#!/bin/sh
# Integration test: how 'apt update' and the package commands behave when a
# repository's Release data offers only weak hashes (MD5 here), no hashes at
# all, or weak hashes for only some of the index files.
set -e

# Resolve the directory of this script and source the shared test framework
# from it; the helper commands used below are not defined in this file.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture 'i386'
# Begin with MD5 as the only configured hash.
confighashes 'MD5'
# NOTE(review): APT_DONT_SIGN is exported with an empty value; what that means
# is decided by the framework and is not visible here. Presumably it governs
# whether setupaptarchive signs the archive. Confirm against the framework.
export APT_DONT_SIGN=''

# One binary and one source package called foo in 'unstable'.
insertpackage 'unstable' 'foo' 'i386' '1.0'
insertsource 'unstable' 'foo' 'any' '1.0'

setupaptarchive --no-update
# Absolute archive path: it is embedded in the file: URIs of the expected
# messages and used to address the Release files directly.
APTARCHIVE="$(readlink -f ./aptarchive)"
# Assert that the given package names are known neither as binary nor as
# source packages. All arguments are handed to both framework checks.
testnopkg() {
	local check
	for check in testnopackage testnosrcpackage; do
		"$check" "$@"
	done
}
# Assert that the given packages are visible but unauthenticated:
#  - no signature material (InRelease / Release.gpg) is kept in the lists dir,
#  - a plain Release file is kept there,
#  - 'apt show' and 'apt showsrc' print something for the packages,
#  - non-interactive install and source download are refused as unauthenticated.
# Arguments: package names; they are also interpolated into the expected text.
# NOTE(review): the listing this was taken from drops leading whitespace, so
# any indentation in front of the package names in the expected warning could
# not be recovered. Compare the expected text with real apt-get output.
testbadpkg() {
	local listsdir='rootdir/var/lib/apt/lists'
	local unauthwarn="WARNING: The following packages cannot be authenticated!
$*"
	local subcmd

	testempty find "$listsdir" -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
	testnotempty find "$listsdir" -maxdepth 1 -name '*Release'
	for subcmd in show showsrc; do
		testnotempty apt "$subcmd" "$@"
	done
	testfailureequal "${unauthwarn}
E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y "$@"
	testfailureequal "${unauthwarn}
E: Some packages could not be authenticated" aptget source -qq "$@"
}
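# Run the weak-hash scenarios against one Release file layout.
#   $1    label for the progress messages (e.g. 'InRelease')
#   $2    path of the Release file inside the archive; used to derive the name
#         shown in apt's messages and, via basename, the repository description
#   $3..  optional extra arguments for 'apt update'. Without them the secure
#         default is asserted (update refused, lists untouched); with them the
#         update is expected to warn and carry on with unauthenticated data.
# A preparetest function matching the layout must be defined before the call.
testrun() {
	local TYPE="$1"
	local FILENAME="$2"
	shift 2
	# Name used in the expected messages: the archive path with every '/'
	# turned into '_', located below lists/partial/.
	local MANGLED="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "$FILENAME" | sed 's#/#_#g')"

	# Scenario 1: the Release file lists MD5 sums only.
	msgmsg "$TYPE contains only weak hashes"
	confighashes 'MD5'
	generatereleasefiles
	signreleasefiles
	preparetest
	if [ -z "$1" ]; then
		# Default policy: the update fails and the lists directory is unchanged.
		listcurrentlistsdirectory > lists.before
		testfailuremsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
		testfileequal lists.before "$(listcurrentlistsdirectory)"
		testnopkg 'foo'
	else
		# Explicit opt-in: the error is downgraded to a warning and the data
		# is used, but only as unauthenticated.
		testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
		testbadpkg 'foo'
	fi

	# Scenario 2: same weak Release file, but the opt-in comes from the
	# sources.list entry ([allow-weak=yes]) rather than from the command line.
	msgmsg "$TYPE contains only weak hashes, but source allows weak"
	sed -i 's#^deb\(-src\)\? #deb\1 [allow-weak=yes] #' rootdir/etc/apt/sources.list.d/*
	genericprepare
	testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
	testbadpkg 'foo'
	# Remove the per-source option again so later scenarios see the default.
	sed -i 's#^deb\(-src\)\? \[allow-weak=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*

	# Scenario 3: the Release file carries no hash entries at all; the MD5Sum
	# header and every indented entry line are deleted before signing.
	msgmsg "$TYPE contains no hashes"
	generatereleasefiles
	sed -i -e '/^ / d' -e '/^MD5Sum:/ d' "$APTARCHIVE/dists/unstable/Release"
	signreleasefiles
	preparetest
	if [ -z "$1" ]; then
		listcurrentlistsdirectory > lists.before
		testfailuremsg "W: No Hash entry in Release file ${MANGLED}
E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
		testfileequal lists.before "$(listcurrentlistsdirectory)"
		testnopkg 'foo'
	else
		testwarningmsg "W: No Hash entry in Release file ${MANGLED}
W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
		testbadpkg 'foo'
	fi

	# Scenario 4: MD5 and SHA256 are generated, then the 64-hex-digit entry
	# for Sources is dropped, leaving that one index with a weak hash only.
	msgmsg "$TYPE contains only weak hashes for some files"
	confighashes 'MD5' 'SHA256'
	generatereleasefiles
	# The digit class is limited to hexadecimal characters (A-F, not A-Z) so
	# the pattern can only match a 64-character hex digest.
	sed -i '/^ [0-9a-fA-F]\{64\} .*Sources$/d' "$APTARCHIVE/dists/unstable/Release"
	signreleasefiles
	preparetest
	if [ -z "$1" ]; then
		# Only the weakly hashed index is skipped; the update itself goes on.
		testwarningmsg "W: Skipping acquire of configured file 'main/source/Sources' as repository 'file:${APTARCHIVE} unstable InRelease' provides only weak security information for it" apt update
		testnosrcpackage foo
	else
		# NOTE(review): presumably this clears the placeholder files that
		# genericprepare leaves in partial/ so the update can succeed cleanly.
		rm -f rootdir/var/lib/apt/lists/partial/*
		testsuccess apt update "$@"
		testnotempty apt showsrc foo
	fi
	# The binary index kept its strong hash, so foo is visible either way.
	testsuccess apt show foo
}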
# Reset apt's lists directory to an empty state (with partial/ and the lock
# file) and drop empty, world-readable placeholders for the Release.gpg and
# InRelease of 'unstable' into partial/, named the way apt names them there.
# NOTE(review): presumably the placeholders check that stale partial files do
# not influence the verdict. Confirm against the test's history.
# Globals: APTARCHIVE (read)
genericprepare() {
	local lists='rootdir/var/lib/apt/lists'
	rm -rf "$lists"
	mkdir -p "$lists/partial"
	touch "$lists/lock"

	local partial="$(readlink -f ./rootdir)/var/lib/apt/lists/partial"
	local sigfile
	for sigfile in Release.gpg InRelease; do
		# '/' in the archive path becomes '_' in the stored file name.
		local stub="${partial}/$(echo "${APTARCHIVE}/dists/unstable/${sigfile}" | sed 's#/#_#g')"
		touch "$stub"
		chmod 644 "$stub"
	done
}
# Layout "InRelease only": delete Release and its detached signature from the
# archive, then reset the lists directory.
preparetest() {
	local dist="${APTARCHIVE}/dists/unstable"
	rm -f "${dist}/Release" "${dist}/Release.gpg"
	genericprepare
}
# InRelease layout, run twice: once with default settings, where testrun
# expects the update to be refused, and once with weak repositories allowed on
# the command line, where it expects warnings and unauthenticated packages.
testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease"
testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease" --allow-weak-repositories -o APT::Get::List-Cleanup=0
# Layout "Release + Release.gpg": delete the InRelease file from the archive so
# only the detached-signature pair remains, then reset the lists directory.
preparetest() {
	local dist="${APTARCHIVE}/dists/unstable"
	rm -f "${dist}/InRelease"
	genericprepare
}
# Release + Release.gpg layout, run twice: default settings first, then with
# weak repositories allowed on the command line.
testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release"
testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release" --allow-weak-repositories -o APT::Get::List-Cleanup=0
# Layout "unsigned Release only": delete both InRelease and the detached
# signature from the archive, then reset the lists directory.
# NOTE(review): no call to testrun or preparetest follows this definition in
# the visible script, so this variant looks unused here. Confirm.
preparetest() {
	local dist="${APTARCHIVE}/dists/unstable"
	rm -f "${dist}/InRelease" "${dist}/Release.gpg"
	genericprepare
}
# Checks what happens to already-fetched lists when a repository alternates
# between weak-only and strong hashes over successive Release files.
msgmsg 'Moving between Release files with good and bad hashes'
# Stage 1: MD5-only Release generated with the 'now - 7 days' argument.
# A plain update must fail and leave foo unknown; with weak repositories
# allowed it only warns and foo is usable but unauthenticated.
rm -rf rootdir/var/lib/apt/lists
confighashes 'MD5'
generatereleasefiles 'now - 7 days'
signreleasefiles
testfailure apt update
testnopkg 'foo'
testwarning apt update --allow-weak-repositories
testbadpkg 'foo'

# Stage 2: the archive is rebuilt ('now - 5 days') with MD5 and SHA256 and a
# new package foo2. The update succeeds, signature files are kept in the lists
# directory, foo2 is visible and foo is no longer known.
confighashes 'MD5' 'SHA256'
rm -rf aptarchive/dists
insertpackage 'unstable' 'foo2' 'i386' '1.0'
insertsource 'unstable' 'foo2' 'any' '1.0'
setupaptarchive --no-update 'now - 5 days'
testsuccess apt update
testnopkg foo
testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
testnotempty apt show foo2
testnotempty apt showsrc foo2

# Stage 3: the archive goes back to MD5 only ('now - 3 days') and adds foo3.
# The refused update must not disturb the good data fetched in stage 2: the
# signature files and foo2 are still there, foo3 is not picked up.
confighashes 'MD5'
rm -rf aptarchive/dists
insertpackage 'unstable' 'foo3' 'i386' '1.0'
insertsource 'unstable' 'foo3' 'any' '1.0'
setupaptarchive --no-update 'now - 3 days'
testfailure apt update
testnopkg foo
testnopkg foo3
testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
testnotempty apt show foo2
testnotempty apt showsrc foo2
# Once weak repositories are allowed, the weak data replaces the good data:
# foo2 disappears and foo3 is available only as unauthenticated.
testwarning apt update --allow-weak-repositories
testnopkg foo2
testbadpkg foo3
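# Checks that package and source files which are covered by weak hashes only
# are refused at download time even though the index update itself succeeds.
msgmsg 'Working with packages guarded only by weak hashes'
# Build a real package while MD5 is the only configured hash; the update
# against that archive is refused.
# NOTE(review): presumably the per-package index entries for foo4 then carry
# MD5 only, which is what the later download checks depend on. Confirm.
confighashes 'MD5'
rm -rf aptarchive/dists
buildsimplenativepackage 'foo4' 'i386' '1' 'unstable'
setupaptarchive --no-update
testfailure apt update
# Regenerate and re-sign only the Release files with SHA256 so that the
# update is accepted.
confighashes 'SHA256'
generatereleasefiles 'now - 1 day'
signreleasefiles
testsuccess apt update
cd downloaded
# The download has to fail for lack of trustworthy hash information, and must
# not be reported as a hash mismatch.
testfailure apt download foo4
cp ../rootdir/tmp/testfailure.output download.output
testfailure grep 'Hash Sum mismatch' download.output
testsuccess grep 'Insufficient information' download.output

# Simulation works, but an actual (download-only) install is refused.
testsuccess apt install foo4 -s
testfailure apt install foo4 -dy
cp ../rootdir/tmp/testfailure.output install.output
testfailure grep 'Hash Sum mismatch' install.output
# Assert on install.output here: grepping download.output again would only
# repeat the check above and leave the install failure reason unverified.
testsuccess grep 'Insufficient information' install.output

# 'apt source' exits successfully but reports skipped downloads; the .dsc
# must be absent while a foo4_1.tar.* file is expected to exist.
testsuccess apt source foo4
cp ../rootdir/tmp/testsuccess.output source.output
testsuccess grep 'Skipping download of file' source.output
testfailure test -e foo4_1.dsc
# The glob is left unquoted on purpose so any compression suffix matches.
testsuccess test -e foo4_1.tar.*
cd ..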