]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
projects / apt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
gpgv: handle expired sig as worthless
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 buildaptarchive
11 setupflataptarchive
12 changetowebserver
13
14 webserverconfig 'aptwebserver::support::range' 'false'
15
16 prepare() {
17 local DATE="${2:-now}"
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
26 touch -d 'now - 1 year' "$release"
27 done
28 aptget clean
29 cp "$1" aptarchive/Packages
30 find aptarchive -name 'Release' -delete
31 compressfile 'aptarchive/Packages' "$DATE"
32 generatereleasefiles "$DATE"
33 }
34
35 installaptold() {
36 testsuccessequal "Reading package lists...
37 Building dependency tree...
38 Suggested packages:
39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
40 The following NEW packages will be installed:
41 apt
42 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43 After this operation, 5370 kB of additional disk space will be used.
44 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45 Download complete and in download only mode" aptget install apt -dy
46 }
47
48 installaptnew() {
49 testsuccessequal "Reading package lists...
50 Building dependency tree...
51 Suggested packages:
52 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
53 The following NEW packages will be installed:
54 apt
55 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
56 After this operation, 5808 kB of additional disk space will be used.
57 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
58 Download complete and in download only mode" aptget install apt -dy
59 }
60
61 failaptold() {
62 testfailureequal 'Reading package lists...
63 Building dependency tree...
64 Suggested packages:
65 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
66 The following NEW packages will be installed:
67 apt
68 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
69 After this operation, 5370 kB of additional disk space will be used.
70 WARNING: The following packages cannot be authenticated!
71 apt
72 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
73 }
74
75 failaptnew() {
76 testfailureequal 'Reading package lists...
77 Building dependency tree...
78 Suggested packages:
79 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
80 The following NEW packages will be installed:
81 apt
82 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
83 After this operation, 5808 kB of additional disk space will be used.
84 WARNING: The following packages cannot be authenticated!
85 apt
86 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
87 }
88
89 # fake our downloadable file
90 touch aptarchive/apt.deb
91
92 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
93
94 updatewithwarnings() {
95 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
96 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
97 }
98
99 runtest() {
100 local DELETEFILE="$1"
101 msgmsg 'Cold archive signed by' 'Joe Sixpack'
102 prepare "${PKGFILE}"
103 rm -rf rootdir/var/lib/apt/lists
104 signreleasefiles 'Joe Sixpack'
105 find aptarchive/ -name "$DELETEFILE" -delete
106 successfulaptgetupdate
107 testsuccessequal "$(cat "${PKGFILE}")
108 " aptcache show apt
109 installaptold
110
111 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
112 prepare "${PKGFILE}-new"
113 signreleasefiles 'Joe Sixpack'
114 find aptarchive/ -name "$DELETEFILE" -delete
115 successfulaptgetupdate
116 testsuccessequal "$(cat "${PKGFILE}-new")
117 " aptcache show apt
118 installaptnew
119
120 msgmsg 'Cold archive signed by' 'Rex Expired'
121 prepare "${PKGFILE}"
122 rm -rf rootdir/var/lib/apt/lists
123 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
124 signreleasefiles 'Rex Expired'
125 find aptarchive/ -name "$DELETEFILE" -delete
126 updatewithwarnings '^W: .* EXPKEYSIG'
127 testsuccessequal "$(cat "${PKGFILE}")
128 " aptcache show apt
129 failaptold
130 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
131
132 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
133 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
134 touch rootdir/etc/apt/apt.conf.d/99gnupg2
135 elif gpg2 --version >/dev/null 2>&1; then
136 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
137 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
138 rm rootdir/etc/apt/apt.conf.d/99gnupg2
139 fi
140 fi
141 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
142 prepare "${PKGFILE}"
143 rm -rf rootdir/var/lib/apt/lists
144 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
145 find aptarchive/ -name "$DELETEFILE" -delete
146 updatewithwarnings '^W: .* EXPSIG'
147 testsuccessequal "$(cat "${PKGFILE}")
148 " aptcache show apt
149 failaptold
150 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
151 else
152 msgskip 'Not a new enough gpg available providing --fake-system-time'
153 fi
154
155 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
156 prepare "${PKGFILE}"
157 rm -rf rootdir/var/lib/apt/lists
158 signreleasefiles 'Marvin Paranoid'
159 find aptarchive/ -name "$DELETEFILE" -delete
160 updatewithwarnings '^W: .* NO_PUBKEY'
161 testsuccessequal "$(cat "${PKGFILE}")
162 " aptcache show apt
163 failaptold
164
165 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
166 prepare "${PKGFILE}-new"
167 signreleasefiles 'Joe Sixpack'
168 find aptarchive/ -name "$DELETEFILE" -delete
169 successfulaptgetupdate
170 testsuccessequal "$(cat "${PKGFILE}-new")
171 " aptcache show apt
172 installaptnew
173
174 msgmsg 'Cold archive signed by' 'Joe Sixpack'
175 prepare "${PKGFILE}"
176 rm -rf rootdir/var/lib/apt/lists
177 signreleasefiles 'Joe Sixpack'
178 find aptarchive/ -name "$DELETEFILE" -delete
179 successfulaptgetupdate
180 testsuccessequal "$(cat "${PKGFILE}")
181 " aptcache show apt
182 installaptold
183
184 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
185 prepare "${PKGFILE}-new"
186 signreleasefiles 'Marvin Paranoid'
187 find aptarchive/ -name "$DELETEFILE" -delete
188 updatewithwarnings '^W: .* NO_PUBKEY'
189 testsuccessequal "$(cat "${PKGFILE}")
190 " aptcache show apt
191 installaptold
192
193 msgmsg 'Good warm archive signed by' 'Rex Expired'
194 prepare "${PKGFILE}-new"
195 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
196 signreleasefiles 'Rex Expired'
197 find aptarchive/ -name "$DELETEFILE" -delete
198 updatewithwarnings '^W: .* EXPKEYSIG'
199 testsuccessequal "$(cat "${PKGFILE}")
200 " aptcache show apt
201 installaptold
202 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
203
204 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
205 prepare "${PKGFILE}-new"
206 signreleasefiles
207 find aptarchive/ -name "$DELETEFILE" -delete
208 successfulaptgetupdate
209 testsuccessequal "$(cat "${PKGFILE}-new")
210 " aptcache show apt
211 installaptnew
212
213 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
214 prepare "${PKGFILE}"
215 rm -rf rootdir/var/lib/apt/lists
216 signreleasefiles 'Marvin Paranoid'
217 find aptarchive/ -name "$DELETEFILE" -delete
218 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
219 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
220 successfulaptgetupdate
221 testsuccessequal "$(cat "${PKGFILE}")
222 " aptcache show apt
223 installaptold
224
225 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
226 rm -rf rootdir/var/lib/apt/lists
227 signreleasefiles 'Joe Sixpack'
228 find aptarchive/ -name "$DELETEFILE" -delete
229 updatewithwarnings '^W: .* NO_PUBKEY'
230
231 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
232 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
233
234 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
235 prepare "${PKGFILE}"
236 rm -rf rootdir/var/lib/apt/lists
237 signreleasefiles 'Marvin Paranoid'
238 find aptarchive/ -name "$DELETEFILE" -delete
239 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
240 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
241 successfulaptgetupdate
242 testsuccessequal "$(cat "${PKGFILE}")
243 " aptcache show apt
244 installaptold
245 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
246
247 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
248 rm -rf rootdir/var/lib/apt/lists
249 signreleasefiles 'Joe Sixpack'
250 find aptarchive/ -name "$DELETEFILE" -delete
251 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
252
253 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
254 }
255
256 runtest2() {
257 msgmsg 'Cold archive signed by' 'Joe Sixpack'
258 prepare "${PKGFILE}"
259 rm -rf rootdir/var/lib/apt/lists
260 signreleasefiles 'Joe Sixpack'
261 successfulaptgetupdate
262
263 # New .deb but now an unsigned archive. For example MITM to circumvent
264 # package verification.
265 msgmsg 'Warm archive signed by' 'nobody'
266 prepare "${PKGFILE}-new"
267 find aptarchive/ -name InRelease -delete
268 find aptarchive/ -name Release.gpg -delete
269 updatewithwarnings 'W: .* no longer signed.'
270 testsuccessequal "$(cat "${PKGFILE}-new")
271 " aptcache show apt
272 failaptnew
273
274 # Unsigned archive from the beginning must also be detected.
275 msgmsg 'Cold archive signed by' 'nobody'
276 rm -rf rootdir/var/lib/apt/lists
277 updatewithwarnings 'W: .* is not signed.'
278 testsuccessequal "$(cat "${PKGFILE}-new")
279 " aptcache show apt
280 failaptnew
281 }
282
283 runtest3() {
284 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
285 msgmsg "Running base test with $1 digest"
286 runtest2
287
288 for DELETEFILE in 'InRelease' 'Release.gpg'; do
289 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
290 runtest "$DELETEFILE"
291 done
292 }
293
294 # diable some protection by default and ensure we still do the verification
295 # correctly
296 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
297 Acquire::AllowInsecureRepositories "1";
298 Acquire::AllowDowngradeToInsecureRepositories "1";
299 EOF
300 # the hash marked as configureable in our gpgv method
301 export APT_TESTS_DIGEST_ALGO='SHA224'
302
303 successfulaptgetupdate() {
304 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
305 }
306 runtest3 'Trusted'
307
308 successfulaptgetupdate() {
309 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
310 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
311 }
312 runtest3 'Weak'
313
314 msgmsg "Running test with apt-untrusted digest"
315 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
316 runfailure() {
317 for DELETEFILE in 'InRelease' 'Release.gpg'; do
318 msgmsg 'Cold archive signed by' 'Joe Sixpack'
319 prepare "${PKGFILE}"
320 rm -rf rootdir/var/lib/apt/lists
321 signreleasefiles 'Joe Sixpack'
322 find aptarchive/ -name "$DELETEFILE" -delete
323 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
324 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
325 testnopackage 'apt'
326 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
327 failaptold
328
329 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
330 prepare "${PKGFILE}"
331 rm -rf rootdir/var/lib/apt/lists
332 signreleasefiles 'Marvin Paranoid'
333 find aptarchive/ -name "$DELETEFILE" -delete
334 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
335 testnopackage 'apt'
336 updatewithwarnings '^W: .* NO_PUBKEY'
337 testsuccessequal "$(cat "${PKGFILE}")
338 " aptcache show apt
339 failaptold
340 done
341 }
342 runfailure
343
344 msgmsg "Running test with gpgv-untrusted digest"
345 export APT_TESTS_DIGEST_ALGO='MD5'
346 runfailure
APT (for Cydia)