git.saurik.com Git - apt.git/blame_incremental - test/integration/test-releasefile-verification

... / ...

Commit	Line	Data
	1	#!/bin/sh
	2	set -e
	3
	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
	5	. "$TESTDIR/framework"
	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
	10	export APT_DONT_SIGN='Release.gpg'
	11	buildaptarchive
	12	setupflataptarchive
	13	changetowebserver
	14
	15	prepare() {
	16	local DATE="${2:-now}"
	17	if [ "$DATE" = 'now' ]; then
	18	if [ "$1" = "${PKGFILE}-new" ]; then
	19	DATE='now - 1 day'
	20	else
	21	DATE='now - 7 day'
	22	fi
	23	fi
	24	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
	25	touch -d 'now - 1 year' "$release"
	26	done
	27	aptget clean
	28	cp "$1" aptarchive/Packages
	29	find aptarchive -name 'Release' -delete
	30	compressfile 'aptarchive/Packages' "$DATE"
	31	generatereleasefiles "$DATE" 'now + 1 month'
	32	}
	33
	34	installaptold() {
	35	rm -rf rootdir/var/cache/apt/archives
	36	testsuccessequal "Reading package lists...
	37	Building dependency tree...
	38	Suggested packages:
	39	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	40	The following NEW packages will be installed:
	41	apt
	42	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	43	After this operation, 5370 kB of additional disk space will be used.
	44	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
	45	Download complete and in download only mode" aptget install apt -dy
	46	}
	47
	48	installaptnew() {
	49	rm -rf rootdir/var/cache/apt/archives
	50	testsuccessequal "Reading package lists...
	51	Building dependency tree...
	52	Suggested packages:
	53	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	54	The following NEW packages will be installed:
	55	apt
	56	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	57	After this operation, 5808 kB of additional disk space will be used.
	58	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
	59	Download complete and in download only mode" aptget install apt -dy
	60	}
	61
	62	failaptold() {
	63	testfailureequal 'Reading package lists...
	64	Building dependency tree...
	65	Suggested packages:
	66	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	67	The following NEW packages will be installed:
	68	apt
	69	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	70	After this operation, 5370 kB of additional disk space will be used.
	71	WARNING: The following packages cannot be authenticated!
	72	apt
	73	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
	74	}
	75
	76	failaptnew() {
	77	testfailureequal 'Reading package lists...
	78	Building dependency tree...
	79	Suggested packages:
	80	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	81	The following NEW packages will be installed:
	82	apt
	83	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	84	After this operation, 5808 kB of additional disk space will be used.
	85	WARNING: The following packages cannot be authenticated!
	86	apt
	87	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
	88	}
	89
	90	# fake our downloadable file
	91	touch aptarchive/apt.deb
	92
	93	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
	94
	95	updatewithwarnings() {
	96	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	97	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
	98	}
	99
	100	runtest() {
	101	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	102	prepare "${PKGFILE}"
	103	rm -rf rootdir/var/lib/apt/lists
	104	signreleasefiles 'Joe Sixpack'
	105	successfulaptgetupdate
	106	testsuccessequal "$(cat "${PKGFILE}")
	107	" aptcache show apt
	108	installaptold
	109
	110	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	111	prepare "${PKGFILE}-new"
	112	signreleasefiles 'Joe Sixpack'
	113	successfulaptgetupdate
	114	testsuccessequal "$(cat "${PKGFILE}-new")
	115	" aptcache show apt
	116	installaptnew
	117
	118	msgmsg 'Cold archive signed by' 'Rex Expired'
	119	prepare "${PKGFILE}"
	120	rm -rf rootdir/var/lib/apt/lists
	121	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	122	signreleasefiles 'Rex Expired'
	123	updatewithwarnings '^W: .* EXPKEYSIG'
	124	testsuccessequal "$(cat "${PKGFILE}")
	125	" aptcache show apt
	126	failaptold
	127	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	128
	129	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
	130	if dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	131	touch rootdir/etc/apt/apt.conf.d/99gnupg2
	132	elif gpg2 --version >/dev/null 2>&1; then
	133	echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
	134	if ! dpkg --compare-versions "$(aptkey adv --version \| head -n 2 \| tail -n 1 \| cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
	135	rm rootdir/etc/apt/apt.conf.d/99gnupg2
	136	fi
	137	fi
	138	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
	139	prepare "${PKGFILE}"
	140	rm -rf rootdir/var/lib/apt/lists
	141	signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
	142	updatewithwarnings '^W: .* EXPSIG'
	143	testsuccessequal "$(cat "${PKGFILE}")
	144	" aptcache show apt
	145	failaptold
	146	rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
	147	else
	148	msgskip 'Not a new enough gpg available providing --fake-system-time'
	149	fi
	150
	151	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	152	prepare "${PKGFILE}"
	153	rm -rf rootdir/var/lib/apt/lists
	154	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	155	successfulaptgetupdate 'NO_PUBKEY'
	156	testsuccessequal "$(cat "${PKGFILE}")
	157	" aptcache show apt
	158	installaptold
	159
	160	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	161	prepare "${PKGFILE}"
	162	rm -rf rootdir/var/lib/apt/lists
	163	signreleasefiles 'Joe Sixpack,Rex Expired'
	164	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	165	successfulaptgetupdate 'EXPKEYSIG'
	166	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	167	testsuccessequal "$(cat "${PKGFILE}")
	168	" aptcache show apt
	169	installaptold
	170
	171	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	172	prepare "${PKGFILE}"
	173	rm -rf rootdir/var/lib/apt/lists
	174	signreleasefiles 'Marvin Paranoid'
	175	updatewithwarnings '^W: .* NO_PUBKEY'
	176	testsuccessequal "$(cat "${PKGFILE}")
	177	" aptcache show apt
	178	failaptold
	179
	180	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	181	prepare "${PKGFILE}-new"
	182	signreleasefiles 'Joe Sixpack'
	183	successfulaptgetupdate
	184	testsuccessequal "$(cat "${PKGFILE}-new")
	185	" aptcache show apt
	186	installaptnew
	187
	188	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	189	prepare "${PKGFILE}"
	190	rm -rf rootdir/var/lib/apt/lists
	191	signreleasefiles 'Joe Sixpack'
	192	successfulaptgetupdate
	193	testsuccessequal "$(cat "${PKGFILE}")
	194	" aptcache show apt
	195	installaptold
	196
	197	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	198	prepare "${PKGFILE}-new"
	199	signreleasefiles 'Marvin Paranoid'
	200	updatewithwarnings '^W: .* NO_PUBKEY'
	201	testsuccessequal "$(cat "${PKGFILE}")
	202	" aptcache show apt
	203	installaptold
	204
	205	msgmsg 'Good warm archive signed by' 'Rex Expired'
	206	prepare "${PKGFILE}-new"
	207	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	208	signreleasefiles 'Rex Expired'
	209	updatewithwarnings '^W: .* EXPKEYSIG'
	210	testsuccessequal "$(cat "${PKGFILE}")
	211	" aptcache show apt
	212	installaptold
	213	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	214
	215	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	216	prepare "${PKGFILE}-new"
	217	signreleasefiles
	218	successfulaptgetupdate
	219	testsuccessequal "$(cat "${PKGFILE}-new")
	220	" aptcache show apt
	221	installaptnew
	222
	223	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	224	prepare "${PKGFILE}"
	225	rm -rf rootdir/var/lib/apt/lists
	226	signreleasefiles 'Marvin Paranoid'
	227	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	228	sed -i "s#^$deb\(-src$\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	229	successfulaptgetupdate
	230	testsuccessequal "$(cat "${PKGFILE}")
	231	" aptcache show apt
	232	installaptold
	233
	234	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	235	rm -rf rootdir/var/lib/apt/lists
	236	signreleasefiles 'Joe Sixpack'
	237	updatewithwarnings '^W: .* NO_PUBKEY'
	238	sed -i "s#^$deb\(-src$\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	239
	240	local MARVIN="$(aptkey --keyring $MARVIN finger --with-colons \| grep '^fpr' \| cut -d':' -f 10)"
	241	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	242	rm -rf rootdir/var/lib/apt/lists
	243	signreleasefiles 'Joe Sixpack'
	244	sed -i "s#^$deb\(-src$\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	245	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
	246
	247	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	248	rm -rf rootdir/var/lib/apt/lists
	249	signreleasefiles 'Marvin Paranoid'
	250	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	251	successfulaptgetupdate
	252	testsuccessequal "$(cat "${PKGFILE}")
	253	" aptcache show apt
	254	installaptold
	255
	256	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
	257	rm -rf rootdir/var/lib/apt/lists
	258	signreleasefiles 'Marvin Paranoid,Joe Sixpack'
	259	successfulaptgetupdate 'NoPubKey: GOODSIG'
	260	testsuccessequal "$(cat "${PKGFILE}")
	261	" aptcache show apt
	262	installaptold
	263
	264	local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger --with-colons \| grep '^fpr' \| cut -d':' -f 10)"
	265	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	266	rm -rf rootdir/var/lib/apt/lists
	267	signreleasefiles 'Joe Sixpack'
	268	sed -i "s#^$deb\(-src$\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
	269	successfulaptgetupdate
	270	testsuccessequal "$(cat "${PKGFILE}")
	271	" aptcache show apt
	272	installaptold
	273
	274	msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
	275	rm -rf rootdir/var/lib/apt/lists
	276	sed -i "s#^$deb\(-src$\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
	277	successfulaptgetupdate
	278	testsuccessequal "$(cat "${PKGFILE}")
	279	" aptcache show apt
	280	installaptold
	281	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	282	sed -i "s#^$deb\(-src$\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
	283
	284	rm -rf rootdir/var/lib/apt/lists-bak
	285	cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
	286	prepare "${PKGFILE}-new"
	287	signreleasefiles 'Joe Sixpack'
	288
	289	msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
	290	sed -i "/^Valid-Until: / a\
	291	Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	292	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	293	successfulaptgetupdate
	294	testsuccessequal "$(cat "${PKGFILE}-new")
	295	" aptcache show apt
	296	installaptnew
	297
	298	msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
	299	rm -rf rootdir/var/lib/apt/lists
	300	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	301	sed -i "/^Valid-Until: / a\
	302	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	303	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	304	updatewithwarnings 'W: .* public key is not available: GOODSIG'
	305	testsuccessequal "$(cat "${PKGFILE}")
	306	" aptcache show apt
	307	installaptold
	308
	309	msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
	310	rm -rf rootdir/var/lib/apt/lists
	311	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	312	sed -i "/^Valid-Until: / a\
	313	Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
	314	Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
	315	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	316	successfulaptgetupdate
	317	testsuccessequal "$(cat "${PKGFILE}-new")
	318	" aptcache show apt
	319	installaptnew
	320
	321	msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
	322	rm -rf rootdir/var/lib/apt/lists
	323	cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
	324	sed -i "/^Valid-Until: / a\
	325	Signed-By: ${MARVIN} ${MARVIN}, \\
	326	${SIXPACK}" rootdir/var/lib/apt/lists/*Release
	327	touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
	328	successfulaptgetupdate
	329	testsuccessequal "$(cat "${PKGFILE}-new")
	330	" aptcache show apt
	331	installaptnew
	332	}
	333
	334	runtest2() {
	335	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	336	prepare "${PKGFILE}"
	337	rm -rf rootdir/var/lib/apt/lists
	338	signreleasefiles 'Joe Sixpack'
	339	successfulaptgetupdate
	340
	341	# New .deb but now an unsigned archive. For example MITM to circumvent
	342	# package verification.
	343	msgmsg 'Warm archive signed by' 'nobody'
	344	prepare "${PKGFILE}-new"
	345	find aptarchive/ $ -name InRelease -o -name Release.gpg $ -delete
	346	updatewithwarnings 'W: .* no longer signed.'
	347	testsuccessequal "$(cat "${PKGFILE}-new")
	348	" aptcache show apt
	349	failaptnew
	350
	351	# Unsigned archive from the beginning must also be detected.
	352	msgmsg 'Cold archive signed by' 'nobody'
	353	rm -rf rootdir/var/lib/apt/lists
	354	updatewithwarnings 'W: .* is not signed.'
	355	testsuccessequal "$(cat "${PKGFILE}-new")
	356	" aptcache show apt
	357	failaptnew
	358	}
	359
	360	runtest3() {
	361	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	362	msgmsg "Running base test with $1 digest"
	363	runtest2
	364
	365	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	366	export APT_DONT_SIGN="$DELETEFILE"
	367	msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
	368	runtest
	369	export APT_DONT_SIGN='Release.gpg'
	370	done
	371	}
	372
	373	# diable some protection by default and ensure we still do the verification
	374	# correctly
	375	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	376	Acquire::AllowInsecureRepositories "1";
	377	Acquire::AllowDowngradeToInsecureRepositories "1";
	378	EOF
	379	# the hash marked as configurable in our gpgv method
	380	export APT_TESTS_DIGEST_ALGO='SHA224'
	381
	382	successfulaptgetupdate() {
	383	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	384	if [ -n "$1" ]; then
	385	cp rootdir/tmp/testsuccess.output aptupdate.output
	386	testsuccess grep "$1" aptupdate.output
	387	fi
	388	}
	389	runtest3 'Trusted'
	390
	391	successfulaptgetupdate() {
	392	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	393	if [ -n "$1" ]; then
	394	testsuccess grep "$1" rootdir/tmp/testwarning.output
	395	fi
	396	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
	397	}
	398	runtest3 'Weak'
	399
	400	msgmsg "Running test with apt-untrusted digest"
	401	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	402	runfailure() {
	403	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	404	export APT_DONT_SIGN="$DELETEFILE"
	405	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	406	prepare "${PKGFILE}"
	407	rm -rf rootdir/var/lib/apt/lists
	408	signreleasefiles 'Joe Sixpack'
	409	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	410	testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
	411	testnopackage 'apt'
	412	testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	413	failaptold
	414	rm -rf rootdir/var/lib/apt/lists
	415	sed -i 's#^deb$-src$\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
	416	testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	417	failaptold
	418	sed -i 's#^deb$-src$\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
	419
	420	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	421	prepare "${PKGFILE}"
	422	rm -rf rootdir/var/lib/apt/lists
	423	signreleasefiles 'Marvin Paranoid'
	424	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	425	testnopackage 'apt'
	426	updatewithwarnings '^W: .* NO_PUBKEY'
	427	testsuccessequal "$(cat "${PKGFILE}")
	428	" aptcache show apt
	429	failaptold
	430	export APT_DONT_SIGN='Release.gpg'
	431	done
	432	}
	433	runfailure
	434
	435	msgmsg "Running test with gpgv-untrusted digest"
	436	export APT_TESTS_DIGEST_ALGO='MD5'
	437	runfailure