#!/bin/sh
# Integration test: how 'apt update' and the download commands behave when a
# repository's Release data carries only MD5 hashes, or no hashes at all.
# The expectations below treat such a repository as providing "only weak
# security information".
set -e

# Load the shared test framework that lives next to this script.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "${TESTDIR}/framework"

setupenvironment
configarchitecture i386
# Start with MD5 as the only configured hash so the archive is "weak".
confighashes MD5
# NOTE(review): APT_DONT_SIGN is read by the sourced framework; its exact
# effect is not visible in this file. Signing is done explicitly further down
# via signreleasefiles.
APT_DONT_SIGN=''
export APT_DONT_SIGN

insertpackage unstable foo i386 1.0
insertsource unstable foo any 1.0

# Build the archive without running 'apt update'; every update below is
# issued explicitly so that its outcome can be asserted.
setupaptarchive --no-update
APTARCHIVE="$(readlink -f ./aptarchive)"
# Run both framework "package is absent" checks, testnopackage and
# testnosrcpackage, with the same arguments.
# Arguments: $@ - package name(s), passed through unchanged
testnopkg() {
	local check_fn
	for check_fn in testnopackage testnosrcpackage; do
		"$check_fn" "$@"
	done
}
# Assert that the given package(s) are visible to apt but treated as
# unauthenticated:
#   - no *InRelease or *Release.gpg file is kept in the lists directory,
#     while a *Release file is present;
#   - 'apt show' and 'apt showsrc' produce output;
#   - 'aptget install -y' and 'aptget source' fail with the
#     "cannot be authenticated" warning.
# Arguments: $@ - package name(s); "$*" is embedded in the expected text
testbadpkg() {
	local lists_dir='rootdir/var/lib/apt/lists'
	local unauth_head="WARNING: The following packages cannot be authenticated!
$*"

	# The signature must not survive next to the weakly hashed Release data.
	testempty find "$lists_dir" -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
	testnotempty find "$lists_dir" -maxdepth 1 -name '*Release'

	testnotempty apt show "$@"
	testnotempty apt showsrc "$@"

	# Installing or fetching source has to be refused unless the user
	# explicitly allows unauthenticated packages.
	testfailureequal "${unauth_head}
E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y "$@"
	testfailureequal "${unauth_head}
E: Some packages could not be authenticated" aptget source -qq "$@"
}
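# Run the weak-hash scenarios against one flavour of Release file.
#
# Arguments:
#   $1  - label used in the progress messages (e.g. 'InRelease')
#   $2  - archive path of the Release file named in apt's diagnostics
#   $3+ - optional extra arguments for 'apt update'. Without them the
#         default policy is asserted (update refused, lists untouched);
#         with them the "allowed" outcome is asserted (warnings only and
#         the package is treated as unauthenticated).
# Globals: APTARCHIVE (read)
# Requires: the caller has defined preparetest for this flavour.
testrun() {
	local TYPE="$1"
	local FILENAME="$2"
	shift 2

	# Assign separately from 'local': 'local x="$(cmd)"' always reports the
	# status of 'local', which would hide a failing readlink from 'set -e'.
	local rootdir_abs MANGLED
	rootdir_abs="$(readlink -f ./rootdir)"
	MANGLED="${rootdir_abs}/var/lib/apt/lists/partial/$(echo "$FILENAME" | sed 's#/#_#g')"

	# Expected diagnostics, assembled once so the scenarios below differ
	# only in the parts that matter.
	local msg_repo msg_weakhash msg_nohash msg_refused msg_allowed
	msg_repo="The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information."
	msg_weakhash="W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes"
	msg_nohash="W: No Hash entry in Release file ${MANGLED}"
	msg_refused="E: ${msg_repo}
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details."
	msg_allowed="W: ${msg_repo}
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details."

	msgmsg "$TYPE contains only weak hashes"
	confighashes 'MD5'
	generatereleasefiles
	signreleasefiles
	preparetest
	if [ -z "$1" ]; then
		# Default policy: the update is an error and must leave the lists
		# directory exactly as it was.
		listcurrentlistsdirectory > lists.before
		testfailuremsg "${msg_weakhash}
${msg_refused}" apt update
		testfileequal lists.before "$(listcurrentlistsdirectory)"
		testnopkg 'foo'
	else
		testwarningmsg "${msg_weakhash}
${msg_allowed}" apt update "$@"
		testbadpkg 'foo'
	fi

	msgmsg "$TYPE contains only weak hashes, but source allows weak"
	# Opt in per source via the allow-weak option instead of the command line.
	sed -i 's#^deb\(-src\)\? #deb\1 [allow-weak=yes] #' rootdir/etc/apt/sources.list.d/*
	genericprepare
	testwarningmsg "${msg_weakhash}
${msg_allowed}" apt update "$@"
	testbadpkg 'foo'
	# Undo the opt-in so the remaining scenarios start from the default.
	sed -i 's#^deb\(-src\)\? \[allow-weak=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*

	msgmsg "$TYPE contains no hashes"
	generatereleasefiles
	# Strip every hash entry line and the MD5Sum header from the Release file.
	sed -i -e '/^ / d' -e '/^MD5Sum:/ d' "$APTARCHIVE/dists/unstable/Release"
	signreleasefiles
	preparetest
	if [ -z "$1" ]; then
		listcurrentlistsdirectory > lists.before
		testfailuremsg "${msg_nohash}
${msg_refused}" apt update
		testfileequal lists.before "$(listcurrentlistsdirectory)"
		testnopkg 'foo'
	else
		testwarningmsg "${msg_nohash}
${msg_allowed}" apt update "$@"
		testbadpkg 'foo'
	fi

	msgmsg "$TYPE contains only weak hashes for some files"
	confighashes 'MD5' 'SHA256'
	generatereleasefiles
	# Drop the 64-hex-digit (SHA256) entries for Sources so that only these
	# files are left with a weak hash. The class is limited to hex digits;
	# the previous 'A-Z' range also matched non-hex tokens.
	sed -i '/^ [0-9a-fA-F]\{64\} .*Sources$/d' "$APTARCHIVE/dists/unstable/Release"
	signreleasefiles
	preparetest
	if [ -z "$1" ]; then
		# NOTE(review): the expected text names 'InRelease' even when
		# FILENAME is the plain Release file; kept as written, confirm
		# against apt's actual output.
		testwarningmsg "W: Skipping acquire of configured file 'main/source/Sources' as repository 'file:${APTARCHIVE} unstable InRelease' provides only weak security information for it" apt update
		testnosrcpackage foo
	else
		rm -f rootdir/var/lib/apt/lists/partial/*
		testsuccess apt update "$@"
		testnotempty apt showsrc foo
	fi
	# The binary index still has a strong hash, so foo stays available.
	testsuccess apt show foo
}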
# Reset rootdir/var/lib/apt/lists: wipe it, recreate partial/ and the lock
# file, then pre-create empty mode-644 partial files for the archive's
# Release.gpg and InRelease.
# Globals: APTARCHIVE (read)
# NOTE(review): presumably the empty partial files stand in for leftovers of
# an earlier, interrupted update - confirm against the framework.
genericprepare() {
	local lists_dir='rootdir/var/lib/apt/lists'
	rm -rf "$lists_dir"
	mkdir -p "$lists_dir/partial"
	touch "$lists_dir/lock"

	local partial_dir="$(readlink -f ./rootdir)/var/lib/apt/lists/partial"
	local signed_name stale_file
	for signed_name in 'Release.gpg' 'InRelease'; do
		# The partial file is named after the archive path with '/' mapped to '_'.
		stale_file="${partial_dir}/$(echo "${APTARCHIVE}/dists/unstable/${signed_name}" | sed 's#/#_#g')"
		touch "$stale_file"
		chmod 644 "$stale_file"
	done
}
# preparetest for the InRelease flavour: remove Release and Release.gpg from
# the archive so only the inline-signed file is offered, then reset the
# lists directory.
# Globals: APTARCHIVE (read)
preparetest() {
	local dist_dir="${APTARCHIVE}/dists/unstable"
	rm -f "${dist_dir}/Release" "${dist_dir}/Release.gpg"
	genericprepare
}
# InRelease flavour: once with the default policy, once with weak
# repositories explicitly allowed on the command line.
# NOTE(review): List-Cleanup=0 presumably keeps the update from tidying the
# lists directory prepared by preparetest - confirm.
testrun InRelease "${APTARCHIVE}/dists/unstable/InRelease"
testrun InRelease "${APTARCHIVE}/dists/unstable/InRelease" \
	--allow-weak-repositories \
	-o APT::Get::List-Cleanup=0
# preparetest for the Release+Release.gpg flavour: remove InRelease from the
# archive so only the detached-signature pair is offered, then reset the
# lists directory.
# Globals: APTARCHIVE (read)
preparetest() {
	local dist_dir="${APTARCHIVE}/dists/unstable"
	rm -f "${dist_dir}/InRelease"
	genericprepare
}
# Release+Release.gpg flavour: same two passes, default policy first and
# then with weak repositories explicitly allowed.
testrun Release+Release.gpg "${APTARCHIVE}/dists/unstable/Release"
testrun Release+Release.gpg "${APTARCHIVE}/dists/unstable/Release" \
	--allow-weak-repositories \
	-o APT::Get::List-Cleanup=0
# preparetest for an unsigned archive: remove InRelease and Release.gpg so
# only the plain Release file remains, then reset the lists directory.
# Globals: APTARCHIVE (read)
# NOTE(review): nothing in the remainder of this file calls preparetest or
# testrun directly, so this definition appears to be unused here.
preparetest() {
	local dist_dir="${APTARCHIVE}/dists/unstable"
	rm -f "${dist_dir}/InRelease" "${dist_dir}/Release.gpg"
	genericprepare
}
# Transition test: the archive's Release file goes weak -> strong -> weak,
# with each generation dated newer than the one before.
msgmsg 'Moving between Release files with good and bad hashes'
rm -rf rootdir/var/lib/apt/lists

# Generation 1 (7 days old, MD5 only): refused by default; with the
# override foo is visible but only as an unauthenticated package.
confighashes 'MD5'
generatereleasefiles 'now - 7 days'
signreleasefiles
testfailure apt update
testnopkg 'foo'
testwarning apt update --allow-weak-repositories
testbadpkg 'foo'

# Generation 2 (5 days old, MD5 + SHA256, archive rebuilt with foo2): the
# update succeeds, foo is no longer listed, a signed Release variant is
# stored in the lists directory and foo2 is available.
confighashes 'MD5' 'SHA256'
rm -rf aptarchive/dists
insertpackage 'unstable' 'foo2' 'i386' '1.0'
insertsource 'unstable' 'foo2' 'any' '1.0'
setupaptarchive --no-update 'now - 5 days'
testsuccess apt update
testnopkg 'foo'
testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
testnotempty apt show 'foo2'
testnotempty apt showsrc 'foo2'

# Generation 3 (3 days old, MD5 only, archive rebuilt with foo3): the
# default update fails and must keep the previously stored state - the
# signed Release variant and foo2 stay, foo3 does not appear.
confighashes 'MD5'
rm -rf aptarchive/dists
insertpackage 'unstable' 'foo3' 'i386' '1.0'
insertsource 'unstable' 'foo3' 'any' '1.0'
setupaptarchive --no-update 'now - 3 days'
testfailure apt update
testnopkg 'foo'
testnopkg 'foo3'
testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
testnotempty apt show 'foo2'
testnotempty apt showsrc 'foo2'
# Only the explicit override replaces the stored data: foo2 disappears
# and foo3 is accepted as an unauthenticated package.
testwarning apt update --allow-weak-repositories
testnopkg 'foo2'
testbadpkg 'foo3'
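# Package-level check: the Release file ends up with a strong hash, but the
# package and source were added to the archive while only MD5 was configured.
# NOTE(review): this presumably leaves the index entries for foo4 with MD5
# only - confirm against the framework's archive generation.
msgmsg 'Working with packages guarded only by weak hashes'
confighashes 'MD5'
rm -rf aptarchive/dists
buildsimplenativepackage 'foo4' 'i386' '1' 'unstable'
setupaptarchive --no-update
testfailure apt update
# Regenerate and re-sign only the Release files, now with SHA256, so the
# update itself is accepted.
confighashes 'SHA256'
generatereleasefiles 'now - 1 day'
signreleasefiles
testsuccess apt update
cd downloaded

# Downloading must be refused for lack of usable hash information, not
# reported as a hash mismatch.
testfailure apt download foo4
cp ../rootdir/tmp/testfailure.output download.output
testfailure grep 'Hash Sum mismatch' download.output
testsuccess grep 'Insufficient information' download.output

# Simulation works, but the download-only install must fail the same way.
testsuccess apt install foo4 -s
testfailure apt install foo4 -dy
cp ../rootdir/tmp/testfailure.output install.output
testfailure grep 'Hash Sum mismatch' install.output
# Inspect the install log here; checking download.output again would pass
# regardless of why the install failed.
testsuccess grep 'Insufficient information' install.output

# 'apt source' succeeds overall but reports a skipped file: the .dsc is
# expected to be absent while the tarball is present.
testsuccess apt source foo4
cp ../rootdir/tmp/testsuccess.output source.output
testsuccess grep 'Skipping download of file' source.output
testfailure test -e foo4_1.dsc
testsuccess test -e foo4_1.tar.*
cd ..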