#!/bin/sh
# Exercises `aptget update` and a download-only install against a test archive
# whose Release files are signed by different keys or not signed at all.
set -e

# Locate this script's directory and load the shared test framework from it.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

buildaptarchive
setupflataptarchive
changetowebserver

# NOTE(review): judging by the option name this turns off range-request
# support in the test web server; confirm against the framework.
webserverconfig 'aptwebserver::support::range' 'false'
# Publish the Packages file "$1" in aptarchive/ and regenerate Release files.
# Globals:   PKGFILE (read)
# Arguments: $1 - Packages file copied to aptarchive/Packages
#            $2 - optional date handed to compressfile and
#                 generatereleasefiles; when absent (or 'now') it becomes
#                 'now - 1 day' for "${PKGFILE}-new" and 'now - 7 day'
#                 for any other file
prepare() {
  local DATE="${2:-now}"
  if [ "$DATE" = 'now' ]; then
    case "$1" in
      "${PKGFILE}-new") DATE='now - 1 day' ;;
      *) DATE='now - 7 day' ;;
    esac
  fi
  # Backdate whatever is already in the lists directory by one year; the
  # directory may not exist yet, hence the discarded find errors.
  for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
    touch -d 'now - 1 year' "$release"
  done
  aptget clean
  cp "$1" aptarchive/Packages
  # Old Release files are removed before new ones are generated below.
  find aptarchive -name 'Release' -delete
  compressfile 'aptarchive/Packages' "$DATE"
  generatereleasefiles "$DATE"
}
# Expect a download-only install of apt to succeed and fetch apt 0.7.25.3.
# Globals: APTHTTPPORT (read)
# NOTE(review): the package-list lines use apt-get's two-space indent; the
# blame view this was recovered from strips leading whitespace, so verify the
# expected text against the upstream file.
installaptold() {
  testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
Download complete and in download only mode" aptget install apt -dy
}
# Expect a download-only install of apt to succeed and fetch apt 0.8.0~pre1.
# Globals: APTHTTPPORT (read)
# NOTE(review): the package-list lines use apt-get's two-space indent; the
# blame view this was recovered from strips leading whitespace, so verify the
# expected text against the upstream file.
installaptnew() {
  testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
Download complete and in download only mode" aptget install apt -dy
}
# Expect the download-only install of the old apt (5370 kB) to be refused:
# the package cannot be authenticated and -y was given without
# --allow-unauthenticated.
# NOTE(review): the package-list lines use apt-get's two-space indent; the
# blame view this was recovered from strips leading whitespace, so verify the
# expected text against the upstream file.
failaptold() {
  testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}
74 | ||
# Expect the download-only install of the new apt (5808 kB) to be refused:
# the package cannot be authenticated and -y was given without
# --allow-unauthenticated.
# NOTE(review): the package-list lines use apt-get's two-space indent; the
# blame view this was recovered from strips leading whitespace, so verify the
# expected text against the upstream file.
failaptnew() {
  testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}
# fake our downloadable file
touch aptarchive/apt.deb

# Packages fixture for this test: it lives next to the script and carries the
# script's name with the leading "test-" replaced by "Packages-".
PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
# Run `aptget update` with acquire-worker and gpgv debugging through the
# framework's testwarning helper, then require that its captured output
# contains a line matching "$1".
# Arguments: $1 - extended regular expression (passed to grep -E)
updatewithwarnings() {
  testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}
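# Walk through signed-archive scenarios with one signature file removed.
# "Cold" steps wipe rootdir/var/lib/apt/lists first; "warm" steps update on
# top of the lists left by the previous step.
# Globals:   PKGFILE (read), DELETEFILE (read; name of the signature file
#            deleted from aptarchive/ after signing)
# Arguments: none
runtest() {
  # Declared apart from its assignments so a failing command substitution is
  # not masked by the exit status of `local`.
  local MARVIN

  # Trusted key, cold: update succeeds, old index is used, install works.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Trusted key, warm: the newer index replaces the old one.
  prepare "${PKGFILE}-new"
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  # Expired key, cold: update warns with KEYEXPIRED and the install is
  # refused as unauthenticated. The key is only trusted for this step.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  signreleasefiles 'Rex Expired'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Rex Expired'
  updatewithwarnings '^W: .* KEYEXPIRED'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  failaptold
  rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

  # Key that was never added to the keyring, cold: NO_PUBKEY warning and the
  # install is refused.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  updatewithwarnings '^W: .* NO_PUBKEY'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  failaptold

  # Trusted key again on top of the unverified lists: update and install of
  # the new version succeed.
  prepare "${PKGFILE}-new"
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew


  # Fresh verified baseline for the warm failure cases below.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Warm update signed by an unknown key: NO_PUBKEY warning, and aptcache
  # still shows the OLD index, i.e. the unverifiable data was not taken over.
  prepare "${PKGFILE}-new"
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  updatewithwarnings '^W: .* NO_PUBKEY'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Warm update signed by an expired key: KEYEXPIRED warning, old index kept.
  prepare "${PKGFILE}-new"
  cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  signreleasefiles 'Rex Expired'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Rex Expired'
  updatewithwarnings '^W: .* KEYEXPIRED'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold
  rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

  # NOTE(review): no signer is named here; the label below suggests the
  # framework signs as Joe Sixpack by default, confirm in the framework.
  prepare "${PKGFILE}-new"
  signreleasefiles
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  # signed-by with a keyring path: every deb/deb-src entry is pinned to
  # Marvin's public key file, so an archive signed by Marvin verifies.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  # $MARVIN is spliced into the sed script as-is; a path containing '#', '&'
  # or a backslash would change the expression.
  sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  testsuccess aptget update -o Debug::pkgAcquire::Worker=1
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Same pin, but the archive is signed by Joe Sixpack: NO_PUBKEY warning.
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  updatewithwarnings '^W: .* NO_PUBKEY'

  # Drop the keyring pin, then switch MARVIN from the key file path to the
  # fingerprint printed by `aptkey finger` (spaces removed). The path is
  # quoted so it reaches --keyring as a single argument.
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  MARVIN="$(aptkey --keyring "$MARVIN" finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"

  # signed-by with a fingerprint: Marvin's key is placed in trusted.gpg.d for
  # this step and the source is pinned to its fingerprint.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold
  rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg

  # Pinned to Marvin's fingerprint but signed by Joe Sixpack: the update must
  # warn that the signature cannot be verified.
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  updatewithwarnings '^W: .* be verified because the public key is not available: .*'

  # Remove the fingerprint pin so the sources are left unpinned.
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
}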
# Check that an archive which loses its signature, or never had one, is
# reported by `aptget update` and that installs from it are refused.
# Globals:   PKGFILE (read)
# Arguments: none
runtest2() {
  # Signed baseline fetched into empty lists.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  testsuccess aptget update

  # New .deb but now an unsigned archive. For example MITM to circumvent
  # package verification.
  prepare "${PKGFILE}-new"
  # Both signature carriers are removed, leaving only the unsigned Release.
  find aptarchive/ \( -name 'InRelease' -o -name 'Release.gpg' \) -delete
  msgmsg 'Warm archive signed by' 'nobody'
  updatewithwarnings 'W: .* no longer signed.'
  # The new index is visible to aptcache, yet the install below must fail
  # because the package cannot be authenticated.
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  failaptnew

  # Unsigned archive from the beginning must also be detected.
  rm -rf rootdir/var/lib/apt/lists
  msgmsg 'Cold archive signed by' 'nobody'
  updatewithwarnings 'W: .* is not signed.'
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  failaptnew
}
# disable some protection by default and ensure we still do the verification
# correctly
# Both Acquire options below allow unsigned repositories; the scenarios that
# follow still expect unauthenticated installs to be refused.
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF

msgmsg "Running base test"
runtest2

# Run the signed-archive scenarios once per signature file, deleting that
# file from the archive each time.
for DELETEFILE in "InRelease" "Release.gpg"; do
  msgmsg "Running test with deletion of $DELETEFILE"
  runtest
done