update: Run Post-Invoke-Success if not all sources failed
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 buildaptarchive
11 setupflataptarchive
12 changetowebserver
13
14 webserverconfig 'aptwebserver::support::range' 'false'
15
# Publish "$1" as the archive's Packages file and regenerate the Release files.
#   $1 - Packages file to copy into aptarchive/
#   $2 - optional date for the generated files; when it is omitted or 'now',
#        the "${PKGFILE}-new" file is dated one day back and any other file
#        seven days back
prepare() {
	local DATE="${2:-now}"
	if [ "$DATE" = 'now' ]; then
		case "$1" in
			"${PKGFILE}-new") DATE='now - 1 day' ;;
			*) DATE='now - 7 day' ;;
		esac
	fi
	# Backdate everything already in the lists directory by one year. find's
	# error output is discarded, so a missing directory is simply skipped.
	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
		touch -d 'now - 1 year' "$release"
	done
	aptget clean
	cp "$1" aptarchive/Packages
	# Remove the old Release files before fresh ones are generated.
	find aptarchive -name 'Release' -delete
	compressfile 'aptarchive/Packages' "$DATE"
	generatereleasefiles "$DATE"
}
34
# Expect a download-only install of apt to succeed and to fetch version
# 0.7.25.3 from the local test webserver.
# NOTE(review): the expected text appears to be compared verbatim; leading
# whitespace inside it may have been lost in this listing -- verify against
# real apt output.
installaptold() {
	local WANTED="Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
Download complete and in download only mode"
	testsuccessequal "$WANTED" aptget install apt -dy
}
47
# Expect a download-only install of apt to succeed and to fetch version
# 0.8.0~pre1 from the local test webserver.
# NOTE(review): the expected text appears to be compared verbatim; leading
# whitespace inside it may have been lost in this listing -- verify against
# real apt output.
installaptnew() {
	local WANTED="Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
Download complete and in download only mode"
	testsuccessequal "$WANTED" aptget install apt -dy
}
60
# Expect the install of the old apt version (5370 kB) to be refused: the
# package cannot be authenticated and -y was given without
# --allow-unauthenticated.
# NOTE(review): the expected text appears to be compared verbatim; leading
# whitespace inside it may have been lost in this listing -- verify against
# real apt output.
failaptold() {
	local WANTED='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated'
	testfailureequal "$WANTED" aptget install apt -dy
}
74
# Expect the install of the new apt version (5808 kB) to be refused: the
# package cannot be authenticated and -y was given without
# --allow-unauthenticated.
# NOTE(review): the expected text appears to be compared verbatim; leading
# whitespace inside it may have been lost in this listing -- verify against
# real apt output.
failaptnew() {
	local WANTED='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated'
	testfailureequal "$WANTED" aptget install apt -dy
}
88
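# Fake our downloadable file: an empty .deb is enough because the scenarios
# only run download-only installs.
touch aptarchive/apt.deb

# The Packages fixture sits next to this script and carries the script's name
# with the "test-" prefix replaced by "Packages-". basename's output is piped
# to sed directly; the extra echo around it was redundant.
PKGFILE="${TESTDIR}/$(basename "$0" | sed 's#^test-#Packages-#')"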
93
# Run "apt-get update" with acquire and gpgv debugging enabled, expecting it to
# finish with warnings, then require that the captured output contains a line
# matching the extended regular expression in $1.
updatewithwarnings() {
	local WARNING_REGEX="$1"
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	testsuccess grep -E "$WARNING_REGEX" rootdir/tmp/testwarning.output
}
98
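# Walk through the signature scenarios for one archive layout.
#   $1 - name of the signature file deleted from the archive after each
#        signing step (runtest3 passes 'InRelease' and 'Release.gpg')
# "Cold" scenarios wipe rootdir/var/lib/apt/lists first; "warm" scenarios keep
# the lists left behind by the previous scenario.
runtest() {
	local DELETEFILE="$1"
	# Trusted signer, empty cache: update succeeds and the old version downloads.
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	# Trusted signer, existing cache: the newer index replaces the old one.
	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	# Expired key, empty cache: the key is installed as trusted, yet the update
	# must warn with KEYEXPIRED and the install must be refused as
	# unauthenticated even though the index content is readable.
	msgmsg 'Cold archive signed by' 'Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* KEYEXPIRED'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	# Two signatures, one from an unknown key: the update output must mention
	# NO_PUBKEY, but the update and the install are still expected to succeed.
	msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate 'NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	# Two signatures, one from an expired key: the update output must mention
	# EXPKEYSIG, but the update and the install are still expected to succeed.
	msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack,Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	successfulaptgetupdate 'EXPKEYSIG'
	rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	# Only an unknown key signed: NO_PUBKEY warning and a refused install.
	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	failaptold

	# Despite the label, this scenario expects the newer index signed by the
	# trusted key to be accepted on top of the unauthenticated lists.
	msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	# Back to a clean, trusted state holding the old index.
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	# A newer index signed only by an unknown key must not replace verified
	# data: after the NO_PUBKEY warning the cache still shows the OLD index and
	# the old version still installs.
	msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
	prepare "${PKGFILE}-new"
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	# Same for a newer index signed only by an expired key: KEYEXPIRED warning,
	# old verified index kept.
	msgmsg 'Good warm archive signed by' 'Rex Expired'
	prepare "${PKGFILE}-new"
	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
	signreleasefiles 'Rex Expired'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* KEYEXPIRED'
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

	# NOTE(review): signreleasefiles is called without a signer here; going by
	# the label it presumably defaults to Joe Sixpack -- confirm in the framework.
	msgmsg 'Good warm archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}-new"
	signreleasefiles
	find aptarchive/ -name "$DELETEFILE" -delete
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	installaptnew

	# signed-by with a keyring path: every deb/deb-src line is pinned to
	# Marvin's key file, so an archive signed by Marvin verifies even though
	# that key is not in trusted.gpg.d.
	msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
	# NOTE(review): the path is interpolated into a sed expression that uses '#'
	# as delimiter; a checkout path containing '#' would break the substitution.
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold

	# With the source still pinned to Marvin's keyring, a signature from the
	# otherwise trusted Joe Sixpack must be reported as NO_PUBKEY.
	msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* NO_PUBKEY'

	# Undo the keyring pin, then reuse MARVIN for the key's fingerprint.
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
	# The keyring path is quoted so a checkout path containing whitespace stays
	# a single argument to aptkey.
	local MARVIN="$(aptkey --keyring "$MARVIN" finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"

	# signed-by with a fingerprint: the key itself is placed in trusted.gpg.d
	# and the source is pinned to its fingerprint.
	msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Marvin Paranoid'
	find aptarchive/ -name "$DELETEFILE" -delete
	sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
	cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
	successfulaptgetupdate
	testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
	installaptold
	rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg

	# With the source pinned to Marvin's fingerprint, a signature from Joe
	# Sixpack must be reported as "public key is not available".
	msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	find aptarchive/ -name "$DELETEFILE" -delete
	updatewithwarnings '^W: .* be verified because the public key is not available: .*'

	# Remove the fingerprint pin so later scenarios start from plain sources.
	sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
}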
254
# Check that an archive which loses its signature, or never had one, is
# detected. Takes no arguments.
runtest2() {
	# Start from a correctly signed archive so verified lists are on disk.
	msgmsg 'Cold archive signed by' 'Joe Sixpack'
	prepare "${PKGFILE}"
	rm -rf rootdir/var/lib/apt/lists
	signreleasefiles 'Joe Sixpack'
	successfulaptgetupdate

	# New .deb but now an unsigned archive. For example MITM to circumvent
	# package verification.
	# Both signature carriers (InRelease and Release.gpg) are removed. The
	# update must warn that the repository is no longer signed, and although the
	# new index is readable the install must be refused as unauthenticated.
	msgmsg 'Warm archive signed by' 'nobody'
	prepare "${PKGFILE}-new"
	find aptarchive/ -name InRelease -delete
	find aptarchive/ -name Release.gpg -delete
	updatewithwarnings 'W: .* no longer signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew

	# Unsigned archive from the beginning must also be detected.
	# The archive is left as it is; only the local lists are wiped, so the
	# warning changes from "no longer signed" to "is not signed".
	msgmsg 'Cold archive signed by' 'nobody'
	rm -rf rootdir/var/lib/apt/lists
	updatewithwarnings 'W: .* is not signed.'
	testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
	failaptnew
}
281
# Give the digest named by APT_TESTS_DIGEST_ALGO the trust state $1 in apt's
# configuration, then run every scenario against it.
#   $1 - trust state to configure (this script passes 'Trusted' and 'Weak')
runtest3() {
	local TRUSTSTATEFILE='rootdir/etc/apt/apt.conf.d/truststate'
	echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > "$TRUSTSTATEFILE"

	# Unsigned-archive checks first.
	msgmsg "Running base test with $1 digest"
	runtest2

	# Then the full key scenarios, once per signature file that gets removed.
	for DELETEFILE in 'InRelease' 'Release.gpg'
	do
		msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
		runtest "$DELETEFILE"
	done
}
292
293 # diable some protection by default and ensure we still do the verification
294 # correctly
295 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
296 Acquire::AllowInsecureRepositories "1";
297 Acquire::AllowDowngradeToInsecureRepositories "1";
298 EOF
299 # the hash marked as configureable in our gpgv method
300 export APT_TESTS_DIGEST_ALGO='SHA224'
301
# Variant used while the digest is trusted: "apt-get update" must succeed.
#   $1 - optional pattern that must appear in the update output
successfulaptgetupdate() {
	testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -z "$1" ]; then
		return 0
	fi
	# Keep a copy of the output before the next testsuccess call runs.
	cp rootdir/tmp/testsuccess.output aptupdate.output
	testsuccess grep "$1" aptupdate.output
}
309 runtest3 'Trusted'
310
# Variant used while the digest is marked weak: "apt-get update" is expected to
# finish with warnings, one of which names the weak digest algorithm.
#   $1 - optional pattern that must also appear in the update output
successfulaptgetupdate() {
	local WARNLOG='rootdir/tmp/testwarning.output'
	testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
	if [ -n "$1" ]
	then
		testsuccess grep "$1" "$WARNLOG"
	fi
	testsuccess grep 'uses weak digest algorithm' "$WARNLOG"
}
318 runtest3 'Weak'
319
320 msgmsg "Running test with apt-untrusted digest"
321 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
# Scenarios in which signature verification is expected to fail. Runs once per
# deleted signature file ('InRelease', then 'Release.gpg'). Takes no arguments.
runfailure() {
	for DELETEFILE in 'InRelease' 'Release.gpg'; do
		# Signed by Joe Sixpack: with insecure repositories disallowed the update
		# must fail and report invalid signatures, and testnopackage is run for
		# 'apt' (presumably asserting the package is unknown -- confirm).
		msgmsg 'Cold archive signed by' 'Joe Sixpack'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Joe Sixpack'
		find aptarchive/ -name "$DELETEFILE" -delete
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
		testnopackage 'apt'
		# With insecure repositories allowed the update only warns, but the
		# install must still be refused as unauthenticated.
		testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		failaptold

		# Signed by the unknown key: strict update fails, the permissive update
		# warns with NO_PUBKEY, the index is readable, the install is refused.
		msgmsg 'Cold archive signed by' 'Marvin Paranoid'
		prepare "${PKGFILE}"
		rm -rf rootdir/var/lib/apt/lists
		signreleasefiles 'Marvin Paranoid'
		find aptarchive/ -name "$DELETEFILE" -delete
		testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
		testnopackage 'apt'
		updatewithwarnings '^W: .* NO_PUBKEY'
		testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
		failaptold
	done
}
348 runfailure
349
350 msgmsg "Running test with gpgv-untrusted digest"
351 export APT_TESTS_DIGEST_ALGO='MD5'
352 runfailure