test/integration/test-apt-update-nofallback

   1 #!/bin/sh
   2 #
   3 # ensure we never fallback from a signed to a unsigned repo
   4 #
   5 # hash checks are done in
   6 #
   7 set -e
   8
   9 simulate_mitm_and_inject_evil_package()
  10 {
  11     redatereleasefiles '+1 hour'
  12     rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
  13     inject_evil_package
  14 }
  15
  16 inject_evil_package()
  17 {
  18     cat > "$APTARCHIVE/dists/unstable/main/binary-i386/Packages" <<EOF
  19 Package: evil
  20 Installed-Size: 29
  21 Maintainer: Joe Sixpack <joe@example.org>
  22 Architecture: all
  23 Version: 1.0
  24 Filename: pool/evil_1.0_all.deb
  25 Size: 1270
  26 Description: an autogenerated evil package
  27 EOF
  28     # avoid ims hit
  29     touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages
  30     compressfile aptarchive/dists/unstable/main/binary-i386/Packages
  31 }
  32
  33 assert_update_is_refused_and_last_good_state_used()
  34 {
  35     testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed.
  36 N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  37 N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update
  38
  39     assert_repo_is_intact
  40 }
  41
  42 assert_repo_is_intact()
  43 {
  44     testsuccessequal "foo/unstable 2.0 all" apt list -qq
  45     testsuccess aptget install -y -s foo
  46     testfailure aptget install -y evil
  47     testsuccess aptget source foo --print-uris
  48
  49     LISTDIR=rootdir/var/lib/apt/lists
  50     testempty find "$LISTDIR" -name 'InRelease' -o -name 'Release.gpg'
  51 }
  52
  53 setupaptarchive_with_lists_clean()
  54 {
  55     setupaptarchive --no-update
  56     rm -rf rootdir/var/lib/apt/lists
  57 }
  58
  59 test_from_inrelease_to_unsigned()
  60 {
  61     export APT_DONT_SIGN='Release.gpg'
  62     setupaptarchive_with_lists_clean
  63     testsuccess aptget update
  64     listcurrentlistsdirectory > lists.before
  65
  66     simulate_mitm_and_inject_evil_package
  67     assert_update_is_refused_and_last_good_state_used
  68     testfileequal lists.before "$(listcurrentlistsdirectory)"
  69 }
  70
  71 test_from_release_gpg_to_unsigned()
  72 {
  73     export APT_DONT_SIGN='InRelease'
  74     setupaptarchive_with_lists_clean
  75     testsuccess aptget update
  76     listcurrentlistsdirectory > lists.before
  77
  78     simulate_mitm_and_inject_evil_package
  79     assert_update_is_refused_and_last_good_state_used
  80     testfileequal lists.before "$(listcurrentlistsdirectory)"
  81 }
  82
  83 test_from_inrelease_to_unsigned_with_override()
  84 {
  85     export APT_DONT_SIGN='Release.gpg'
  86     # setup archive with InRelease file
  87     setupaptarchive_with_lists_clean
  88     testsuccess aptget update
  89
  90     # simulate moving to a unsigned but otherwise valid repo
  91     simulate_mitm_and_inject_evil_package
  92     generatereleasefiles '+2 hours'
  93     find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \;
  94
  95     # and ensure we can update to it (with enough force)
  96     testfailure apt update
  97     testfailure aptget update
  98     testfailure aptget update --allow-insecure-repositories
  99     testfailure aptget update --no-allow-insecure-repositories
 100     sed -i 's#^deb\(-src\)\? #deb\1 [allow-downgrade-to-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
 101     testfailure aptget update --no-allow-insecure-repositories
 102     testfailure apt update
 103     testwarning apt update --allow-insecure-repositories \
 104         -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1
 105     sed -i 's#^deb\(-src\)\? \[allow-downgrade-to-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
 106     # but that the individual packages are still considered untrusted
 107     testfailureequal "WARNING: The following packages cannot be authenticated!
 108   evil
 109 E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil
 110 }
 111
 112 test_from_inrelease_to_norelease_with_override()
 113 {
 114     # setup archive with InRelease file
 115     setupaptarchive_with_lists_clean
 116     testsuccess aptget update
 117
 118     # simulate moving to a unsigned but otherwise valid repo
 119     simulate_mitm_and_inject_evil_package
 120     find "$APTARCHIVE" -name '*Release*' -delete
 121     find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \;
 122
 123     # and ensure we can update to it (with enough force)
 124     testfailure aptget update
 125     testfailure aptget update --allow-insecure-repositories
 126     testwarning aptget update --allow-insecure-repositories \
 127         -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1
 128     # but that the individual packages are still considered untrusted
 129     testfailureequal "WARNING: The following packages cannot be authenticated!
 130   evil
 131 E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil
 132 }
 133
 134 test_cve_2012_0214()
 135 {
 136     # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108
 137     #
 138     # it was possible to MITM the download so that InRelease/Release.gpg
 139     # are not delivered (404) and a altered Release file was send
 140     #
 141     # apt left the old InRelease file in /var/lib/apt/lists and downloaded
 142     # the unauthenticated Release file too giving the false impression that
 143     # Release was authenticated
 144     #
 145     # Note that this is pretty much impossible nowadays because:
 146     # a) InRelease is left as is, not split to InRelease/Release as it was
 147     #    in the old days
 148     # b) we refuse to go from signed->unsigned
 149     #
 150     # Still worth having a regression test the simulates the condition
 151
 152     export APT_DONT_SIGN='Release.gpg'
 153     setupaptarchive_with_lists_clean
 154     testsuccess aptget update
 155     listcurrentlistsdirectory > lists.before
 156
 157     # do what CVE-2012-0214 did
 158     rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
 159     inject_evil_package
 160     # build valid Release file
 161     aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release
 162
 163     assert_update_is_refused_and_last_good_state_used
 164     testfileequal lists.before "$(listcurrentlistsdirectory)"
 165
 166     # ensure there is no _Release file downloaded
 167     testfailure ls rootdir/var/lib/apt/lists/*_Release
 168 }
 169
 170 test_subvert_inrelease()
 171 {
 172     export APT_DONT_SIGN='Release.gpg'
 173     setupaptarchive_with_lists_clean
 174     testsuccess aptget update
 175     listcurrentlistsdirectory > lists.before
 176
 177     # replace InRelease with something else
 178     mv "$APTARCHIVE/dists/unstable/Release" "$APTARCHIVE/dists/unstable/InRelease"
 179
 180     testfailuremsg "E: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
 181 E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
 182
 183     # ensure we keep the repo
 184     testfileequal lists.before "$(listcurrentlistsdirectory)"
 185     assert_repo_is_intact
 186 }
 187
 188 test_inrelease_to_invalid_inrelease()
 189 {
 190     export APT_DONT_SIGN='Release.gpg'
 191     setupaptarchive_with_lists_clean
 192     testsuccess aptget update
 193     listcurrentlistsdirectory > lists.before
 194
 195     # now remove InRelease and subvert Release do no longer verify
 196     sed -i 's/^Codename:.*/Codename: evil!/' "$APTARCHIVE/dists/unstable/InRelease"
 197     inject_evil_package
 198
 199     testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 200 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease  The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 201 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 202
 203     # ensure we keep the repo
 204     testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease
 205     testfileequal lists.before "$(listcurrentlistsdirectory)"
 206     assert_repo_is_intact
 207 }
 208
 209 test_release_gpg_to_invalid_release_release_gpg()
 210 {
 211     export APT_DONT_SIGN='InRelease'
 212     setupaptarchive_with_lists_clean
 213     testsuccess aptget update
 214     listcurrentlistsdirectory > lists.before
 215
 216     # now subvert Release do no longer verify
 217     echo "Some evil data" >> "$APTARCHIVE/dists/unstable/Release"
 218     inject_evil_package
 219
 220     testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 221 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg  The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 222 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 223
 224     testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release
 225     testfileequal lists.before "$(listcurrentlistsdirectory)"
 226     assert_repo_is_intact
 227 }
 228
 229
 230 TESTDIR="$(readlink -f "$(dirname "$0")")"
 231 . "$TESTDIR/framework"
 232
 233 setupenvironment
 234 configarchitecture "i386"
 235
 236 # a "normal" package with source and binary
 237 buildsimplenativepackage 'foo' 'all' '2.0'
 238
 239 # setup the archive and ensure we have a single package that installs fine
 240 setupaptarchive
 241 APTARCHIVE="$(readlink -f ./aptarchive)"
 242 assert_repo_is_intact
 243
 244 # test the various cases where a repo may go from signed->unsigned
 245 msgmsg "test_from_inrelease_to_unsigned"
 246 test_from_inrelease_to_unsigned
 247
 248 msgmsg "test_from_release_gpg_to_unsigned"
 249 test_from_release_gpg_to_unsigned
 250
 251 # ensure we do not regress on CVE-2012-0214
 252 msgmsg "test_cve_2012_0214"
 253 test_cve_2012_0214
 254
 255 # ensure InRelease can not be subverted
 256 msgmsg "test_subvert_inrelease"
 257 test_subvert_inrelease
 258
 259 # ensure we revert to last good state if InRelease does not verify
 260 msgmsg "test_inrelease_to_invalid_inrelease"
 261 test_inrelease_to_invalid_inrelease
 262
 263 # ensure we revert to last good state if Release/Release.gpg does not verify
 264 msgmsg "test_release_gpg_to_invalid_release_release_gpg"
 265 test_release_gpg_to_invalid_release_release_gpg
 266
 267 # ensure we can override the downgrade error
 268 msgmsg "test_from_inrelease_to_unsigned_with_override"
 269 test_from_inrelease_to_unsigned_with_override
 270 msgmsg "test_from_inrelease_to_norelease_with_override"
 271 test_from_inrelease_to_norelease_with_override