git.saurik.com Git - apt.git/blame_incremental - test/integration/test-releasefile-verification

... / ...

Commit	Line	Data
	1	#!/bin/sh
	2	set -e
	3
	4	TESTDIR="$(readlink -f "$(dirname "$0")")"
	5	. "$TESTDIR/framework"
	6
	7	setupenvironment
	8	configarchitecture "i386"
	9
	10	buildaptarchive
	11	setupflataptarchive
	12	changetowebserver
	13
	14	webserverconfig 'aptwebserver::support::range' 'false'
	15
	16	prepare() {
	17	local DATE="${2:-now}"
	18	if [ "$DATE" = 'now' ]; then
	19	if [ "$1" = "${PKGFILE}-new" ]; then
	20	DATE='now - 1 day'
	21	else
	22	DATE='now - 7 day'
	23	fi
	24	fi
	25	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
	26	touch -d 'now - 1 year' "$release"
	27	done
	28	aptget clean
	29	cp "$1" aptarchive/Packages
	30	find aptarchive -name 'Release' -delete
	31	compressfile 'aptarchive/Packages' "$DATE"
	32	generatereleasefiles "$DATE"
	33	}
	34
	35	installaptold() {
	36	testsuccessequal "Reading package lists...
	37	Building dependency tree...
	38	Suggested packages:
	39	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	40	The following NEW packages will be installed:
	41	apt
	42	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	43	After this operation, 5370 kB of additional disk space will be used.
	44	Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
	45	Download complete and in download only mode" aptget install apt -dy
	46	}
	47
	48	installaptnew() {
	49	testsuccessequal "Reading package lists...
	50	Building dependency tree...
	51	Suggested packages:
	52	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	53	The following NEW packages will be installed:
	54	apt
	55	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	56	After this operation, 5808 kB of additional disk space will be used.
	57	Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
	58	Download complete and in download only mode" aptget install apt -dy
	59	}
	60
	61	failaptold() {
	62	testfailureequal 'Reading package lists...
	63	Building dependency tree...
	64	Suggested packages:
	65	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	66	The following NEW packages will be installed:
	67	apt
	68	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	69	After this operation, 5370 kB of additional disk space will be used.
	70	WARNING: The following packages cannot be authenticated!
	71	apt
	72	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
	73	}
	74
	75	failaptnew() {
	76	testfailureequal 'Reading package lists...
	77	Building dependency tree...
	78	Suggested packages:
	79	aptitude \| synaptic \| wajig dpkg-dev apt-doc bzip2 lzma python-apt
	80	The following NEW packages will be installed:
	81	apt
	82	0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
	83	After this operation, 5808 kB of additional disk space will be used.
	84	WARNING: The following packages cannot be authenticated!
	85	apt
	86	E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
	87	}
	88
	89	# fake our downloadable file
	90	touch aptarchive/apt.deb
	91
	92	PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" \| sed 's#^test-#Packages-#')"
	93
	94	updatewithwarnings() {
	95	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	96	testsuccess grep -E "$1" rootdir/tmp/testwarning.output
	97	}
	98
	99	runtest() {
	100	local DELETEFILE="$1"
	101	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	102	prepare "${PKGFILE}"
	103	rm -rf rootdir/var/lib/apt/lists
	104	signreleasefiles 'Joe Sixpack'
	105	find aptarchive/ -name "$DELETEFILE" -delete
	106	successfulaptgetupdate
	107	testsuccessequal "$(cat "${PKGFILE}")
	108	" aptcache show apt
	109	installaptold
	110
	111	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	112	prepare "${PKGFILE}-new"
	113	signreleasefiles 'Joe Sixpack'
	114	find aptarchive/ -name "$DELETEFILE" -delete
	115	successfulaptgetupdate
	116	testsuccessequal "$(cat "${PKGFILE}-new")
	117	" aptcache show apt
	118	installaptnew
	119
	120	msgmsg 'Cold archive signed by' 'Rex Expired'
	121	prepare "${PKGFILE}"
	122	rm -rf rootdir/var/lib/apt/lists
	123	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	124	signreleasefiles 'Rex Expired'
	125	find aptarchive/ -name "$DELETEFILE" -delete
	126	updatewithwarnings '^W: .* KEYEXPIRED'
	127	testsuccessequal "$(cat "${PKGFILE}")
	128	" aptcache show apt
	129	failaptold
	130	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	131
	132	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	133	prepare "${PKGFILE}"
	134	rm -rf rootdir/var/lib/apt/lists
	135	signreleasefiles 'Marvin Paranoid'
	136	find aptarchive/ -name "$DELETEFILE" -delete
	137	updatewithwarnings '^W: .* NO_PUBKEY'
	138	testsuccessequal "$(cat "${PKGFILE}")
	139	" aptcache show apt
	140	failaptold
	141
	142	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	143	prepare "${PKGFILE}-new"
	144	signreleasefiles 'Joe Sixpack'
	145	find aptarchive/ -name "$DELETEFILE" -delete
	146	successfulaptgetupdate
	147	testsuccessequal "$(cat "${PKGFILE}-new")
	148	" aptcache show apt
	149	installaptnew
	150
	151	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	152	prepare "${PKGFILE}"
	153	rm -rf rootdir/var/lib/apt/lists
	154	signreleasefiles 'Joe Sixpack'
	155	find aptarchive/ -name "$DELETEFILE" -delete
	156	successfulaptgetupdate
	157	testsuccessequal "$(cat "${PKGFILE}")
	158	" aptcache show apt
	159	installaptold
	160
	161	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	162	prepare "${PKGFILE}-new"
	163	signreleasefiles 'Marvin Paranoid'
	164	find aptarchive/ -name "$DELETEFILE" -delete
	165	updatewithwarnings '^W: .* NO_PUBKEY'
	166	testsuccessequal "$(cat "${PKGFILE}")
	167	" aptcache show apt
	168	installaptold
	169
	170	msgmsg 'Good warm archive signed by' 'Rex Expired'
	171	prepare "${PKGFILE}-new"
	172	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	173	signreleasefiles 'Rex Expired'
	174	find aptarchive/ -name "$DELETEFILE" -delete
	175	updatewithwarnings '^W: .* KEYEXPIRED'
	176	testsuccessequal "$(cat "${PKGFILE}")
	177	" aptcache show apt
	178	installaptold
	179	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	180
	181	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	182	prepare "${PKGFILE}-new"
	183	signreleasefiles
	184	find aptarchive/ -name "$DELETEFILE" -delete
	185	successfulaptgetupdate
	186	testsuccessequal "$(cat "${PKGFILE}-new")
	187	" aptcache show apt
	188	installaptnew
	189
	190	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	191	prepare "${PKGFILE}"
	192	rm -rf rootdir/var/lib/apt/lists
	193	signreleasefiles 'Marvin Paranoid'
	194	find aptarchive/ -name "$DELETEFILE" -delete
	195	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	196	sed -i "s#^$deb\(-src$\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	197	successfulaptgetupdate
	198	testsuccessequal "$(cat "${PKGFILE}")
	199	" aptcache show apt
	200	installaptold
	201
	202	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	203	rm -rf rootdir/var/lib/apt/lists
	204	signreleasefiles 'Joe Sixpack'
	205	find aptarchive/ -name "$DELETEFILE" -delete
	206	updatewithwarnings '^W: .* NO_PUBKEY'
	207
	208	sed -i "s#^$deb\(-src$\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	209	local MARVIN="$(aptkey --keyring $MARVIN finger \| grep 'Key fingerprint' \| cut -d'=' -f 2 \| tr -d ' ')"
	210
	211	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	212	prepare "${PKGFILE}"
	213	rm -rf rootdir/var/lib/apt/lists
	214	signreleasefiles 'Marvin Paranoid'
	215	find aptarchive/ -name "$DELETEFILE" -delete
	216	sed -i "s#^$deb\(-src$\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	217	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	218	successfulaptgetupdate
	219	testsuccessequal "$(cat "${PKGFILE}")
	220	" aptcache show apt
	221	installaptold
	222	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	223
	224	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	225	rm -rf rootdir/var/lib/apt/lists
	226	signreleasefiles 'Joe Sixpack'
	227	find aptarchive/ -name "$DELETEFILE" -delete
	228	updatewithwarnings '^W: .* be verified because the public key is not available: .*'
	229
	230	sed -i "s#^$deb\(-src$\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	231	}
	232
	233	runtest2() {
	234	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	235	prepare "${PKGFILE}"
	236	rm -rf rootdir/var/lib/apt/lists
	237	signreleasefiles 'Joe Sixpack'
	238	successfulaptgetupdate
	239
	240	# New .deb but now an unsigned archive. For example MITM to circumvent
	241	# package verification.
	242	msgmsg 'Warm archive signed by' 'nobody'
	243	prepare "${PKGFILE}-new"
	244	find aptarchive/ -name InRelease -delete
	245	find aptarchive/ -name Release.gpg -delete
	246	updatewithwarnings 'W: .* no longer signed.'
	247	testsuccessequal "$(cat "${PKGFILE}-new")
	248	" aptcache show apt
	249	failaptnew
	250
	251	# Unsigned archive from the beginning must also be detected.
	252	msgmsg 'Cold archive signed by' 'nobody'
	253	rm -rf rootdir/var/lib/apt/lists
	254	updatewithwarnings 'W: .* is not signed.'
	255	testsuccessequal "$(cat "${PKGFILE}-new")
	256	" aptcache show apt
	257	failaptnew
	258	}
	259
	260	runtest3() {
	261	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	262	msgmsg "Running base test with $1 digest"
	263	runtest2
	264
	265	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	266	msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
	267	runtest "$DELETEFILE"
	268	done
	269	}
	270
	271	# diable some protection by default and ensure we still do the verification
	272	# correctly
	273	cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
	274	Acquire::AllowInsecureRepositories "1";
	275	Acquire::AllowDowngradeToInsecureRepositories "1";
	276	EOF
	277	# the hash marked as configureable in our gpgv method
	278	export APT_TESTS_DIGEST_ALGO='SHA224'
	279
	280	successfulaptgetupdate() {
	281	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	282	}
	283	runtest3 'Trusted'
	284
	285	successfulaptgetupdate() {
	286	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	287	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
	288	}
	289	runtest3 'Weak'
	290
	291	msgmsg "Running test with apt-untrusted digest"
	292	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
	293	runfailure() {
	294	for DELETEFILE in 'InRelease' 'Release.gpg'; do
	295	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	296	prepare "${PKGFILE}"
	297	rm -rf rootdir/var/lib/apt/lists
	298	signreleasefiles 'Joe Sixpack'
	299	find aptarchive/ -name "$DELETEFILE" -delete
	300	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	301	testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
	302	testnopackage 'apt'
	303	testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	304	failaptold
	305
	306	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	307	prepare "${PKGFILE}"
	308	rm -rf rootdir/var/lib/apt/lists
	309	signreleasefiles 'Marvin Paranoid'
	310	find aptarchive/ -name "$DELETEFILE" -delete
	311	testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	312	testnopackage 'apt'
	313	updatewithwarnings '^W: .* NO_PUBKEY'
	314	testsuccessequal "$(cat "${PKGFILE}")
	315	" aptcache show apt
	316	failaptold
	317	done
	318	}
	319	runfailure
	320
	321	msgmsg "Running test with gpgv-untrusted digest"
	322	export APT_TESTS_DIGEST_ALGO='MD5'
	323	runfailure