]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
projects / apt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
handle gpgv's weak-digests ERRSIG
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 buildaptarchive
11 setupflataptarchive
12 changetowebserver
13
14 webserverconfig 'aptwebserver::support::range' 'false'
15
16 prepare() {
17 local DATE="${2:-now}"
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
26 touch -d 'now - 1 year' "$release"
27 done
28 aptget clean
29 cp "$1" aptarchive/Packages
30 find aptarchive -name 'Release' -delete
31 compressfile 'aptarchive/Packages' "$DATE"
32 generatereleasefiles "$DATE"
33 }
34
35 installaptold() {
36 testsuccessequal "Reading package lists...
37 Building dependency tree...
38 Suggested packages:
39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
40 The following NEW packages will be installed:
41 apt
42 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43 After this operation, 5370 kB of additional disk space will be used.
44 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45 Download complete and in download only mode" aptget install apt -dy
46 }
47
48 installaptnew() {
49 testsuccessequal "Reading package lists...
50 Building dependency tree...
51 Suggested packages:
52 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
53 The following NEW packages will be installed:
54 apt
55 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
56 After this operation, 5808 kB of additional disk space will be used.
57 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
58 Download complete and in download only mode" aptget install apt -dy
59 }
60
61 failaptold() {
62 testfailureequal 'Reading package lists...
63 Building dependency tree...
64 Suggested packages:
65 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
66 The following NEW packages will be installed:
67 apt
68 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
69 After this operation, 5370 kB of additional disk space will be used.
70 WARNING: The following packages cannot be authenticated!
71 apt
72 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
73 }
74
75 failaptnew() {
76 testfailureequal 'Reading package lists...
77 Building dependency tree...
78 Suggested packages:
79 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
80 The following NEW packages will be installed:
81 apt
82 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
83 After this operation, 5808 kB of additional disk space will be used.
84 WARNING: The following packages cannot be authenticated!
85 apt
86 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
87 }
88
89 # fake our downloadable file
90 touch aptarchive/apt.deb
91
92 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
93
94 updatewithwarnings() {
95 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
96 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
97 }
98
99 runtest() {
100 local DELETEFILE="$1"
101 msgmsg 'Cold archive signed by' 'Joe Sixpack'
102 prepare "${PKGFILE}"
103 rm -rf rootdir/var/lib/apt/lists
104 signreleasefiles 'Joe Sixpack'
105 find aptarchive/ -name "$DELETEFILE" -delete
106 successfulaptgetupdate
107 testsuccessequal "$(cat "${PKGFILE}")
108 " aptcache show apt
109 installaptold
110
111 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
112 prepare "${PKGFILE}-new"
113 signreleasefiles 'Joe Sixpack'
114 find aptarchive/ -name "$DELETEFILE" -delete
115 successfulaptgetupdate
116 testsuccessequal "$(cat "${PKGFILE}-new")
117 " aptcache show apt
118 installaptnew
119
120 msgmsg 'Cold archive signed by' 'Rex Expired'
121 prepare "${PKGFILE}"
122 rm -rf rootdir/var/lib/apt/lists
123 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
124 signreleasefiles 'Rex Expired'
125 find aptarchive/ -name "$DELETEFILE" -delete
126 updatewithwarnings '^W: .* KEYEXPIRED'
127 testsuccessequal "$(cat "${PKGFILE}")
128 " aptcache show apt
129 failaptold
130 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
131
132 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
133 prepare "${PKGFILE}"
134 rm -rf rootdir/var/lib/apt/lists
135 signreleasefiles 'Marvin Paranoid'
136 find aptarchive/ -name "$DELETEFILE" -delete
137 updatewithwarnings '^W: .* NO_PUBKEY'
138 testsuccessequal "$(cat "${PKGFILE}")
139 " aptcache show apt
140 failaptold
141
142 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
143 prepare "${PKGFILE}-new"
144 signreleasefiles 'Joe Sixpack'
145 find aptarchive/ -name "$DELETEFILE" -delete
146 successfulaptgetupdate
147 testsuccessequal "$(cat "${PKGFILE}-new")
148 " aptcache show apt
149 installaptnew
150
151 msgmsg 'Cold archive signed by' 'Joe Sixpack'
152 prepare "${PKGFILE}"
153 rm -rf rootdir/var/lib/apt/lists
154 signreleasefiles 'Joe Sixpack'
155 find aptarchive/ -name "$DELETEFILE" -delete
156 successfulaptgetupdate
157 testsuccessequal "$(cat "${PKGFILE}")
158 " aptcache show apt
159 installaptold
160
161 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
162 prepare "${PKGFILE}-new"
163 signreleasefiles 'Marvin Paranoid'
164 find aptarchive/ -name "$DELETEFILE" -delete
165 updatewithwarnings '^W: .* NO_PUBKEY'
166 testsuccessequal "$(cat "${PKGFILE}")
167 " aptcache show apt
168 installaptold
169
170 msgmsg 'Good warm archive signed by' 'Rex Expired'
171 prepare "${PKGFILE}-new"
172 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
173 signreleasefiles 'Rex Expired'
174 find aptarchive/ -name "$DELETEFILE" -delete
175 updatewithwarnings '^W: .* KEYEXPIRED'
176 testsuccessequal "$(cat "${PKGFILE}")
177 " aptcache show apt
178 installaptold
179 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
180
181 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
182 prepare "${PKGFILE}-new"
183 signreleasefiles
184 find aptarchive/ -name "$DELETEFILE" -delete
185 successfulaptgetupdate
186 testsuccessequal "$(cat "${PKGFILE}-new")
187 " aptcache show apt
188 installaptnew
189
190 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
191 prepare "${PKGFILE}"
192 rm -rf rootdir/var/lib/apt/lists
193 signreleasefiles 'Marvin Paranoid'
194 find aptarchive/ -name "$DELETEFILE" -delete
195 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
196 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
197 successfulaptgetupdate
198 testsuccessequal "$(cat "${PKGFILE}")
199 " aptcache show apt
200 installaptold
201
202 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
203 rm -rf rootdir/var/lib/apt/lists
204 signreleasefiles 'Joe Sixpack'
205 find aptarchive/ -name "$DELETEFILE" -delete
206 updatewithwarnings '^W: .* NO_PUBKEY'
207
208 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
209 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
210
211 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
212 prepare "${PKGFILE}"
213 rm -rf rootdir/var/lib/apt/lists
214 signreleasefiles 'Marvin Paranoid'
215 find aptarchive/ -name "$DELETEFILE" -delete
216 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
217 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
218 successfulaptgetupdate
219 testsuccessequal "$(cat "${PKGFILE}")
220 " aptcache show apt
221 installaptold
222 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
223
224 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
225 rm -rf rootdir/var/lib/apt/lists
226 signreleasefiles 'Joe Sixpack'
227 find aptarchive/ -name "$DELETEFILE" -delete
228 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
229
230 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
231 }
232
233 runtest2() {
234 msgmsg 'Cold archive signed by' 'Joe Sixpack'
235 prepare "${PKGFILE}"
236 rm -rf rootdir/var/lib/apt/lists
237 signreleasefiles 'Joe Sixpack'
238 successfulaptgetupdate
239
240 # New .deb but now an unsigned archive. For example MITM to circumvent
241 # package verification.
242 msgmsg 'Warm archive signed by' 'nobody'
243 prepare "${PKGFILE}-new"
244 find aptarchive/ -name InRelease -delete
245 find aptarchive/ -name Release.gpg -delete
246 updatewithwarnings 'W: .* no longer signed.'
247 testsuccessequal "$(cat "${PKGFILE}-new")
248 " aptcache show apt
249 failaptnew
250
251 # Unsigned archive from the beginning must also be detected.
252 msgmsg 'Cold archive signed by' 'nobody'
253 rm -rf rootdir/var/lib/apt/lists
254 updatewithwarnings 'W: .* is not signed.'
255 testsuccessequal "$(cat "${PKGFILE}-new")
256 " aptcache show apt
257 failaptnew
258 }
259
260 runtest3() {
261 echo "Debug::Acquire::gpgv::configdigest::truststate \"$1\";" > rootdir/etc/apt/apt.conf.d/truststate
262 msgmsg "Running base test with $1 digest"
263 runtest2
264
265 for DELETEFILE in 'InRelease' 'Release.gpg'; do
266 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
267 runtest "$DELETEFILE"
268 done
269 }
270
271 # diable some protection by default and ensure we still do the verification
272 # correctly
273 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
274 Acquire::AllowInsecureRepositories "1";
275 Acquire::AllowDowngradeToInsecureRepositories "1";
276 EOF
277 # the hash marked as configureable in our gpgv method
278 export APT_TESTS_DIGEST_ALGO='SHA224'
279
280 successfulaptgetupdate() {
281 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
282 }
283 runtest3 'trusted'
284
285 successfulaptgetupdate() {
286 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
287 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
288 }
289 runtest3 'weak'
290
291 msgmsg "Running test with apt-untrusted digest"
292 echo "Debug::Acquire::gpgv::configdigest::truststate \"untrusted\";" > rootdir/etc/apt/apt.conf.d/truststate
293 runfailure() {
294 for DELETEFILE in 'InRelease' 'Release.gpg'; do
295 msgmsg 'Cold archive signed by' 'Joe Sixpack'
296 prepare "${PKGFILE}"
297 rm -rf rootdir/var/lib/apt/lists
298 signreleasefiles 'Joe Sixpack'
299 find aptarchive/ -name "$DELETEFILE" -delete
300 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
301 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
302 testnopackage 'apt'
303 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
304 failaptold
305
306 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
307 prepare "${PKGFILE}"
308 rm -rf rootdir/var/lib/apt/lists
309 signreleasefiles 'Marvin Paranoid'
310 find aptarchive/ -name "$DELETEFILE" -delete
311 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
312 testnopackage 'apt'
313 updatewithwarnings '^W: .* NO_PUBKEY'
314 testsuccessequal "$(cat "${PKGFILE}")
315 " aptcache show apt
316 failaptold
317 done
318 }
319 runfailure
320
321 msgmsg "Running test with gpgv-untrusted digest"
322 export APT_TESTS_DIGEST_ALGO='MD5'
323 runfailure
APT (for Cydia)