[apt.git] / test / integration / test-releasefile-verification

#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

buildaptarchive
setupflataptarchive
changetowebserver

webserverconfig 'aptwebserver::support::range' 'false'

prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		if [ "$1" = "${PKGFILE}-new" ]; then
			DATE='now - 1 day'
		else
			DATE='now - 7 day'
		fi
	fi
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' "$release"
	done
	aptget clean
	cp "$1" aptarchive/Packages
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE"
}

installaptold() {
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.7.25.3
Download complete and in download only mode" aptget install apt -dy
}

installaptnew() {
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.8.0~pre1
Download complete and in download only mode" aptget install apt -dy
}

failaptold() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

failaptnew() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

# fake our downloadable file
touch aptarchive/apt.deb

PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"

updatewithwarnings() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}

runtest() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* KEYEXPIRED'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold

	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Rex Expired'
	prepare "${PKGFILE}-new"
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* KEYEXPIRED'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'

	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg

	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
}

runtest2() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	msgmsg 'Warm archive signed by' 'nobody'
	prepare "${PKGFILE}-new"
	find aptarchive/ -name InRelease -delete
	find aptarchive/ -name Release.gpg -delete
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	msgmsg 'Cold archive signed by' 'nobody'
	rm -rf rootdir/var/lib/apt/lists
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew
}

runtest3() {
	export APT_TESTS_DIGEST_ALGO="$1"
	msgmsg "Running base test with digest $1"
	runtest2

	DELETEFILE="InRelease"
	msgmsg "Running test with deletion of $DELETEFILE and digest $1"
	runtest

	DELETEFILE="Release.gpg"
	msgmsg "Running test with deletion of $DELETEFILE and digest $1"
	runtest

	unset APT_TESTS_DIGEST_ALGO
}

# diable some protection by default and ensure we still do the verification
# correctly
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF

# an all-round good hash
successfulaptgetupdate() {
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
}
runtest3 'SHA512'

# a hash we consider weak and therefore warn about
rm -f rootdir/etc/apt/apt.conf.d/no-sha1
successfulaptgetupdate() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
runtest3 'SHA1'
Commit	Line	Data
fe0f7911 DK	1	#!/bin/sh
	2	set -e
	3
3abb6a6a DK	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
3abb6a6a DK	5	. "$TESTDIR/framework"
fe0f7911 DK	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
	10	buildaptarchive
	11	setupflataptarchive
	12	changetowebserver
	13
f2c0ec8b	14	webserverconfig 'aptwebserver::support::range' 'false'
331e8396	15
fe0f7911 DK	16	prepare() {
fe0f7911 DK	17	local DATE="${2:-now}"
331e8396 DK	18	if [ "$DATE" = 'now' ]; then
	19	if [ "$1" = "${PKGFILE}-new" ]; then
	20	DATE='now - 1 day'
	21	else
	22	DATE='now - 7 day'
	23	fi
fe0f7911 DK	24	fi
fe0f7911 DK	25	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412	26	touch -d 'now - 1 year' "$release"
fe0f7911	27	done
8de79b68	28	aptget clean
63c71412	29	cp "$1" aptarchive/Packages
fe0f7911	30	find aptarchive -name 'Release' -delete
331e8396	31	compressfile 'aptarchive/Packages' "$DATE"
fe0f7911 DK	32	generatereleasefiles "$DATE"
	33	}
	34
	35	installaptold() {
6c0765c0	36	testsuccessequal "Reading package lists...
fe0f7911 DK	37	Building dependency tree...
fe0f7911 DK	38	Suggested packages:
9112f777	39	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	40	The following NEW packages will be installed:
	41	apt
	42	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	43	After this operation, 5370 kB of additional disk space will be used.
6c0765c0 DK	44	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
6c0765c0 DK	45	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	46	}
	47
	48	installaptnew() {
6c0765c0	49	testsuccessequal "Reading package lists...
fe0f7911 DK	50	Building dependency tree...
fe0f7911 DK	51	Suggested packages:
9112f777	52	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	53	The following NEW packages will be installed:
	54	apt
	55	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	56	After this operation, 5808 kB of additional disk space will be used.
6c0765c0 DK	57	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
6c0765c0 DK	58	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	59	}
	60
	61	failaptold() {
25b86db1	62	testfailureequal 'Reading package lists...
fe0f7911 DK	63	Building dependency tree...
fe0f7911 DK	64	Suggested packages:
9112f777	65	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	66	The following NEW packages will be installed:
	67	apt
	68	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	69	After this operation, 5370 kB of additional disk space will be used.
	70	WARNING: The following packages cannot be authenticated!
	71	apt
b381a482	72	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	73	}
	74
	75	failaptnew() {
25b86db1	76	testfailureequal 'Reading package lists...
fe0f7911 DK	77	Building dependency tree...
fe0f7911 DK	78	Suggested packages:
9112f777	79	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	80	The following NEW packages will be installed:
	81	apt
	82	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	83	After this operation, 5808 kB of additional disk space will be used.
	84	WARNING: The following packages cannot be authenticated!
	85	apt
b381a482	86	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	87	}
	88
	89	# fake our downloadable file
	90	touch aptarchive/apt.deb
	91
63c71412	92	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
fe0f7911	93
6bf93605	94	updatewithwarnings() {
4e03c47d	95	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605	96	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396 DK	97	}
331e8396 DK	98
fe0f7911	99	runtest() {
8fa99570	100	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	101	prepare "${PKGFILE}"
fe0f7911 DK	102	rm -rf rootdir/var/lib/apt/lists
	103	signreleasefiles 'Joe Sixpack'
	104	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	105	successfulaptgetupdate
63c71412	106	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	107	" aptcache show apt
	108	installaptold
	109
8fa99570	110	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	111	prepare "${PKGFILE}-new"
fe0f7911 DK	112	signreleasefiles 'Joe Sixpack'
fe0f7911 DK	113	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	114	successfulaptgetupdate
63c71412	115	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	116	" aptcache show apt
	117	installaptnew
	118
8fa99570	119	msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412	120	prepare "${PKGFILE}"
29a59c46 DK	121	rm -rf rootdir/var/lib/apt/lists
	122	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	123	signreleasefiles 'Rex Expired'
	124	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	125	updatewithwarnings '^W: .* KEYEXPIRED'
63c71412	126	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	127	" aptcache show apt
	128	failaptold
	129	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911	130
8fa99570	131	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412	132	prepare "${PKGFILE}"
fe0f7911 DK	133	rm -rf rootdir/var/lib/apt/lists
	134	signreleasefiles 'Marvin Paranoid'
	135	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	136	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	137	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	138	" aptcache show apt
	139	failaptold
	140
8fa99570	141	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412	142	prepare "${PKGFILE}-new"
fe0f7911 DK	143	signreleasefiles 'Joe Sixpack'
fe0f7911 DK	144	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	145	successfulaptgetupdate
63c71412	146	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	147	" aptcache show apt
	148	installaptnew
	149
8fa99570	150	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	151	prepare "${PKGFILE}"
fe0f7911 DK	152	rm -rf rootdir/var/lib/apt/lists
	153	signreleasefiles 'Joe Sixpack'
	154	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	155	successfulaptgetupdate
63c71412	156	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	157	" aptcache show apt
	158	installaptold
	159
8fa99570	160	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412	161	prepare "${PKGFILE}-new"
fe0f7911 DK	162	signreleasefiles 'Marvin Paranoid'
fe0f7911 DK	163	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	164	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	165	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	166	" aptcache show apt
	167	installaptold
	168
8fa99570	169	msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412	170	prepare "${PKGFILE}-new"
29a59c46 DK	171	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	172	signreleasefiles 'Rex Expired'
	173	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	174	updatewithwarnings '^W: .* KEYEXPIRED'
63c71412	175	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	176	" aptcache show apt
fe0f7911 DK	177	installaptold
29a59c46 DK	178	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	179
8fa99570	180	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	181	prepare "${PKGFILE}-new"
29a59c46 DK	182	signreleasefiles
29a59c46 DK	183	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	184	successfulaptgetupdate
63c71412	185	testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46 DK	186	" aptcache show apt
29a59c46 DK	187	installaptnew
b0d40854	188
8fa99570	189	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412	190	prepare "${PKGFILE}"
b0d40854 DK	191	rm -rf rootdir/var/lib/apt/lists
	192	signreleasefiles 'Marvin Paranoid'
	193	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854 DK	194	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
b0d40854 DK	195	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570	196	successfulaptgetupdate
63c71412	197	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	198	" aptcache show apt
	199	installaptold
	200
8fa99570	201	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854 DK	202	rm -rf rootdir/var/lib/apt/lists
	203	signreleasefiles 'Joe Sixpack'
	204	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854 DK	205	updatewithwarnings '^W: .* NO_PUBKEY'
	206
	207	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	208	local MARVIN="$(aptkey --keyring $MARVIN finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	209
8fa99570	210	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
63c71412	211	prepare "${PKGFILE}"
b0d40854 DK	212	rm -rf rootdir/var/lib/apt/lists
	213	signreleasefiles 'Marvin Paranoid'
	214	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854 DK	215	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
b0d40854 DK	216	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570	217	successfulaptgetupdate
63c71412	218	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	219	" aptcache show apt
	220	installaptold
	221	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	222
8fa99570	223	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
b0d40854 DK	224	rm -rf rootdir/var/lib/apt/lists
	225	signreleasefiles 'Joe Sixpack'
	226	find aptarchive/ -name "$DELETEFILE" -delete
4e03c47d	227	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854 DK	228
b0d40854 DK	229	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
fe0f7911 DK	230	}
fe0f7911 DK	231
43c1ca5d	232	runtest2() {
8fa99570	233	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	234	prepare "${PKGFILE}"
43c1ca5d SR	235	rm -rf rootdir/var/lib/apt/lists
43c1ca5d SR	236	signreleasefiles 'Joe Sixpack'
8fa99570	237	successfulaptgetupdate
43c1ca5d SR	238
	239	# New .deb but now an unsigned archive. For example MITM to circumvent
	240	# package verification.
8fa99570	241	msgmsg 'Warm archive signed by' 'nobody'
63c71412	242	prepare "${PKGFILE}-new"
43c1ca5d SR	243	find aptarchive/ -name InRelease -delete
43c1ca5d SR	244	find aptarchive/ -name Release.gpg -delete
6bf93605	245	updatewithwarnings 'W: .* no longer signed.'
63c71412	246	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	247	" aptcache show apt
	248	failaptnew
	249
	250	# Unsigned archive from the beginning must also be detected.
6bf93605	251	msgmsg 'Cold archive signed by' 'nobody'
8fa99570	252	rm -rf rootdir/var/lib/apt/lists
6bf93605	253	updatewithwarnings 'W: .* is not signed.'
63c71412	254	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	255	" aptcache show apt
	256	failaptnew
	257	}
43c1ca5d	258
8fa99570 DK	259	runtest3() {
	260	export APT_TESTS_DIGEST_ALGO="$1"
	261	msgmsg "Running base test with digest $1"
	262	runtest2
	263
	264	DELETEFILE="InRelease"
	265	msgmsg "Running test with deletion of $DELETEFILE and digest $1"
	266	runtest
	267
	268	DELETEFILE="Release.gpg"
	269	msgmsg "Running test with deletion of $DELETEFILE and digest $1"
	270	runtest
	271
	272	unset APT_TESTS_DIGEST_ALGO
	273	}
	274
e8b1db38 MV	275	# diable some protection by default and ensure we still do the verification
	276	# correctly
	277	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	278	Acquire::AllowInsecureRepositories "1";
	279	Acquire::AllowDowngradeToInsecureRepositories "1";
	280	EOF
	281
8fa99570 DK	282	# an all-round good hash
	283	successfulaptgetupdate() {
	284	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	285	}
	286	runtest3 'SHA512'
e8b1db38	287
8fa99570 DK	288	# a hash we consider weak and therefore warn about
	289	rm -f rootdir/etc/apt/apt.conf.d/no-sha1
	290	successfulaptgetupdate() {
	291	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	292	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
	293	}
	294	runtest3 'SHA1'