]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
5da0a829254fdc6cf89c354fe3211c62e24253a9
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 buildaptarchive
11 setupflataptarchive
12 changetowebserver
13
14 webserverconfig 'aptwebserver::support::range' 'false'
15
16 prepare() {
17 local DATE="${2:-now}"
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
26 touch -d 'now - 1 year' "$release"
27 done
28 aptget clean
29 cp "$1" aptarchive/Packages
30 find aptarchive -name 'Release' -delete
31 compressfile 'aptarchive/Packages' "$DATE"
32 generatereleasefiles "$DATE"
33 }
34
35 installaptold() {
36 testsuccessequal "Reading package lists...
37 Building dependency tree...
38 Suggested packages:
39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
40 The following NEW packages will be installed:
41 apt
42 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43 After this operation, 5370 kB of additional disk space will be used.
44 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45 Download complete and in download only mode" aptget install apt -dy
46 }
47
48 installaptnew() {
49 testsuccessequal "Reading package lists...
50 Building dependency tree...
51 Suggested packages:
52 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
53 The following NEW packages will be installed:
54 apt
55 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
56 After this operation, 5808 kB of additional disk space will be used.
57 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
58 Download complete and in download only mode" aptget install apt -dy
59 }
60
61 failaptold() {
62 testfailureequal 'Reading package lists...
63 Building dependency tree...
64 Suggested packages:
65 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
66 The following NEW packages will be installed:
67 apt
68 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
69 After this operation, 5370 kB of additional disk space will be used.
70 WARNING: The following packages cannot be authenticated!
71 apt
72 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
73 }
74
75 failaptnew() {
76 testfailureequal 'Reading package lists...
77 Building dependency tree...
78 Suggested packages:
79 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
80 The following NEW packages will be installed:
81 apt
82 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
83 After this operation, 5808 kB of additional disk space will be used.
84 WARNING: The following packages cannot be authenticated!
85 apt
86 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
87 }
88
89 # fake our downloadable file
90 touch aptarchive/apt.deb
91
92 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
93
94 updatewithwarnings() {
95 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
96 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
97 }
98
99 runtest() {
100 local DELETEFILE="$1"
101 msgmsg 'Cold archive signed by' 'Joe Sixpack'
102 prepare "${PKGFILE}"
103 rm -rf rootdir/var/lib/apt/lists
104 signreleasefiles 'Joe Sixpack'
105 find aptarchive/ -name "$DELETEFILE" -delete
106 successfulaptgetupdate
107 testsuccessequal "$(cat "${PKGFILE}")
108 " aptcache show apt
109 installaptold
110
111 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
112 prepare "${PKGFILE}-new"
113 signreleasefiles 'Joe Sixpack'
114 find aptarchive/ -name "$DELETEFILE" -delete
115 successfulaptgetupdate
116 testsuccessequal "$(cat "${PKGFILE}-new")
117 " aptcache show apt
118 installaptnew
119
120 msgmsg 'Cold archive signed by' 'Rex Expired'
121 prepare "${PKGFILE}"
122 rm -rf rootdir/var/lib/apt/lists
123 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
124 signreleasefiles 'Rex Expired'
125 find aptarchive/ -name "$DELETEFILE" -delete
126 updatewithwarnings '^W: .* EXPKEYSIG'
127 testsuccessequal "$(cat "${PKGFILE}")
128 " aptcache show apt
129 failaptold
130 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
131
132 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
133 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
134 touch rootdir/etc/apt/apt.conf.d/99gnupg2
135 elif gpg2 --version >/dev/null 2>&1; then
136 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
137 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
138 rm rootdir/etc/apt/apt.conf.d/99gnupg2
139 fi
140 fi
141 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
142 prepare "${PKGFILE}"
143 rm -rf rootdir/var/lib/apt/lists
144 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
145 find aptarchive/ -name "$DELETEFILE" -delete
146 updatewithwarnings '^W: .* EXPSIG'
147 testsuccessequal "$(cat "${PKGFILE}")
148 " aptcache show apt
149 failaptold
150 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
151 else
152 msgskip 'Not a new enough gpg available providing --fake-system-time'
153 fi
154
155 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
156 prepare "${PKGFILE}"
157 rm -rf rootdir/var/lib/apt/lists
158 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
159 find aptarchive/ -name "$DELETEFILE" -delete
160 successfulaptgetupdate 'NO_PUBKEY'
161 testsuccessequal "$(cat "${PKGFILE}")
162 " aptcache show apt
163 installaptold
164
165 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
166 prepare "${PKGFILE}"
167 rm -rf rootdir/var/lib/apt/lists
168 signreleasefiles 'Joe Sixpack,Rex Expired'
169 find aptarchive/ -name "$DELETEFILE" -delete
170 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
171 successfulaptgetupdate 'EXPKEYSIG'
172 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
173 testsuccessequal "$(cat "${PKGFILE}")
174 " aptcache show apt
175 installaptold
176
177 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
178 prepare "${PKGFILE}"
179 rm -rf rootdir/var/lib/apt/lists
180 signreleasefiles 'Marvin Paranoid'
181 find aptarchive/ -name "$DELETEFILE" -delete
182 updatewithwarnings '^W: .* NO_PUBKEY'
183 testsuccessequal "$(cat "${PKGFILE}")
184 " aptcache show apt
185 failaptold
186
187 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
188 prepare "${PKGFILE}-new"
189 signreleasefiles 'Joe Sixpack'
190 find aptarchive/ -name "$DELETEFILE" -delete
191 successfulaptgetupdate
192 testsuccessequal "$(cat "${PKGFILE}-new")
193 " aptcache show apt
194 installaptnew
195
196 msgmsg 'Cold archive signed by' 'Joe Sixpack'
197 prepare "${PKGFILE}"
198 rm -rf rootdir/var/lib/apt/lists
199 signreleasefiles 'Joe Sixpack'
200 find aptarchive/ -name "$DELETEFILE" -delete
201 successfulaptgetupdate
202 testsuccessequal "$(cat "${PKGFILE}")
203 " aptcache show apt
204 installaptold
205
206 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
207 prepare "${PKGFILE}-new"
208 signreleasefiles 'Marvin Paranoid'
209 find aptarchive/ -name "$DELETEFILE" -delete
210 updatewithwarnings '^W: .* NO_PUBKEY'
211 testsuccessequal "$(cat "${PKGFILE}")
212 " aptcache show apt
213 installaptold
214
215 msgmsg 'Good warm archive signed by' 'Rex Expired'
216 prepare "${PKGFILE}-new"
217 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
218 signreleasefiles 'Rex Expired'
219 find aptarchive/ -name "$DELETEFILE" -delete
220 updatewithwarnings '^W: .* EXPKEYSIG'
221 testsuccessequal "$(cat "${PKGFILE}")
222 " aptcache show apt
223 installaptold
224 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
225
226 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
227 prepare "${PKGFILE}-new"
228 signreleasefiles
229 find aptarchive/ -name "$DELETEFILE" -delete
230 successfulaptgetupdate
231 testsuccessequal "$(cat "${PKGFILE}-new")
232 " aptcache show apt
233 installaptnew
234
235 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
236 prepare "${PKGFILE}"
237 rm -rf rootdir/var/lib/apt/lists
238 signreleasefiles 'Marvin Paranoid'
239 find aptarchive/ -name "$DELETEFILE" -delete
240 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
241 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
242 successfulaptgetupdate
243 testsuccessequal "$(cat "${PKGFILE}")
244 " aptcache show apt
245 installaptold
246
247 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
248 rm -rf rootdir/var/lib/apt/lists
249 signreleasefiles 'Joe Sixpack'
250 find aptarchive/ -name "$DELETEFILE" -delete
251 updatewithwarnings '^W: .* NO_PUBKEY'
252
253 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
254 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
255
256 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
257 prepare "${PKGFILE}"
258 rm -rf rootdir/var/lib/apt/lists
259 signreleasefiles 'Marvin Paranoid'
260 find aptarchive/ -name "$DELETEFILE" -delete
261 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
262 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
263 successfulaptgetupdate
264 testsuccessequal "$(cat "${PKGFILE}")
265 " aptcache show apt
266 installaptold
267 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
268
269 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
270 rm -rf rootdir/var/lib/apt/lists
271 signreleasefiles 'Joe Sixpack'
272 find aptarchive/ -name "$DELETEFILE" -delete
273 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
274
275 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
276 }
277
278 runtest2() {
279 msgmsg 'Cold archive signed by' 'Joe Sixpack'
280 prepare "${PKGFILE}"
281 rm -rf rootdir/var/lib/apt/lists
282 signreleasefiles 'Joe Sixpack'
283 successfulaptgetupdate
284
285 # New .deb but now an unsigned archive. For example MITM to circumvent
286 # package verification.
287 msgmsg 'Warm archive signed by' 'nobody'
288 prepare "${PKGFILE}-new"
289 find aptarchive/ -name InRelease -delete
290 find aptarchive/ -name Release.gpg -delete
291 updatewithwarnings 'W: .* no longer signed.'
292 testsuccessequal "$(cat "${PKGFILE}-new")
293 " aptcache show apt
294 failaptnew
295
296 # Unsigned archive from the beginning must also be detected.
297 msgmsg 'Cold archive signed by' 'nobody'
298 rm -rf rootdir/var/lib/apt/lists
299 updatewithwarnings 'W: .* is not signed.'
300 testsuccessequal "$(cat "${PKGFILE}-new")
301 " aptcache show apt
302 failaptnew
303 }
304
305 runtest3() {
306 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
307 msgmsg "Running base test with $1 digest"
308 runtest2
309
310 for DELETEFILE in 'InRelease' 'Release.gpg'; do
311 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
312 runtest "$DELETEFILE"
313 done
314 }
315
316 # diable some protection by default and ensure we still do the verification
317 # correctly
318 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
319 Acquire::AllowInsecureRepositories "1";
320 Acquire::AllowDowngradeToInsecureRepositories "1";
321 EOF
322 # the hash marked as configureable in our gpgv method
323 export APT_TESTS_DIGEST_ALGO='SHA224'
324
325 successfulaptgetupdate() {
326 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
327 if [ -n "$1" ]; then
328 cp rootdir/tmp/testsuccess.output aptupdate.output
329 testsuccess grep "$1" aptupdate.output
330 fi
331 }
332 runtest3 'Trusted'
333
334 successfulaptgetupdate() {
335 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
336 if [ -n "$1" ]; then
337 testsuccess grep "$1" rootdir/tmp/testwarning.output
338 fi
339 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
340 }
341 runtest3 'Weak'
342
343 msgmsg "Running test with apt-untrusted digest"
344 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
345 runfailure() {
346 for DELETEFILE in 'InRelease' 'Release.gpg'; do
347 msgmsg 'Cold archive signed by' 'Joe Sixpack'
348 prepare "${PKGFILE}"
349 rm -rf rootdir/var/lib/apt/lists
350 signreleasefiles 'Joe Sixpack'
351 find aptarchive/ -name "$DELETEFILE" -delete
352 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
353 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
354 testnopackage 'apt'
355 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
356 failaptold
357
358 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
359 prepare "${PKGFILE}"
360 rm -rf rootdir/var/lib/apt/lists
361 signreleasefiles 'Marvin Paranoid'
362 find aptarchive/ -name "$DELETEFILE" -delete
363 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
364 testnopackage 'apt'
365 updatewithwarnings '^W: .* NO_PUBKEY'
366 testsuccessequal "$(cat "${PKGFILE}")
367 " aptcache show apt
368 failaptold
369 done
370 }
371 runfailure
372
373 msgmsg "Running test with gpgv-untrusted digest"
374 export APT_TESTS_DIGEST_ALGO='MD5'
375 runfailure