#!/bin/sh
set -e

# apt-key is itself a shell script, so it is relatively prone to being
# affected by 'crazy' path names. Two earlier variants are kept for reference:
#
# Disabled: confuses the config parser, as there is currently no way of
# escaping " in a config value.
#TMPDIR="$(mktemp -d)/This is \"fü\$\$ing cràzy\", \$(man man | head -n1 | cut -d' ' -f 1)\$!"
# Disabled: gpg doesn't like | in path names – documented e.g. in man gpg2
# under --agent-program.
#TMPDIR="$(mktemp -d)/This is fü\$\$ing cràzy, \$(man man | head -n1 | cut -d' ' -f 1)\$!"
#
# Active variant. Every $ is escaped, so the value holds the literal text
# "$$", "$(apt -v)" and "$!" next to spaces and non-ASCII letters. A path built
# from it that is expanded unquoted or evaluated a second time would no longer
# name the same directory, which is the kind of quoting mistake this test is
# meant to surface.
# NOTE(review): presumably consumed by the framework sourced below when it
# creates the temporary working directory — confirm there.
TMPDIR_ADD="This is fü\$\$ing cràzy, \$(apt -v)\$!"

# Resolve the directory this script lives in, then load the shared test helpers.
TESTDIR="$(dirname "$0")"
TESTDIR="$(readlink -f "$TESTDIR")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture 'amd64'
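# Start from a clean plate again: drop trusted.gpg and the whole trusted.gpg.d
# directory of the test root, then recreate the directory empty.
# Globals: ROOTDIR (read)
# Returns: non-zero (aborting the shell) if ROOTDIR is unset or empty
cleanplate() {
  # ${ROOTDIR:?} aborts instead of expanding to "". With an unset or empty
  # ROOTDIR these paths would otherwise resolve to /etc/apt/... on the machine
  # running the tests and wipe its real APT trust store.
  rm -rf -- "${ROOTDIR:?}/etc/apt/trusted.gpg.d/" "${ROOTDIR:?}/etc/apt/trusted.gpg"
  mkdir "${ROOTDIR}/etc/apt/trusted.gpg.d/"
}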
# Verify a file that carries more than one signature while only part of the
# signing keys is available. The aptkey call as a whole has to fail, and its
# captured output has to contain both a "Can't check signature" line and a
# "Good signature from" line (presumably one per signature — the first for the
# signer whose key is missing).
# Globals:   ROOTDIR (read)
# Arguments: "$@" - extra aptkey options followed by the verify command line
testmultigpg() {
  local multigpg_log="${ROOTDIR}/tmp/testfailure.output"

  testfailure --nomsg aptkey --quiet --readonly "$@"
  testsuccess grep "^gpgv: Can't check signature" "${multigpg_log}"
  testsuccess grep '^gpgv: Good signature from' "${multigpg_log}"
}
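# Run the complete apt-key scenario once against the current ROOTDIR/KEYDIR:
# listing, update, add, export, key removal with different key specs and
# keyring layouts, merge-back through 'adv', and signing plus verification
# with single- and double-signed files.
# Globals:   ROOTDIR, KEYDIR, TMPWORKINGDIRECTORY (read)
# Outputs:   writes config snippets below ${ROOTDIR}/etc/apt/apt.conf.d and
#            helper keyrings below ${KEYDIR}; test results go through the
#            framework helpers
testrun() {
  # Joe Sixpack is the archive key, Rex Expired is on the removal list.
  echo "APT::Key::ArchiveKeyring \"${KEYDIR}/joesixpack.pub\";
APT::Key::RemovedKeys \"${KEYDIR}/rexexpired.pub\";" > "${ROOTDIR}/etc/apt/apt.conf.d/aptkey.conf"

  cleanplate
  ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testaptkeys 'Joe Sixpack'

  testsuccess aptkey list
  msgtest 'Check that paths in list output are not' 'double-slashed'
  testfailure --nomsg grep '//' "${ROOTDIR}/tmp/testsuccess.output"

  testsuccess aptkey finger
  msgtest 'Check that paths in finger output are not' 'double-slashed'
  testfailure --nomsg grep '//' "${ROOTDIR}/tmp/testsuccess.output"

  # NOTE(review): the expected text is compared verbatim; if this listing was
  # copied from a rendered page, confirm that runs of spaces inside the gpg
  # output lines survived.
  testsuccessequal 'gpg: key DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1' aptkey --fakeroot update

  # The update must not have created a trusted.gpg.
  testaptkeys 'Joe Sixpack'
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg"

  # A keyring created by 'add' has to end up with mode 644.
  testsuccess aptkey --fakeroot add "${KEYDIR}/rexexpired.pub"
  testfilestats "${ROOTDIR}/etc/apt/trusted.gpg" '%a' '=' '644'

  testaptkeys 'Rex Expired' 'Joe Sixpack'

  # Exporting by name and exporting the whole single-key keyring must give
  # byte-identical, non-empty output.
  msgtest 'Check that Sixpack key can be' 'exported'
  aptkey export 'Sixpack' > "${TMPWORKINGDIRECTORY}/aptkey.export"
  aptkey --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg" exportall > "${TMPWORKINGDIRECTORY}/aptkey.exportall"
  testsuccess --nomsg cmp "${TMPWORKINGDIRECTORY}/aptkey.export" "${TMPWORKINGDIRECTORY}/aptkey.exportall"
  testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.export"
  testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.exportall"

  msgtest 'Execute update again to trigger removal of' 'Rex Expired key'
  testsuccess --nomsg aptkey --fakeroot update

  testaptkeys 'Joe Sixpack'

  # Deleting from a forced keyring that does not hold the key must succeed
  # and leave the key in trusted.gpg.d alone.
  msgtest "Try to remove a key which exists, but isn't in the" 'forced keyring'
  testsuccess --nomsg aptkey --fakeroot --keyring "${ROOTDIR}/etc/apt/trusted.gpg" del DBAC8DAE

  testaptkeys 'Joe Sixpack'

  testsuccess aptkey --fakeroot del DBAC8DAE
  testempty aptkey list

  # Key removal with different key specs and keyring layouts. Each case checks
  # that the key is gone from the listing and, where a whole file was affected,
  # that the previous content is kept as a '~' backup.
  # Short (32-bit) key IDs such as DBAC8DAE are used here for coverage only;
  # they are not collision-resistant, so tooling that manages a real trust
  # store should identify keys by full fingerprint.
  msgtest 'Test key removal with' 'lowercase key ID' #keylength somewhere between 8byte and short
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess --nomsg aptkey --fakeroot del d141dbac8dae
  testempty aptkey list

  msgtest 'Test key removal with' 'single key in real file'
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
  testempty aptkey list
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"

  msgtest 'Test key removal with' 'different key specs'
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  cp -a "${KEYDIR}/marvinparanoid.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.gpg"
  testsuccess --nomsg aptkey --fakeroot del 0xDBAC8DAE 528144E2
  testempty aptkey list
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.gpg"
  testsuccess cmp "${KEYDIR}/marvinparanoid.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.gpg~"

  msgtest 'Test key removal with' 'long key ID'
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
  testempty aptkey list
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"

  msgtest 'Test key removal with' 'fingerprint'
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess --nomsg aptkey --fakeroot del 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
  testempty aptkey list
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"

  # For a keyring that is a symlink, the '~' backup has to be a symlink too.
  msgtest 'Test key removal with' 'single key in softlink'
  cleanplate
  ln -s "$(readlink -f "${KEYDIR}/joesixpack.pub")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
  testempty aptkey list
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"

  # Build a two-key keyring; the second key is added through a path that
  # contains a space and non-ASCII characters.
  cleanplate
  testsuccess aptkey --fakeroot add "${KEYDIR}/joesixpack.pub"
  ln -sf "$(readlink -f "${KEYDIR}/marvinparanoid.pub")" "${KEYDIR}/marvin paránöid.pub"
  testsuccess aptkey --fakeroot add "${KEYDIR}/marvin paránöid.pub"
  testaptkeys 'Joe Sixpack' 'Marvin Paranoid'
  cp -a "${ROOTDIR}/etc/apt/trusted.gpg" "${KEYDIR}/testcase-multikey.pub" # store for reuse

  msgtest 'Test key removal with' 'multi key in real file'
  cleanplate
  cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
  testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
  testaptkeys 'Marvin Paranoid'
  testsuccess cmp "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"

  # After the removal the keyring itself is no longer a symlink, while the
  # backup still is one.
  msgtest 'Test key removal with' 'multi key in softlink'
  cleanplate
  ln -s "$(readlink -f "${KEYDIR}/testcase-multikey.pub")" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
  testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
  testaptkeys 'Marvin Paranoid'
  testsuccess cmp "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"
  testfailure test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
  testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"

  msgtest 'Test key removal with' 'multiple files including key'
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
  testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
  testaptkeys 'Marvin Paranoid'
  testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
  testsuccess cmp "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"

  # Merge-back: keys imported or deleted through 'adv' have to show up in the
  # aptkey listing afterwards. Joe Sixpack is present in both files and is
  # therefore listed twice.
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
  testaptkeys 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
  msgtest 'Test merge-back of' 'added keys'
  testsuccess --nomsg aptkey adv --batch --yes --import "${KEYDIR}/rexexpired.pub"
  testaptkeys 'Rex Expired' 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'

  msgtest 'Test merge-back of' 'removed keys'
  testsuccess --nomsg aptkey adv --batch --yes --delete-keys 27CE74F9
  testaptkeys 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'

  msgtest 'Test merge-back of' 'removed duplicate keys'
  testsuccess --nomsg aptkey adv --batch --yes --delete-keys DBAC8DAE
  testaptkeys 'Marvin Paranoid'

  # Signing and verification with a single signature (Marvin).
  cleanplate
  cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
  cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
  local SIGNATURE="${TMPWORKINGDIRECTORY}/signature"
  msgtest 'Test signing a file' 'with a key'
  echo 'Verify me. This is my signature.' > "$SIGNATURE"
  echo 'lalalalala' > "${SIGNATURE}2"
  testsuccess --nomsg aptkey --quiet --keyring "${KEYDIR}/marvinparanoid.pub" --secret-keyring "${KEYDIR}/marvinparanoid.sec" --readonly \
    adv --batch --yes --default-key 'Marvin' --armor --detach-sign --sign --output "${SIGNATURE}.gpg" "${SIGNATURE}"
  # Two separate checks instead of 'test ... -a ...': the -a operator is
  # obsolescent and a five-argument test has unspecified results in POSIX sh.
  testsuccess test -s "${SIGNATURE}.gpg"
  testsuccess test -s "${SIGNATURE}"

  # Neither of the two files handed to verify is a signature.
  msgtest 'Test verify a file' 'with no sig'
  testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub" verify "${SIGNATURE}" "${SIGNATURE}2"

  # Repeat the verify checks with the default verifier and with gpgv/gpgv2
  # forced through APT::Key::GPGVCommand.
  for GPGV in '' 'gpgv' 'gpgv2'; do
    echo "APT::Key::GPGVCommand \"$GPGV\";" > "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"

    msgtest 'Test verify a file' 'with all keys'
    testsuccess --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test verify a file' 'with good keyring'
    testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test fail verify a file' 'with bad keyring'
    testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/joesixpack.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    # A missing keyring must make verification fail, and the failed call must
    # not create the file as a side effect.
    msgtest 'Test fail verify a file' 'with non-existing keyring'
    testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/does-not-exist.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
    testfailure test -e "${KEYDIR}/does-not-exist.pub"

    # note: this isn't how apt's gpgv method implements keyid for verify
    msgtest 'Test verify a file' 'with good keyid'
    testsuccess --nomsg aptkey --quiet --readonly --keyid 'Paranoid' verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test fail verify a file' 'with bad keyid'
    testfailure --nomsg aptkey --quiet --readonly --keyid 'Sixpack' verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test fail verify a file' 'with non-existing keyid'
    testfailure --nomsg aptkey --quiet --readonly --keyid 'Kalnischkies' verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    # A valid signature checked against different content must be rejected.
    msgtest 'Test verify fails on' 'bad file'
    testfailure --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}2"
  done
  rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"

  msgtest 'Test verify a file' 'with good keyring'
  testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"

  # Same checks for a file signed by two keys (Marvin and Joe).
  cleanplate
  cat "${KEYDIR}/joesixpack.pub" "${KEYDIR}/marvinparanoid.pub" > "${KEYDIR}/double.pub"
  cat "${KEYDIR}/joesixpack.sec" "${KEYDIR}/marvinparanoid.sec" > "${KEYDIR}/double.sec"
  cp -a "${KEYDIR}/double.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/double.gpg"
  cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
  rm -f "${SIGNATURE}.gpg"
  testsuccess aptkey --quiet --keyring "${KEYDIR}/double.pub" --secret-keyring "${KEYDIR}/double.sec" --readonly \
    adv --batch --yes -u 'Marvin' -u 'Joe' --armor --detach-sign --sign --output "${SIGNATURE}.gpg" "${SIGNATURE}"
  testsuccess test -s "${SIGNATURE}.gpg"
  testsuccess test -s "${SIGNATURE}"

  for GPGV in '' 'gpgv' 'gpgv2'; do
    echo "APT::Key::GPGVCommand \"$GPGV\";" > "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"

    msgtest 'Test verify a doublesigned file' 'with all keys'
    testsuccess --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    # With only one signer's key available the call is expected to fail while
    # still reporting one good signature (asserted by testmultigpg).
    msgtest 'Test verify a doublesigned file' 'with good keyring joe'
    testmultigpg --keyring "${KEYDIR}/joesixpack.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test verify a doublesigned file' 'with good keyring marvin'
    testmultigpg --keyring "${KEYDIR}/marvinparanoid.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test fail verify a doublesigned file' 'with bad keyring'
    testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/rexexpired.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test fail verify a doublesigned file' 'with non-existing keyring'
    testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/does-not-exist.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
    testfailure test -e "${KEYDIR}/does-not-exist.pub"

    # note: this isn't how apt's gpgv method implements keyid for verify
    msgtest 'Test verify a doublesigned file' 'with good keyid'
    testmultigpg --keyid 'Paranoid' verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test fail verify a doublesigned file' 'with bad keyid'
    testfailure --nomsg aptkey --quiet --readonly --keyid 'Rex' verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test fail verify a doublesigned file' 'with non-existing keyid'
    testfailure --nomsg aptkey --quiet --readonly --keyid 'Kalnischkies' verify "${SIGNATURE}.gpg" "${SIGNATURE}"

    msgtest 'Test verify fails on' 'bad doublesigned file'
    testfailure --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}2"
  done
  rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"
}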
# Force apt-key to use a specific gpg command and check that the binary it
# ends up running reports the expected major version.
# Globals:   ROOTDIR, TMPWORKINGDIRECTORY (read)
# Arguments: $1 - command written to APT::Key::GPGCommand
#            $2 - major version expected in the "gpg (GnuPG) <major>." banner
setupgpgcommand() {
  local wanted_gpg="$1"
  local wanted_major="$2"
  local version_log="${TMPWORKINGDIRECTORY}/aptkey.version"

  echo "APT::Key::GPGCommand \"${wanted_gpg}\";" > "${ROOTDIR}/etc/apt/apt.conf.d/00gpgcmd"
  msgmsg 'Force tests to be run with' "${wanted_gpg}"

  # Keep a copy of the version output: the next testsuccess call overwrites
  # testsuccess.output.
  testsuccess aptkey --readonly adv --version
  cp "${ROOTDIR}/tmp/testsuccess.output" "${version_log}"
  testsuccess grep "^gpg (GnuPG) ${wanted_major}\." "${version_log}"
}
# First pass: default gpg (whatever that is), relative paths, unchanged CWD.
ROOTDIR="./rootdir"
KEYDIR="./keys"
testrun

# Remaining passes: absolute paths, executed from inside a directory whose
# mode is reduced to 600 after entering it, so relative lookups from the
# current directory cannot be relied on.
# NOTE(review): mode 600 only restricts unprivileged users; when the suite runs
# as root the directory stays reachable — confirm how the framework handles it.
ROOTDIR="${TMPWORKINGDIRECTORY}/rootdir"
KEYDIR="${TMPWORKINGDIRECTORY}/keys"
mkdir inaccessible
cd inaccessible
chmod 600 ../inaccessible
testfilestats "${TMPWORKINGDIRECTORY}/inaccessible" '%a' '=' '600'

# Each entry is "<gpg command> <expected major version>".
for gpg_under_test in 'gpg 1' 'gpg2 2'; do
  setupgpgcommand "${gpg_under_test% *}" "${gpg_under_test#* }"
  testrun
done