$(cat "${PKGFILE}")
	280	" aptcache show apt
	281	installaptold
	282
	283	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	284	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
b0d40854 DK	285	rm -rf rootdir/var/lib/apt/lists
	286	signreleasefiles 'Joe Sixpack'
	287	find aptarchive/ -name "$DELETEFILE" -delete
46e00c90 DK	288	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	289	successfulaptgetupdate
	290	testsuccessequal "$(cat "${PKGFILE}")
	291	" aptcache show apt
	292	installaptold
	293
	294	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	295	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	296	rm -rf rootdir/var/lib/apt/lists
	297	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	298	successfulaptgetupdate
	299	testsuccessequal "$(cat "${PKGFILE}")
	300	" aptcache show apt
	301	installaptold
	302	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	303	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
b0d40854	304
89901946 DK	305	rm -rf rootdir/var/lib/apt/lists-bak
	306	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	307	prepare "${PKGFILE}-new"
	308	signreleasefiles 'Joe Sixpack'
	309	find aptarchive/ -name "$DELETEFILE" -delete
	310
	311	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	312	sed -i "/^Valid-Until: / a\
	313	Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	314	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	315	successfulaptgetupdate
	316	testsuccessequal "$(cat "${PKGFILE}-new")
	317	" aptcache show apt
	318	installaptnew
	319
	320	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	321	rm -rf rootdir/var/lib/apt/lists
	322	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	323	sed -i "/^Valid-Until: / a\
	324	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	325	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	326	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	327	testsuccessequal "$(cat "${PKGFILE}")
	328	" aptcache show apt
	329	installaptold
	330
	331	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	332	rm -rf rootdir/var/lib/apt/lists
	333	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	334	sed -i "/^Valid-Until: / a\
	335	Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
	336	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	337	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	338	successfulaptgetupdate
	339	testsuccessequal "$(cat "${PKGFILE}-new")
	340	" aptcache show apt
	341	installaptnew
	342
	343	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	344	rm -rf rootdir/var/lib/apt/lists
	345	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	346	sed -i "/^Valid-Until: / a\
	347	Signed-By: ${MARVIN} ${MARVIN}, \\
	348	${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	349	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	350	successfulaptgetupdate
	351	testsuccessequal "$(cat "${PKGFILE}-new")
	352	" aptcache show apt
	353	installaptnew
fe0f7911 DK	354	}
fe0f7911 DK	355
43c1ca5d	356	runtest2() {
8fa99570	357	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	358	prepare "${PKGFILE}"
43c1ca5d SR	359	rm -rf rootdir/var/lib/apt/lists
43c1ca5d SR	360	signreleasefiles 'Joe Sixpack'
8fa99570	361	successfulaptgetupdate
43c1ca5d SR	362
	363	# New .deb but now an unsigned archive. For example MITM to circumvent
	364	# package verification.
8fa99570	365	msgmsg 'Warm archive signed by' 'nobody'
63c71412	366	prepare "${PKGFILE}-new"
43c1ca5d SR	367	find aptarchive/ -name InRelease -delete
43c1ca5d SR	368	find aptarchive/ -name Release.gpg -delete
6bf93605	369	updatewithwarnings 'W: .* no longer signed.'
63c71412	370	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	371	" aptcache show apt
	372	failaptnew
	373
	374	# Unsigned archive from the beginning must also be detected.
6bf93605	375	msgmsg 'Cold archive signed by' 'nobody'
8fa99570	376	rm -rf rootdir/var/lib/apt/lists
6bf93605	377	updatewithwarnings 'W: .* is not signed.'
63c71412	378	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	379	" aptcache show apt
	380	failaptnew
	381	}
43c1ca5d	382
8fa99570	383	runtest3() {
6a4958d3	384	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a	385	msgmsg "Running base test with $1 digest"
8fa99570 DK	386	runtest2
8fa99570 DK	387
08b7761a DK	388	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	389	msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
	390	runtest "$DELETEFILE"
	391	done
8fa99570 DK	392	}
8fa99570 DK	393
e8b1db38 MV	394	# diable some protection by default and ensure we still do the verification
	395	# correctly
	396	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	397	Acquire::AllowInsecureRepositories "1";
	398	Acquire::AllowDowngradeToInsecureRepositories "1";
	399	EOF
08b7761a DK	400	# the hash marked as configureable in our gpgv method
08b7761a DK	401	export APT_TESTS_DIGEST_ALGO='SHA224'
e8b1db38	402
8fa99570 DK	403	successfulaptgetupdate() {
8fa99570 DK	404	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	405	if [ -n "$1" ]; then
	406	cp rootdir/tmp/testsuccess.output aptupdate.output
	407	testsuccess grep "$1" aptupdate.output
	408	fi
8fa99570	409	}
6a4958d3	410	runtest3 'Trusted'
e8b1db38	411
8fa99570 DK	412	successfulaptgetupdate() {
8fa99570 DK	413	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	414	if [ -n "$1" ]; then
	415	testsuccess grep "$1" rootdir/tmp/testwarning.output
	416	fi
8fa99570 DK	417	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
8fa99570 DK	418	}
6a4958d3	419	runtest3 'Weak'
08b7761a DK	420
08b7761a DK	421	msgmsg "Running test with apt-untrusted digest"
6a4958d3	422	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a DK	423	runfailure() {
	424	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	425	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	426	prepare "${PKGFILE}"
	427	rm -rf rootdir/var/lib/apt/lists
	428	signreleasefiles 'Joe Sixpack'
	429	find aptarchive/ -name "$DELETEFILE" -delete
	430	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	431	testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
	432	testnopackage 'apt'
	433	testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	434	failaptold
	435
	436	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	437	prepare "${PKGFILE}"
	438	rm -rf rootdir/var/lib/apt/lists
	439	signreleasefiles 'Marvin Paranoid'
	440	find aptarchive/ -name "$DELETEFILE" -delete
	441	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	442	testnopackage 'apt'
	443	updatewithwarnings '^W: .* NO_PUBKEY'
	444	testsuccessequal "$(cat "${PKGFILE}")
	445	" aptcache show apt
	446	failaptold
	447	done
	448	}
	449	runfailure
	450
	451	msgmsg "Running test with gpgv-untrusted digest"
	452	export APT_TESTS_DIGEST_ALGO='MD5'
	453	runfailure