]> git.saurik.com Git - apt.git/blame_incremental - test/integration/test-apt-update-weak-hashes
Don't download "optional" files not in Release :/.
[apt.git] / test / integration / test-apt-update-weak-hashes
... / ...
CommitLineData
1#!/bin/sh
2set -e
3
4TESTDIR="$(readlink -f "$(dirname "$0")")"
5. "$TESTDIR/framework"
6
7setupenvironment
8configarchitecture 'i386'
9confighashes 'MD5'
10export APT_DONT_SIGN=''
11
12insertpackage 'unstable' 'foo' 'i386' '1.0'
13insertsource 'unstable' 'foo' 'any' '1.0'
14
15setupaptarchive --no-update
16APTARCHIVE="$(readlink -f ./aptarchive)"
17
18testnopkg() {
19 testnopackage "$@"
20 testnosrcpackage "$@"
21}
22testbadpkg() {
23 testempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
24 testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*Release'
25 testnotempty apt show "$@"
26 testnotempty apt showsrc "$@"
27 testfailureequal "WARNING: The following packages cannot be authenticated!
28 $*
29E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y "$@"
30 testfailureequal "WARNING: The following packages cannot be authenticated!
31 $*
32E: Some packages could not be authenticated" aptget source -qq "$@"
33}
34
35testrun() {
36 local TYPE="$1"
37 local FILENAME="$2"
38 shift 2
39 local MANGLED="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "$FILENAME" | sed 's#/#_#g')"
40 msgmsg "$TYPE contains only weak hashes"
41 confighashes 'MD5'
42 generatereleasefiles
43 signreleasefiles
44 preparetest
45 if [ -z "$1" ]; then
46 listcurrentlistsdirectory > lists.before
47 testfailuremsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
48E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
49N: Updating from such a repository can't be done securely, and is therefore disabled by default.
50N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
51 testfileequal lists.before "$(listcurrentlistsdirectory)"
52 testnopkg 'foo'
53 else
54 testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
55W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
56N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
57N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
58 testbadpkg 'foo'
59 fi
60
61 msgmsg "$TYPE contains only weak hashes, but source allows weak"
62 sed -i 's#^deb\(-src\)\? #deb\1 [allow-weak=yes] #' rootdir/etc/apt/sources.list.d/*
63 genericprepare
64 testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
65W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
66N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
67N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
68 testbadpkg 'foo'
69 sed -i 's#^deb\(-src\)\? \[allow-weak=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
70
71 msgmsg "$TYPE contains no hashes"
72 generatereleasefiles
73 sed -i -e '/^ / d' -e '/^MD5Sum:/ d' "$APTARCHIVE/dists/unstable/Release"
74 signreleasefiles
75 preparetest
76 if [ -z "$1" ]; then
77 listcurrentlistsdirectory > lists.before
78 testfailuremsg "W: No Hash entry in Release file ${MANGLED}
79E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
80N: Updating from such a repository can't be done securely, and is therefore disabled by default.
81N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
82 testfileequal lists.before "$(listcurrentlistsdirectory)"
83 testnopkg 'foo'
84 else
85 testwarningmsg "W: No Hash entry in Release file ${MANGLED}
86W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
87N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
88N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
89 testbadpkg 'foo'
90 fi
91
92 msgmsg "$TYPE contains only weak hashes for some files"
93 confighashes 'MD5' 'SHA256'
94 generatereleasefiles
95 sed -i '/^ [0-9a-fA-Z]\{64\} .*Sources$/d' "$APTARCHIVE/dists/unstable/Release"
96 signreleasefiles
97 preparetest
98 if [ -z "$1" ]; then
99 testwarningmsg "W: Skipping acquire of configured file 'main/source/Sources' as repository 'file:${APTARCHIVE} unstable InRelease' provides only weak security information for it" apt update
100 testnosrcpackage foo
101 else
102 rm -f rootdir/var/lib/apt/lists/partial/*
103 testsuccess apt update "$@"
104 testnotempty apt showsrc foo
105 fi
106 testsuccess apt show foo
107}
108
109genericprepare() {
110 rm -rf rootdir/var/lib/apt/lists
111 mkdir -p rootdir/var/lib/apt/lists/partial
112 touch rootdir/var/lib/apt/lists/lock
113 local RELEASEGPG="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/Release.gpg" | sed 's#/#_#g')"
114 touch "$RELEASEGPG"
115 chmod 644 "$RELEASEGPG"
116 local INRELEASE="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/InRelease" | sed 's#/#_#g')"
117 touch "$INRELEASE"
118 chmod 644 "$INRELEASE"
119}
120preparetest() {
121 rm -f "${APTARCHIVE}/dists/unstable/Release" "${APTARCHIVE}/dists/unstable/Release.gpg"
122 genericprepare
123}
124testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease"
125testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease" --allow-weak-repositories -o APT::Get::List-Cleanup=0
126
127preparetest() {
128 rm -f "${APTARCHIVE}/dists/unstable/InRelease"
129 genericprepare
130}
131testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release"
132testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release" --allow-weak-repositories -o APT::Get::List-Cleanup=0
133
134preparetest() {
135 rm -f "${APTARCHIVE}/dists/unstable/InRelease" "${APTARCHIVE}/dists/unstable/Release.gpg"
136 genericprepare
137}
138
139msgmsg 'Moving between Release files with good and bad hashes'
140rm -rf rootdir/var/lib/apt/lists
141confighashes 'MD5'
142generatereleasefiles 'now - 7 days'
143signreleasefiles
144testfailure apt update
145testnopkg 'foo'
146testwarning apt update --allow-weak-repositories
147testbadpkg 'foo'
148
149confighashes 'MD5' 'SHA256'
150rm -rf aptarchive/dists
151insertpackage 'unstable' 'foo2' 'i386' '1.0'
152insertsource 'unstable' 'foo2' 'any' '1.0'
153setupaptarchive --no-update 'now - 5 days'
154testsuccess apt update
155testnopkg foo
156testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
157testnotempty apt show foo2
158testnotempty apt showsrc foo2
159
160confighashes 'MD5'
161rm -rf aptarchive/dists
162insertpackage 'unstable' 'foo3' 'i386' '1.0'
163insertsource 'unstable' 'foo3' 'any' '1.0'
164setupaptarchive --no-update 'now - 3 days'
165testfailure apt update
166testnopkg foo
167testnopkg foo3
168testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
169testnotempty apt show foo2
170testnotempty apt showsrc foo2
171testwarning apt update --allow-weak-repositories
172testnopkg foo2
173testbadpkg foo3
174
175msgmsg 'Working with packages guarded only by weak hashes'
176confighashes 'MD5'
177rm -rf aptarchive/dists
178buildsimplenativepackage 'foo4' 'i386' '1' 'unstable'
179setupaptarchive --no-update
180testfailure apt update
181confighashes 'SHA256'
182generatereleasefiles 'now - 1 day'
183signreleasefiles
184testsuccess apt update
185cd downloaded
186testfailure apt download foo4
187cp ../rootdir/tmp/testfailure.output download.output
188testfailure grep 'Hash Sum mismatch' download.output
189testsuccess grep 'Insufficient information' download.output
190
191testsuccess apt install foo4 -s
192testfailure apt install foo4 -dy
193cp ../rootdir/tmp/testfailure.output install.output
194testfailure grep 'Hash Sum mismatch' install.output
195testsuccess grep 'Insufficient information' download.output
196
197testsuccess apt source foo4
198cp ../rootdir/tmp/testsuccess.output source.output
199testsuccess grep 'Skipping download of file' source.output
200testfailure test -e foo4_1.dsc
201testsuccess test -e foo4_1.tar.*
202cd ..