test/integration/test-releasefile-verification

   1 #!/bin/sh
   2 set -e
   3
   4 TESTDIR="$(readlink -f "$(dirname "$0")")"
   5 . "$TESTDIR/framework"
   6
   7 setupenvironment
   8 configarchitecture "i386"
   9
  10 buildaptarchive
  11 setupflataptarchive
  12 changetowebserver
  13
  14 webserverconfig 'aptwebserver::support::range' 'false'
  15
  16 prepare() {
  17         local DATE="${2:-now}"
  18         if [ "$DATE" = 'now' ]; then
  19                 if [ "$1" = "${PKGFILE}-new" ]; then
  20                         DATE='now - 1 day'
  21                 else
  22                         DATE='now - 7 day'
  23                 fi
  24         fi
  25         for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  26                 touch -d 'now - 1 year' "$release"
  27         done
  28         aptget clean
  29         cp "$1" aptarchive/Packages
  30         find aptarchive -name 'Release' -delete
  31         compressfile 'aptarchive/Packages' "$DATE"
  32         generatereleasefiles "$DATE"
  33 }
  34
  35 installaptold() {
  36         testsuccessequal "Reading package lists...
  37 Building dependency tree...
  38 Suggested packages:
  39   aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  40 The following NEW packages will be installed:
  41   apt
  42 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  43 After this operation, 5370 kB of additional disk space will be used.
  44 Get:1 http://localhost:${APTHTTPPORT}  apt 0.7.25.3
  45 Download complete and in download only mode" aptget install apt -dy
  46 }
  47
  48 installaptnew() {
  49         testsuccessequal "Reading package lists...
  50 Building dependency tree...
  51 Suggested packages:
  52   aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  53 The following NEW packages will be installed:
  54   apt
  55 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  56 After this operation, 5808 kB of additional disk space will be used.
  57 Get:1 http://localhost:${APTHTTPPORT}  apt 0.8.0~pre1
  58 Download complete and in download only mode" aptget install apt -dy
  59 }
  60
  61 failaptold() {
  62         testfailureequal 'Reading package lists...
  63 Building dependency tree...
  64 Suggested packages:
  65   aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  66 The following NEW packages will be installed:
  67   apt
  68 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  69 After this operation, 5370 kB of additional disk space will be used.
  70 WARNING: The following packages cannot be authenticated!
  71   apt
  72 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  73 }
  74
  75 failaptnew() {
  76         testfailureequal 'Reading package lists...
  77 Building dependency tree...
  78 Suggested packages:
  79   aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  80 The following NEW packages will be installed:
  81   apt
  82 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  83 After this operation, 5808 kB of additional disk space will be used.
  84 WARNING: The following packages cannot be authenticated!
  85   apt
  86 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  87 }
  88
  89 # fake our downloadable file
  90 touch aptarchive/apt.deb
  91
  92 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  93
  94 updatewithwarnings() {
  95         testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  96         testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  97 }
  98
  99 runtest() {
 100         msgmsg 'Cold archive signed by' 'Joe Sixpack'
 101         prepare "${PKGFILE}"
 102         rm -rf rootdir/var/lib/apt/lists
 103         signreleasefiles 'Joe Sixpack'
 104         find aptarchive/ -name "$DELETEFILE" -delete
 105         successfulaptgetupdate
 106         testsuccessequal "$(cat "${PKGFILE}")
 107 " aptcache show apt
 108         installaptold
 109
 110         msgmsg 'Good warm archive signed by' 'Joe Sixpack'
 111         prepare "${PKGFILE}-new"
 112         signreleasefiles 'Joe Sixpack'
 113         find aptarchive/ -name "$DELETEFILE" -delete
 114         successfulaptgetupdate
 115         testsuccessequal "$(cat "${PKGFILE}-new")
 116 " aptcache show apt
 117         installaptnew
 118
 119         msgmsg 'Cold archive signed by' 'Rex Expired'
 120         prepare "${PKGFILE}"
 121         rm -rf rootdir/var/lib/apt/lists
 122         cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 123         signreleasefiles 'Rex Expired'
 124         find aptarchive/ -name "$DELETEFILE" -delete
 125         updatewithwarnings '^W: .* KEYEXPIRED'
 126         testsuccessequal "$(cat "${PKGFILE}")
 127 " aptcache show apt
 128         failaptold
 129         rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 130
 131         msgmsg 'Cold archive signed by' 'Marvin Paranoid'
 132         prepare "${PKGFILE}"
 133         rm -rf rootdir/var/lib/apt/lists
 134         signreleasefiles 'Marvin Paranoid'
 135         find aptarchive/ -name "$DELETEFILE" -delete
 136         updatewithwarnings '^W: .* NO_PUBKEY'
 137         testsuccessequal "$(cat "${PKGFILE}")
 138 " aptcache show apt
 139         failaptold
 140
 141         msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
 142         prepare "${PKGFILE}-new"
 143         signreleasefiles 'Joe Sixpack'
 144         find aptarchive/ -name "$DELETEFILE" -delete
 145         successfulaptgetupdate
 146         testsuccessequal "$(cat "${PKGFILE}-new")
 147 " aptcache show apt
 148         installaptnew
 149
 150         msgmsg 'Cold archive signed by' 'Joe Sixpack'
 151         prepare "${PKGFILE}"
 152         rm -rf rootdir/var/lib/apt/lists
 153         signreleasefiles 'Joe Sixpack'
 154         find aptarchive/ -name "$DELETEFILE" -delete
 155         successfulaptgetupdate
 156         testsuccessequal "$(cat "${PKGFILE}")
 157 " aptcache show apt
 158         installaptold
 159
 160         msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
 161         prepare "${PKGFILE}-new"
 162         signreleasefiles 'Marvin Paranoid'
 163         find aptarchive/ -name "$DELETEFILE" -delete
 164         updatewithwarnings '^W: .* NO_PUBKEY'
 165         testsuccessequal "$(cat "${PKGFILE}")
 166 " aptcache show apt
 167         installaptold
 168
 169         msgmsg 'Good warm archive signed by' 'Rex Expired'
 170         prepare "${PKGFILE}-new"
 171         cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 172         signreleasefiles 'Rex Expired'
 173         find aptarchive/ -name "$DELETEFILE" -delete
 174         updatewithwarnings '^W: .* KEYEXPIRED'
 175         testsuccessequal "$(cat "${PKGFILE}")
 176 " aptcache show apt
 177         installaptold
 178         rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 179
 180         msgmsg 'Good warm archive signed by' 'Joe Sixpack'
 181         prepare "${PKGFILE}-new"
 182         signreleasefiles
 183         find aptarchive/ -name "$DELETEFILE" -delete
 184         successfulaptgetupdate
 185         testsuccessequal "$(cat "${PKGFILE}-new")
 186 " aptcache show apt
 187         installaptnew
 188
 189         msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
 190         prepare "${PKGFILE}"
 191         rm -rf rootdir/var/lib/apt/lists
 192         signreleasefiles 'Marvin Paranoid'
 193         find aptarchive/ -name "$DELETEFILE" -delete
 194         local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
 195         sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
 196         successfulaptgetupdate
 197         testsuccessequal "$(cat "${PKGFILE}")
 198 " aptcache show apt
 199         installaptold
 200
 201         msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
 202         rm -rf rootdir/var/lib/apt/lists
 203         signreleasefiles 'Joe Sixpack'
 204         find aptarchive/ -name "$DELETEFILE" -delete
 205         updatewithwarnings '^W: .* NO_PUBKEY'
 206
 207         sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
 208         local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
 209
 210         msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
 211         prepare "${PKGFILE}"
 212         rm -rf rootdir/var/lib/apt/lists
 213         signreleasefiles 'Marvin Paranoid'
 214         find aptarchive/ -name "$DELETEFILE" -delete
 215         sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
 216         cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
 217         successfulaptgetupdate
 218         testsuccessequal "$(cat "${PKGFILE}")
 219 " aptcache show apt
 220         installaptold
 221         rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
 222
 223         msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
 224         rm -rf rootdir/var/lib/apt/lists
 225         signreleasefiles 'Joe Sixpack'
 226         find aptarchive/ -name "$DELETEFILE" -delete
 227         updatewithwarnings '^W: .* be verified because the public key is not available: .*'
 228
 229         sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
 230 }
 231
 232 runtest2() {
 233         msgmsg 'Cold archive signed by' 'Joe Sixpack'
 234         prepare "${PKGFILE}"
 235         rm -rf rootdir/var/lib/apt/lists
 236         signreleasefiles 'Joe Sixpack'
 237         successfulaptgetupdate
 238
 239         # New .deb but now an unsigned archive. For example MITM to circumvent
 240         # package verification.
 241         msgmsg 'Warm archive signed by' 'nobody'
 242         prepare "${PKGFILE}-new"
 243         find aptarchive/ -name InRelease -delete
 244         find aptarchive/ -name Release.gpg -delete
 245         updatewithwarnings 'W: .* no longer signed.'
 246         testsuccessequal "$(cat "${PKGFILE}-new")
 247 " aptcache show apt
 248         failaptnew
 249
 250         # Unsigned archive from the beginning must also be detected.
 251         msgmsg 'Cold archive signed by' 'nobody'
 252         rm -rf rootdir/var/lib/apt/lists
 253         updatewithwarnings 'W: .* is not signed.'
 254         testsuccessequal "$(cat "${PKGFILE}-new")
 255 " aptcache show apt
 256         failaptnew
 257 }
 258
 259 runtest3() {
 260         export APT_TESTS_DIGEST_ALGO="$1"
 261         msgmsg "Running base test with digest $1"
 262         runtest2
 263
 264         DELETEFILE="InRelease"
 265         msgmsg "Running test with deletion of $DELETEFILE and digest $1"
 266         runtest
 267
 268         DELETEFILE="Release.gpg"
 269         msgmsg "Running test with deletion of $DELETEFILE and digest $1"
 270         runtest
 271
 272         unset APT_TESTS_DIGEST_ALGO
 273 }
 274
 275 # diable some protection by default and ensure we still do the verification
 276 # correctly
 277 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
 278 Acquire::AllowInsecureRepositories "1";
 279 Acquire::AllowDowngradeToInsecureRepositories "1";
 280 EOF
 281
 282 # an all-round good hash
 283 successfulaptgetupdate() {
 284         testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
 285 }
 286 runtest3 'SHA512'
 287
 288 # a hash we consider weak and therefore warn about
 289 rm -f rootdir/etc/apt/apt.conf.d/no-sha1
 290 successfulaptgetupdate() {
 291         testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
 292         testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
 293 }
 294 runtest3 'SHA1'