[apt.git] / test / integration / test-releasefile-verification

#!/bin/sh
set -e

TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

buildaptarchive
setupflataptarchive
changetowebserver

webserverconfig 'aptwebserver::support::range' 'false'

prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		if [ "$1" = "${PKGFILE}-new" ]; then
			DATE='now - 1 day'
		else
			DATE='now - 7 day'
		fi
	fi
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' "$release"
	done
	aptget clean
	cp "$1" aptarchive/Packages
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE"
}

installaptold() {
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.7.25.3
Download complete and in download only mode" aptget install apt -dy
}

installaptnew() {
	testsuccessequal "Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT}  apt 0.8.0~pre1
Download complete and in download only mode" aptget install apt -dy
}

failaptold() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

failaptnew() {
	testfailureequal 'Reading package lists...
Building dependency tree...
Suggested packages:
  aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
  apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
}

# fake our downloadable file
touch aptarchive/apt.deb

PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"

updatewithwarnings() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}

runtest() {
	local DELETEFILE="$1"
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
		touch rootdir/etc/apt/apt.conf.d/99gnupg2
	elif gpg2 --version >/dev/null 2>&1; then
		echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
		if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
			rm rootdir/etc/apt/apt.conf.d/99gnupg2
		fi
	fi
	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
		find aptarchive/ -name "$DELETEFILE" -delete
		updatewithwarnings '^W: .* EXPSIG'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
		rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	else
		msgskip 'Not a new enough gpg available providing --fake-system-time'
	fi

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate 'NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	successfulaptgetupdate 'EXPKEYSIG'
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold

	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Good warm archive signed by' 'Rex Expired'
	prepare "${PKGFILE}-new"
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* EXPKEYSIG'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'

	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"

	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg

	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
}

runtest2() {
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	msgmsg 'Warm archive signed by' 'nobody'
	prepare "${PKGFILE}-new"
	find aptarchive/ -name InRelease -delete
	find aptarchive/ -name Release.gpg -delete
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	msgmsg 'Cold archive signed by' 'nobody'
	rm -rf rootdir/var/lib/apt/lists
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew
}

runtest3() {
	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	msgmsg "Running base test with $1 digest"
	runtest2

	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
		runtest "$DELETEFILE"
	done
}

# diable some protection by default and ensure we still do the verification
# correctly
cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
Acquire::AllowInsecureRepositories "1";
Acquire::AllowDowngradeToInsecureRepositories "1";
EOF
# the hash marked as configureable in our gpgv method
export APT_TESTS_DIGEST_ALGO='SHA224'

successfulaptgetupdate() {
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		cp rootdir/tmp/testsuccess.output aptupdate.output
		testsuccess grep "$1" aptupdate.output
	fi
}
runtest3 'Trusted'

successfulaptgetupdate() {
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]; then
		testsuccess grep "$1" rootdir/tmp/testwarning.output
	fi
	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
runtest3 'Weak'

msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
runfailure() {
	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		msgmsg 'Cold archive signed by' 'Joe Sixpack'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack'
		find aptarchive/ -name "$DELETEFILE" -delete
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
		testnopackage 'apt'
		testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold

		msgmsg 'Cold archive signed by' 'Marvin Paranoid'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Marvin Paranoid'
		find aptarchive/ -name "$DELETEFILE" -delete
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testnopackage 'apt'
		updatewithwarnings '^W: .* NO_PUBKEY'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
	done
}
runfailure

msgmsg "Running test with gpgv-untrusted digest"
export APT_TESTS_DIGEST_ALGO='MD5'
runfailure
Commit	Line	Data
fe0f7911 DK	1	#!/bin/sh
	2	set -e
	3
3abb6a6a DK	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
3abb6a6a DK	5	. "$TESTDIR/framework"
fe0f7911 DK	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
	10	buildaptarchive
	11	setupflataptarchive
	12	changetowebserver
	13
f2c0ec8b	14	webserverconfig 'aptwebserver::support::range' 'false'
331e8396	15
fe0f7911 DK	16	prepare() {
fe0f7911 DK	17	local DATE="${2:-now}"
331e8396 DK	18	if [ "$DATE" = 'now' ]; then
	19	if [ "$1" = "${PKGFILE}-new" ]; then
	20	DATE='now - 1 day'
	21	else
	22	DATE='now - 7 day'
	23	fi
fe0f7911 DK	24	fi
fe0f7911 DK	25	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
63c71412	26	touch -d 'now - 1 year' "$release"
fe0f7911	27	done
8de79b68	28	aptget clean
63c71412	29	cp "$1" aptarchive/Packages
fe0f7911	30	find aptarchive -name 'Release' -delete
331e8396	31	compressfile 'aptarchive/Packages' "$DATE"
fe0f7911 DK	32	generatereleasefiles "$DATE"
	33	}
	34
	35	installaptold() {
6c0765c0	36	testsuccessequal "Reading package lists...
fe0f7911 DK	37	Building dependency tree...
fe0f7911 DK	38	Suggested packages:
9112f777	39	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	40	The following NEW packages will be installed:
	41	apt
	42	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	43	After this operation, 5370 kB of additional disk space will be used.
6c0765c0 DK	44	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
6c0765c0 DK	45	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	46	}
	47
	48	installaptnew() {
6c0765c0	49	testsuccessequal "Reading package lists...
fe0f7911 DK	50	Building dependency tree...
fe0f7911 DK	51	Suggested packages:
9112f777	52	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	53	The following NEW packages will be installed:
	54	apt
	55	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	56	After this operation, 5808 kB of additional disk space will be used.
6c0765c0 DK	57	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
6c0765c0 DK	58	Download complete and in download only mode" aptget install apt -dy
fe0f7911 DK	59	}
	60
	61	failaptold() {
25b86db1	62	testfailureequal 'Reading package lists...
fe0f7911 DK	63	Building dependency tree...
fe0f7911 DK	64	Suggested packages:
9112f777	65	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	66	The following NEW packages will be installed:
	67	apt
	68	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	69	After this operation, 5370 kB of additional disk space will be used.
	70	WARNING: The following packages cannot be authenticated!
	71	apt
b381a482	72	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	73	}
	74
	75	failaptnew() {
25b86db1	76	testfailureequal 'Reading package lists...
fe0f7911 DK	77	Building dependency tree...
fe0f7911 DK	78	Suggested packages:
9112f777	79	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
fe0f7911 DK	80	The following NEW packages will be installed:
	81	apt
	82	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	83	After this operation, 5808 kB of additional disk space will be used.
	84	WARNING: The following packages cannot be authenticated!
	85	apt
b381a482	86	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
fe0f7911 DK	87	}
	88
	89	# fake our downloadable file
	90	touch aptarchive/apt.deb
	91
63c71412	92	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
fe0f7911	93
6bf93605	94	updatewithwarnings() {
4e03c47d	95	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
6bf93605	96	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
331e8396 DK	97	}
331e8396 DK	98
fe0f7911	99	runtest() {
08b7761a	100	local DELETEFILE="$1"
8fa99570	101	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	102	prepare "${PKGFILE}"
fe0f7911 DK	103	rm -rf rootdir/var/lib/apt/lists
	104	signreleasefiles 'Joe Sixpack'
	105	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	106	successfulaptgetupdate
63c71412	107	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	108	" aptcache show apt
	109	installaptold
	110
8fa99570	111	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	112	prepare "${PKGFILE}-new"
fe0f7911 DK	113	signreleasefiles 'Joe Sixpack'
fe0f7911 DK	114	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	115	successfulaptgetupdate
63c71412	116	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	117	" aptcache show apt
	118	installaptnew
	119
8fa99570	120	msgmsg 'Cold archive signed by' 'Rex Expired'
63c71412	121	prepare "${PKGFILE}"
29a59c46 DK	122	rm -rf rootdir/var/lib/apt/lists
	123	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	124	signreleasefiles 'Rex Expired'
	125	find aptarchive/ -name "$DELETEFILE" -delete
f13b413a	126	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	127	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	128	" aptcache show apt
29a59c46 DK	129	failaptold
fb7b11eb	130	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
fe0f7911	131
1af227c2 DK	132	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	133	if dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	134	touch rootdir/etc/apt/apt.conf.d/99gnupg2
	135	elif gpg2 --version >/dev/null 2>&1; then
	136	echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
	137	if ! dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	138	rm rootdir/etc/apt/apt.conf.d/99gnupg2
	139	fi
	140	fi
	141	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
	142	prepare "${PKGFILE}"
	143	rm -rf rootdir/var/lib/apt/lists
	144	signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
	145	find aptarchive/ -name "$DELETEFILE" -delete
	146	updatewithwarnings '^W: .* EXPSIG'
	147	testsuccessequal "$(cat "${PKGFILE}")
	148	" aptcache show apt
	149	failaptold
	150	rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	151	else
	152	msgskip 'Not a new enough gpg available providing --fake-system-time'
	153	fi
	154
fb7b11eb DK	155	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	156	prepare "${PKGFILE}"
	157	rm -rf rootdir/var/lib/apt/lists
	158	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	159	find aptarchive/ -name "$DELETEFILE" -delete
	160	successfulaptgetupdate 'NO_PUBKEY'
	161	testsuccessequal "$(cat "${PKGFILE}")
	162	" aptcache show apt
	163	installaptold
	164
	165	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	166	prepare "${PKGFILE}"
	167	rm -rf rootdir/var/lib/apt/lists
	168	signreleasefiles 'Joe Sixpack,Rex Expired'
	169	find aptarchive/ -name "$DELETEFILE" -delete
	170	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	171	successfulaptgetupdate 'EXPKEYSIG'
	172	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	173	testsuccessequal "$(cat "${PKGFILE}")
	174	" aptcache show apt
	175	installaptold
	176
8fa99570	177	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
63c71412	178	prepare "${PKGFILE}"
fe0f7911 DK	179	rm -rf rootdir/var/lib/apt/lists
	180	signreleasefiles 'Marvin Paranoid'
	181	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	182	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	183	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	184	" aptcache show apt
	185	failaptold
	186
8fa99570	187	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
63c71412	188	prepare "${PKGFILE}-new"
fe0f7911 DK	189	signreleasefiles 'Joe Sixpack'
fe0f7911 DK	190	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	191	successfulaptgetupdate
63c71412	192	testsuccessequal "$(cat "${PKGFILE}-new")
fe0f7911 DK	193	" aptcache show apt
	194	installaptnew
	195
8fa99570	196	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	197	prepare "${PKGFILE}"
fe0f7911 DK	198	rm -rf rootdir/var/lib/apt/lists
	199	signreleasefiles 'Joe Sixpack'
	200	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	201	successfulaptgetupdate
63c71412	202	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	203	" aptcache show apt
	204	installaptold
	205
8fa99570	206	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
63c71412	207	prepare "${PKGFILE}-new"
fe0f7911 DK	208	signreleasefiles 'Marvin Paranoid'
fe0f7911 DK	209	find aptarchive/ -name "$DELETEFILE" -delete
6bf93605	210	updatewithwarnings '^W: .* NO_PUBKEY'
63c71412	211	testsuccessequal "$(cat "${PKGFILE}")
29a59c46 DK	212	" aptcache show apt
	213	installaptold
	214
8fa99570	215	msgmsg 'Good warm archive signed by' 'Rex Expired'
63c71412	216	prepare "${PKGFILE}-new"
29a59c46 DK	217	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	218	signreleasefiles 'Rex Expired'
	219	find aptarchive/ -name "$DELETEFILE" -delete
f13b413a	220	updatewithwarnings '^W: .* EXPKEYSIG'
63c71412	221	testsuccessequal "$(cat "${PKGFILE}")
fe0f7911 DK	222	" aptcache show apt
fe0f7911 DK	223	installaptold
29a59c46 DK	224	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
29a59c46 DK	225
8fa99570	226	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
63c71412	227	prepare "${PKGFILE}-new"
29a59c46 DK	228	signreleasefiles
29a59c46 DK	229	find aptarchive/ -name "$DELETEFILE" -delete
8fa99570	230	successfulaptgetupdate
63c71412	231	testsuccessequal "$(cat "${PKGFILE}-new")
29a59c46 DK	232	" aptcache show apt
29a59c46 DK	233	installaptnew
b0d40854	234
8fa99570	235	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
63c71412	236	prepare "${PKGFILE}"
b0d40854 DK	237	rm -rf rootdir/var/lib/apt/lists
	238	signreleasefiles 'Marvin Paranoid'
	239	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854 DK	240	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
b0d40854 DK	241	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
8fa99570	242	successfulaptgetupdate
63c71412	243	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	244	" aptcache show apt
	245	installaptold
	246
8fa99570	247	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
b0d40854 DK	248	rm -rf rootdir/var/lib/apt/lists
	249	signreleasefiles 'Joe Sixpack'
	250	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854 DK	251	updatewithwarnings '^W: .* NO_PUBKEY'
	252
	253	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	254	local MARVIN="$(aptkey --keyring $MARVIN finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	255
8fa99570	256	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
63c71412	257	prepare "${PKGFILE}"
b0d40854 DK	258	rm -rf rootdir/var/lib/apt/lists
	259	signreleasefiles 'Marvin Paranoid'
	260	find aptarchive/ -name "$DELETEFILE" -delete
b0d40854 DK	261	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
b0d40854 DK	262	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
8fa99570	263	successfulaptgetupdate
63c71412	264	testsuccessequal "$(cat "${PKGFILE}")
b0d40854 DK	265	" aptcache show apt
	266	installaptold
	267	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	268
8fa99570	269	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
b0d40854 DK	270	rm -rf rootdir/var/lib/apt/lists
	271	signreleasefiles 'Joe Sixpack'
	272	find aptarchive/ -name "$DELETEFILE" -delete
4e03c47d	273	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
b0d40854 DK	274
b0d40854 DK	275	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
fe0f7911 DK	276	}
fe0f7911 DK	277
43c1ca5d	278	runtest2() {
8fa99570	279	msgmsg 'Cold archive signed by' 'Joe Sixpack'
63c71412	280	prepare "${PKGFILE}"
43c1ca5d SR	281	rm -rf rootdir/var/lib/apt/lists
43c1ca5d SR	282	signreleasefiles 'Joe Sixpack'
8fa99570	283	successfulaptgetupdate
43c1ca5d SR	284
	285	# New .deb but now an unsigned archive. For example MITM to circumvent
	286	# package verification.
8fa99570	287	msgmsg 'Warm archive signed by' 'nobody'
63c71412	288	prepare "${PKGFILE}-new"
43c1ca5d SR	289	find aptarchive/ -name InRelease -delete
43c1ca5d SR	290	find aptarchive/ -name Release.gpg -delete
6bf93605	291	updatewithwarnings 'W: .* no longer signed.'
63c71412	292	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	293	" aptcache show apt
	294	failaptnew
	295
	296	# Unsigned archive from the beginning must also be detected.
6bf93605	297	msgmsg 'Cold archive signed by' 'nobody'
8fa99570	298	rm -rf rootdir/var/lib/apt/lists
6bf93605	299	updatewithwarnings 'W: .* is not signed.'
63c71412	300	testsuccessequal "$(cat "${PKGFILE}-new")
43c1ca5d SR	301	" aptcache show apt
	302	failaptnew
	303	}
43c1ca5d	304
8fa99570	305	runtest3() {
6a4958d3	306	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a	307	msgmsg "Running base test with $1 digest"
8fa99570 DK	308	runtest2
8fa99570 DK	309
08b7761a DK	310	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	311	msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
	312	runtest "$DELETEFILE"
	313	done
8fa99570 DK	314	}
8fa99570 DK	315
e8b1db38 MV	316	# diable some protection by default and ensure we still do the verification
	317	# correctly
	318	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	319	Acquire::AllowInsecureRepositories "1";
	320	Acquire::AllowDowngradeToInsecureRepositories "1";
	321	EOF
08b7761a DK	322	# the hash marked as configureable in our gpgv method
08b7761a DK	323	export APT_TESTS_DIGEST_ALGO='SHA224'
e8b1db38	324
8fa99570 DK	325	successfulaptgetupdate() {
8fa99570 DK	326	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	327	if [ -n "$1" ]; then
	328	cp rootdir/tmp/testsuccess.output aptupdate.output
	329	testsuccess grep "$1" aptupdate.output
	330	fi
8fa99570	331	}
6a4958d3	332	runtest3 'Trusted'
e8b1db38	333
8fa99570 DK	334	successfulaptgetupdate() {
8fa99570 DK	335	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
fb7b11eb DK	336	if [ -n "$1" ]; then
	337	testsuccess grep "$1" rootdir/tmp/testwarning.output
	338	fi
8fa99570 DK	339	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
8fa99570 DK	340	}
6a4958d3	341	runtest3 'Weak'
08b7761a DK	342
08b7761a DK	343	msgmsg "Running test with apt-untrusted digest"
6a4958d3	344	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
08b7761a DK	345	runfailure() {
	346	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	347	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	348	prepare "${PKGFILE}"
	349	rm -rf rootdir/var/lib/apt/lists
	350	signreleasefiles 'Joe Sixpack'
	351	find aptarchive/ -name "$DELETEFILE" -delete
	352	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	353	testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
	354	testnopackage 'apt'
	355	testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	356	failaptold
	357
	358	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	359	prepare "${PKGFILE}"
	360	rm -rf rootdir/var/lib/apt/lists
	361	signreleasefiles 'Marvin Paranoid'
	362	find aptarchive/ -name "$DELETEFILE" -delete
	363	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	364	testnopackage 'apt'
	365	updatewithwarnings '^W: .* NO_PUBKEY'
	366	testsuccessequal "$(cat "${PKGFILE}")
	367	" aptcache show apt
	368	failaptold
	369	done
	370	}
	371	runfailure
	372
	373	msgmsg "Running test with gpgv-untrusted digest"
	374	export APT_TESTS_DIGEST_ALGO='MD5'
	375	runfailure