]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
tests: don't use hardcoded port for http and https
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR=$(readlink -f $(dirname $0))
5 . $TESTDIR/framework
6
7 setupenvironment
8 configarchitecture "i386"
9
10 buildaptarchive
11 setupflataptarchive
12 changetowebserver
13
14 webserverconfig 'aptwebserver::support::range' 'false'
15
16 prepare() {
17 local DATE="${2:-now}"
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
26 touch -d 'now - 1 year' "$release"
27 done
28 aptget clean
29 cp "$1" aptarchive/Packages
30 find aptarchive -name 'Release' -delete
31 compressfile 'aptarchive/Packages' "$DATE"
32 generatereleasefiles "$DATE"
33 }
34
35 installaptold() {
36 testsuccessequal "Reading package lists...
37 Building dependency tree...
38 Suggested packages:
39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
40 The following NEW packages will be installed:
41 apt
42 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43 After this operation, 5370 kB of additional disk space will be used.
44 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45 Download complete and in download only mode" aptget install apt -dy
46 }
47
48 installaptnew() {
49 testsuccessequal "Reading package lists...
50 Building dependency tree...
51 Suggested packages:
52 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
53 The following NEW packages will be installed:
54 apt
55 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
56 After this operation, 5808 kB of additional disk space will be used.
57 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
58 Download complete and in download only mode" aptget install apt -dy
59 }
60
61 failaptold() {
62 testfailureequal 'Reading package lists...
63 Building dependency tree...
64 Suggested packages:
65 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
66 The following NEW packages will be installed:
67 apt
68 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
69 After this operation, 5370 kB of additional disk space will be used.
70 WARNING: The following packages cannot be authenticated!
71 apt
72 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
73 }
74
75 failaptnew() {
76 testfailureequal 'Reading package lists...
77 Building dependency tree...
78 Suggested packages:
79 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
80 The following NEW packages will be installed:
81 apt
82 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
83 After this operation, 5808 kB of additional disk space will be used.
84 WARNING: The following packages cannot be authenticated!
85 apt
86 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
87 }
88
89 # fake our downloadable file
90 touch aptarchive/apt.deb
91
92 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
93
94 updatewithwarnings() {
95 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
96 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
97 }
98
99 runtest() {
100 prepare "${PKGFILE}"
101 rm -rf rootdir/var/lib/apt/lists
102 signreleasefiles 'Joe Sixpack'
103 find aptarchive/ -name "$DELETEFILE" -delete
104 msgmsg 'Cold archive signed by' 'Joe Sixpack'
105 testsuccess aptget update
106 testsuccessequal "$(cat "${PKGFILE}")
107 " aptcache show apt
108 installaptold
109
110 prepare "${PKGFILE}-new"
111 signreleasefiles 'Joe Sixpack'
112 find aptarchive/ -name "$DELETEFILE" -delete
113 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
114 testsuccess aptget update
115 testsuccessequal "$(cat "${PKGFILE}-new")
116 " aptcache show apt
117 installaptnew
118
119 prepare "${PKGFILE}"
120 rm -rf rootdir/var/lib/apt/lists
121 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
122 signreleasefiles 'Rex Expired'
123 find aptarchive/ -name "$DELETEFILE" -delete
124 msgmsg 'Cold archive signed by' 'Rex Expired'
125 updatewithwarnings '^W: .* KEYEXPIRED'
126 testsuccessequal "$(cat "${PKGFILE}")
127 " aptcache show apt
128 failaptold
129 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
130
131 prepare "${PKGFILE}"
132 rm -rf rootdir/var/lib/apt/lists
133 signreleasefiles 'Marvin Paranoid'
134 find aptarchive/ -name "$DELETEFILE" -delete
135 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
136 updatewithwarnings '^W: .* NO_PUBKEY'
137 testsuccessequal "$(cat "${PKGFILE}")
138 " aptcache show apt
139 failaptold
140
141 prepare "${PKGFILE}-new"
142 signreleasefiles 'Joe Sixpack'
143 find aptarchive/ -name "$DELETEFILE" -delete
144 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
145 testsuccess aptget update
146 testsuccessequal "$(cat "${PKGFILE}-new")
147 " aptcache show apt
148 installaptnew
149
150
151 prepare "${PKGFILE}"
152 rm -rf rootdir/var/lib/apt/lists
153 signreleasefiles 'Joe Sixpack'
154 find aptarchive/ -name "$DELETEFILE" -delete
155 msgmsg 'Cold archive signed by' 'Joe Sixpack'
156 testsuccess aptget update
157 testsuccessequal "$(cat "${PKGFILE}")
158 " aptcache show apt
159 installaptold
160
161 prepare "${PKGFILE}-new"
162 signreleasefiles 'Marvin Paranoid'
163 find aptarchive/ -name "$DELETEFILE" -delete
164 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
165 updatewithwarnings '^W: .* NO_PUBKEY'
166 testsuccessequal "$(cat "${PKGFILE}")
167 " aptcache show apt
168 installaptold
169
170 prepare "${PKGFILE}-new"
171 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
172 signreleasefiles 'Rex Expired'
173 find aptarchive/ -name "$DELETEFILE" -delete
174 msgmsg 'Good warm archive signed by' 'Rex Expired'
175 updatewithwarnings '^W: .* KEYEXPIRED'
176 testsuccessequal "$(cat "${PKGFILE}")
177 " aptcache show apt
178 installaptold
179 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
180
181 prepare "${PKGFILE}-new"
182 signreleasefiles
183 find aptarchive/ -name "$DELETEFILE" -delete
184 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
185 testsuccess aptget update
186 testsuccessequal "$(cat "${PKGFILE}-new")
187 " aptcache show apt
188 installaptnew
189
190 prepare "${PKGFILE}"
191 rm -rf rootdir/var/lib/apt/lists
192 signreleasefiles 'Marvin Paranoid'
193 find aptarchive/ -name "$DELETEFILE" -delete
194 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
195 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
196 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
197 testsuccess aptget update -o Debug::pkgAcquire::Worker=1
198 testsuccessequal "$(cat "${PKGFILE}")
199 " aptcache show apt
200 installaptold
201
202 rm -rf rootdir/var/lib/apt/lists
203 signreleasefiles 'Joe Sixpack'
204 find aptarchive/ -name "$DELETEFILE" -delete
205 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
206 updatewithwarnings '^W: .* NO_PUBKEY'
207
208 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
209 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
210
211 prepare "${PKGFILE}"
212 rm -rf rootdir/var/lib/apt/lists
213 signreleasefiles 'Marvin Paranoid'
214 find aptarchive/ -name "$DELETEFILE" -delete
215 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
216 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
217 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
218 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
219 testsuccessequal "$(cat "${PKGFILE}")
220 " aptcache show apt
221 installaptold
222 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
223
224 rm -rf rootdir/var/lib/apt/lists
225 signreleasefiles 'Joe Sixpack'
226 find aptarchive/ -name "$DELETEFILE" -delete
227 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
228 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
229
230 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
231 }
232
233 runtest2() {
234 prepare "${PKGFILE}"
235 rm -rf rootdir/var/lib/apt/lists
236 signreleasefiles 'Joe Sixpack'
237 msgmsg 'Cold archive signed by' 'Joe Sixpack'
238 testsuccess aptget update
239
240 # New .deb but now an unsigned archive. For example MITM to circumvent
241 # package verification.
242 prepare "${PKGFILE}-new"
243 find aptarchive/ -name InRelease -delete
244 find aptarchive/ -name Release.gpg -delete
245 msgmsg 'Warm archive signed by' 'nobody'
246 updatewithwarnings 'W: .* no longer signed.'
247 testsuccessequal "$(cat "${PKGFILE}-new")
248 " aptcache show apt
249 failaptnew
250
251 # Unsigned archive from the beginning must also be detected.
252 rm -rf rootdir/var/lib/apt/lists
253 msgmsg 'Cold archive signed by' 'nobody'
254 updatewithwarnings 'W: .* is not signed.'
255 testsuccessequal "$(cat "${PKGFILE}-new")
256 " aptcache show apt
257 failaptnew
258 }
259
260 # diable some protection by default and ensure we still do the verification
261 # correctly
262 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
263 Acquire::AllowInsecureRepositories "1";
264 Acquire::AllowDowngradeToInsecureRepositories "1";
265 EOF
266
267 msgmsg "Running base test"
268 runtest2
269
270 DELETEFILE="InRelease"
271 msgmsg "Running test with deletion of $DELETEFILE"
272 runtest
273
274 DELETEFILE="Release.gpg"
275 msgmsg "Running test with deletion of $DELETEFILE"
276 runtest