test/integration/test-apt-update-weak-hashes

   1 #!/bin/sh
   2 set -e
   3
   4 TESTDIR="$(readlink -f "$(dirname "$0")")"
   5 . "$TESTDIR/framework"
   6
   7 setupenvironment
   8 configarchitecture 'i386'
   9 confighashes 'MD5'
  10 export APT_DONT_SIGN=''
  11
  12 insertpackage 'unstable' 'foo' 'i386' '1.0'
  13 insertsource 'unstable' 'foo' 'any' '1.0'
  14
  15 setupaptarchive --no-update
  16 APTARCHIVE="$(readlink -f ./aptarchive)"
  17
  18 testnopkg() {
  19         testnopackage "$@"
  20         testnosrcpackage "$@"
  21 }
  22 testbadpkg() {
  23         testempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
  24         testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*Release'
  25         testnotempty apt show "$@"
  26         testnotempty apt showsrc "$@"
  27         testfailureequal "WARNING: The following packages cannot be authenticated!
  28   $*
  29 E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y "$@"
  30         testfailureequal "WARNING: The following packages cannot be authenticated!
  31   $*
  32 E: Some packages could not be authenticated" aptget source -qq "$@"
  33 }
  34
  35 testrun() {
  36         local TYPE="$1"
  37         local FILENAME="$2"
  38         shift 2
  39         local MANGLED="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "$FILENAME" | sed 's#/#_#g')"
  40         msgmsg "$TYPE contains only weak hashes"
  41         confighashes 'MD5'
  42         generatereleasefiles
  43         signreleasefiles
  44         preparetest
  45         if [ -z "$1" ]; then
  46                 listcurrentlistsdirectory > lists.before
  47                 testfailuremsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
  48 E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  49 N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  50 N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
  51                 testfileequal lists.before "$(listcurrentlistsdirectory)"
  52                 testnopkg 'foo'
  53         else
  54                 testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
  55 W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  56 N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  57 N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
  58                 testbadpkg 'foo'
  59         fi
  60
  61         msgmsg "$TYPE contains only weak hashes, but source allows weak"
  62         sed -i 's#^deb\(-src\)\? #deb\1 [allow-weak=yes] #' rootdir/etc/apt/sources.list.d/*
  63         genericprepare
  64         testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
  65 W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  66 N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  67 N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
  68         testbadpkg 'foo'
  69         sed -i 's#^deb\(-src\)\? \[allow-weak=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
  70
  71         msgmsg "$TYPE contains no hashes"
  72         generatereleasefiles
  73         sed -i -e '/^ / d' -e '/^MD5Sum:/ d' "$APTARCHIVE/dists/unstable/Release"
  74         signreleasefiles
  75         preparetest
  76         if [ -z "$1" ]; then
  77                 listcurrentlistsdirectory > lists.before
  78                 testfailuremsg "W: No Hash entry in Release file ${MANGLED}
  79 E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  80 N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  81 N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
  82                 testfileequal lists.before "$(listcurrentlistsdirectory)"
  83                 testnopkg 'foo'
  84         else
  85                 testwarningmsg "W: No Hash entry in Release file ${MANGLED}
  86 W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  87 N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  88 N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
  89                 testbadpkg 'foo'
  90         fi
  91
  92         msgmsg "$TYPE contains only weak hashes for some files"
  93         confighashes 'MD5' 'SHA256'
  94         generatereleasefiles
  95         sed -i '/^ [0-9a-fA-Z]\{64\} .*Sources$/d' "$APTARCHIVE/dists/unstable/Release"
  96         signreleasefiles
  97         preparetest
  98         if [ -z "$1" ]; then
  99                 testwarningmsg "W: Skipping acquire of configured file 'main/source/Sources' as repository 'file:${APTARCHIVE} unstable InRelease' provides only weak security information for it" apt update
 100                 testnosrcpackage foo
 101         else
 102                 rm -f rootdir/var/lib/apt/lists/partial/*
 103                 testsuccess apt update "$@"
 104                 testnotempty apt showsrc foo
 105         fi
 106         testsuccess apt show foo
 107 }
 108
 109 genericprepare() {
 110         rm -rf rootdir/var/lib/apt/lists
 111         mkdir -p rootdir/var/lib/apt/lists/partial
 112         touch rootdir/var/lib/apt/lists/lock
 113         local RELEASEGPG="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/Release.gpg" | sed 's#/#_#g')"
 114         touch "$RELEASEGPG"
 115         chmod 644 "$RELEASEGPG"
 116         local INRELEASE="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/InRelease" | sed 's#/#_#g')"
 117         touch "$INRELEASE"
 118         chmod 644 "$INRELEASE"
 119 }
 120 preparetest() {
 121         rm -f "${APTARCHIVE}/dists/unstable/Release" "${APTARCHIVE}/dists/unstable/Release.gpg"
 122         genericprepare
 123 }
 124 testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease"
 125 testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease" --allow-weak-repositories -o APT::Get::List-Cleanup=0
 126
 127 preparetest() {
 128         rm -f "${APTARCHIVE}/dists/unstable/InRelease"
 129         genericprepare
 130 }
 131 testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release"
 132 testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release" --allow-weak-repositories -o APT::Get::List-Cleanup=0
 133
 134 preparetest() {
 135         rm -f "${APTARCHIVE}/dists/unstable/InRelease" "${APTARCHIVE}/dists/unstable/Release.gpg"
 136         genericprepare
 137 }
 138
 139 msgmsg 'Moving between Release files with good and bad hashes'
 140 rm -rf rootdir/var/lib/apt/lists
 141 confighashes 'MD5'
 142 generatereleasefiles 'now - 7 days'
 143 signreleasefiles
 144 testfailure apt update
 145 testnopkg 'foo'
 146 testwarning apt update --allow-weak-repositories
 147 testbadpkg 'foo'
 148
 149 confighashes 'MD5' 'SHA256'
 150 rm -rf aptarchive/dists
 151 insertpackage 'unstable' 'foo2' 'i386' '1.0'
 152 insertsource 'unstable' 'foo2' 'any' '1.0'
 153 setupaptarchive --no-update 'now - 5 days'
 154 testsuccess apt update
 155 testnopkg foo
 156 testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
 157 testnotempty apt show foo2
 158 testnotempty apt showsrc foo2
 159
 160 confighashes 'MD5'
 161 rm -rf aptarchive/dists
 162 insertpackage 'unstable' 'foo3' 'i386' '1.0'
 163 insertsource 'unstable' 'foo3' 'any' '1.0'
 164 setupaptarchive --no-update 'now - 3 days'
 165 testfailure apt update
 166 testnopkg foo
 167 testnopkg foo3
 168 testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
 169 testnotempty apt show foo2
 170 testnotempty apt showsrc foo2
 171 testwarning apt update --allow-weak-repositories
 172 testnopkg foo2
 173 testbadpkg foo3
 174
 175 msgmsg 'Working with packages guarded only by weak hashes'
 176 confighashes 'MD5'
 177 rm -rf aptarchive/dists
 178 buildsimplenativepackage 'foo4' 'i386' '1' 'unstable'
 179 setupaptarchive --no-update
 180 testfailure apt update
 181 confighashes 'SHA256'
 182 generatereleasefiles 'now - 1 day'
 183 signreleasefiles
 184 testsuccess apt update
 185 cd downloaded
 186 testfailure apt download foo4
 187 cp ../rootdir/tmp/testfailure.output download.output
 188 testfailure grep 'Hash Sum mismatch' download.output
 189 testsuccess grep 'Insufficient information' download.output
 190
 191 testsuccess apt install foo4 -s
 192 testfailure apt install foo4 -dy
 193 cp ../rootdir/tmp/testfailure.output install.output
 194 testfailure grep 'Hash Sum mismatch' install.output
 195 testsuccess grep 'Insufficient information' download.output
 196
 197 testsuccess apt source foo4
 198 cp ../rootdir/tmp/testsuccess.output source.output
 199 testsuccess grep 'Skipping download of file' source.output
 200 testfailure test -e foo4_1.dsc
 201 testsuccess test -e foo4_1.tar.*
 202 cd ..