]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
projects / apt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: allow to disable generation of InRelease/Release.gpg file
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 buildaptarchive
11 setupflataptarchive
12 changetowebserver
13
14 webserverconfig 'aptwebserver::support::range' 'false'
15
16 prepare() {
17 local DATE="${2:-now}"
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
26 touch -d 'now - 1 year' "$release"
27 done
28 aptget clean
29 cp "$1" aptarchive/Packages
30 find aptarchive -name 'Release' -delete
31 compressfile 'aptarchive/Packages' "$DATE"
32 generatereleasefiles "$DATE" 'now + 1 month'
33 }
34
35 installaptold() {
36 rm -rf rootdir/var/cache/apt/archives
37 testsuccessequal "Reading package lists...
38 Building dependency tree...
39 Suggested packages:
40 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
41 The following NEW packages will be installed:
42 apt
43 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
44 After this operation, 5370 kB of additional disk space will be used.
45 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
46 Download complete and in download only mode" aptget install apt -dy
47 }
48
49 installaptnew() {
50 rm -rf rootdir/var/cache/apt/archives
51 testsuccessequal "Reading package lists...
52 Building dependency tree...
53 Suggested packages:
54 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
55 The following NEW packages will be installed:
56 apt
57 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
58 After this operation, 5808 kB of additional disk space will be used.
59 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
60 Download complete and in download only mode" aptget install apt -dy
61 }
62
63 failaptold() {
64 testfailureequal 'Reading package lists...
65 Building dependency tree...
66 Suggested packages:
67 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
68 The following NEW packages will be installed:
69 apt
70 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
71 After this operation, 5370 kB of additional disk space will be used.
72 WARNING: The following packages cannot be authenticated!
73 apt
74 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
75 }
76
77 failaptnew() {
78 testfailureequal 'Reading package lists...
79 Building dependency tree...
80 Suggested packages:
81 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
82 The following NEW packages will be installed:
83 apt
84 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
85 After this operation, 5808 kB of additional disk space will be used.
86 WARNING: The following packages cannot be authenticated!
87 apt
88 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
89 }
90
91 # fake our downloadable file
92 touch aptarchive/apt.deb
93
94 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
95
96 updatewithwarnings() {
97 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
98 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
99 }
100
101 runtest() {
102 msgmsg 'Cold archive signed by' 'Joe Sixpack'
103 prepare "${PKGFILE}"
104 rm -rf rootdir/var/lib/apt/lists
105 signreleasefiles 'Joe Sixpack'
106 successfulaptgetupdate
107 testsuccessequal "$(cat "${PKGFILE}")
108 " aptcache show apt
109 installaptold
110
111 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
112 prepare "${PKGFILE}-new"
113 signreleasefiles 'Joe Sixpack'
114 successfulaptgetupdate
115 testsuccessequal "$(cat "${PKGFILE}-new")
116 " aptcache show apt
117 installaptnew
118
119 msgmsg 'Cold archive signed by' 'Rex Expired'
120 prepare "${PKGFILE}"
121 rm -rf rootdir/var/lib/apt/lists
122 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
123 signreleasefiles 'Rex Expired'
124 updatewithwarnings '^W: .* EXPKEYSIG'
125 testsuccessequal "$(cat "${PKGFILE}")
126 " aptcache show apt
127 failaptold
128 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
129
130 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
131 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
132 touch rootdir/etc/apt/apt.conf.d/99gnupg2
133 elif gpg2 --version >/dev/null 2>&1; then
134 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
135 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
136 rm rootdir/etc/apt/apt.conf.d/99gnupg2
137 fi
138 fi
139 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
140 prepare "${PKGFILE}"
141 rm -rf rootdir/var/lib/apt/lists
142 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
143 updatewithwarnings '^W: .* EXPSIG'
144 testsuccessequal "$(cat "${PKGFILE}")
145 " aptcache show apt
146 failaptold
147 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
148 else
149 msgskip 'Not a new enough gpg available providing --fake-system-time'
150 fi
151
152 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
153 prepare "${PKGFILE}"
154 rm -rf rootdir/var/lib/apt/lists
155 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
156 successfulaptgetupdate 'NO_PUBKEY'
157 testsuccessequal "$(cat "${PKGFILE}")
158 " aptcache show apt
159 installaptold
160
161 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
162 prepare "${PKGFILE}"
163 rm -rf rootdir/var/lib/apt/lists
164 signreleasefiles 'Joe Sixpack,Rex Expired'
165 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
166 successfulaptgetupdate 'EXPKEYSIG'
167 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
168 testsuccessequal "$(cat "${PKGFILE}")
169 " aptcache show apt
170 installaptold
171
172 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
173 prepare "${PKGFILE}"
174 rm -rf rootdir/var/lib/apt/lists
175 signreleasefiles 'Marvin Paranoid'
176 updatewithwarnings '^W: .* NO_PUBKEY'
177 testsuccessequal "$(cat "${PKGFILE}")
178 " aptcache show apt
179 failaptold
180
181 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
182 prepare "${PKGFILE}-new"
183 signreleasefiles 'Joe Sixpack'
184 successfulaptgetupdate
185 testsuccessequal "$(cat "${PKGFILE}-new")
186 " aptcache show apt
187 installaptnew
188
189 msgmsg 'Cold archive signed by' 'Joe Sixpack'
190 prepare "${PKGFILE}"
191 rm -rf rootdir/var/lib/apt/lists
192 signreleasefiles 'Joe Sixpack'
193 successfulaptgetupdate
194 testsuccessequal "$(cat "${PKGFILE}")
195 " aptcache show apt
196 installaptold
197
198 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
199 prepare "${PKGFILE}-new"
200 signreleasefiles 'Marvin Paranoid'
201 updatewithwarnings '^W: .* NO_PUBKEY'
202 testsuccessequal "$(cat "${PKGFILE}")
203 " aptcache show apt
204 installaptold
205
206 msgmsg 'Good warm archive signed by' 'Rex Expired'
207 prepare "${PKGFILE}-new"
208 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
209 signreleasefiles 'Rex Expired'
210 updatewithwarnings '^W: .* EXPKEYSIG'
211 testsuccessequal "$(cat "${PKGFILE}")
212 " aptcache show apt
213 installaptold
214 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
215
216 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
217 prepare "${PKGFILE}-new"
218 signreleasefiles
219 successfulaptgetupdate
220 testsuccessequal "$(cat "${PKGFILE}-new")
221 " aptcache show apt
222 installaptnew
223
224 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
225 prepare "${PKGFILE}"
226 rm -rf rootdir/var/lib/apt/lists
227 signreleasefiles 'Marvin Paranoid'
228 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
229 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
230 successfulaptgetupdate
231 testsuccessequal "$(cat "${PKGFILE}")
232 " aptcache show apt
233 installaptold
234
235 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
236 rm -rf rootdir/var/lib/apt/lists
237 signreleasefiles 'Joe Sixpack'
238 updatewithwarnings '^W: .* NO_PUBKEY'
239 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
240
241 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
242 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
243 rm -rf rootdir/var/lib/apt/lists
244 signreleasefiles 'Joe Sixpack'
245 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
246 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
247
248 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
249 rm -rf rootdir/var/lib/apt/lists
250 signreleasefiles 'Marvin Paranoid'
251 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
252 successfulaptgetupdate
253 testsuccessequal "$(cat "${PKGFILE}")
254 " aptcache show apt
255 installaptold
256
257 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
258 rm -rf rootdir/var/lib/apt/lists
259 signreleasefiles 'Marvin Paranoid,Joe Sixpack'
260 successfulaptgetupdate 'NoPubKey: GOODSIG'
261 testsuccessequal "$(cat "${PKGFILE}")
262 " aptcache show apt
263 installaptold
264
265 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
266 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
267 rm -rf rootdir/var/lib/apt/lists
268 signreleasefiles 'Joe Sixpack'
269 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
270 successfulaptgetupdate
271 testsuccessequal "$(cat "${PKGFILE}")
272 " aptcache show apt
273 installaptold
274
275 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
276 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
277 rm -rf rootdir/var/lib/apt/lists
278 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
279 successfulaptgetupdate
280 testsuccessequal "$(cat "${PKGFILE}")
281 " aptcache show apt
282 installaptold
283 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
284 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
285
286 rm -rf rootdir/var/lib/apt/lists-bak
287 cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
288 prepare "${PKGFILE}-new"
289 signreleasefiles 'Joe Sixpack'
290
291 msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
292 sed -i "/^Valid-Until: / a\
293 Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
294 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
295 successfulaptgetupdate
296 testsuccessequal "$(cat "${PKGFILE}-new")
297 " aptcache show apt
298 installaptnew
299
300 msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
301 rm -rf rootdir/var/lib/apt/lists
302 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
303 sed -i "/^Valid-Until: / a\
304 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
305 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
306 updatewithwarnings 'W: .* public key is not available: GOODSIG'
307 testsuccessequal "$(cat "${PKGFILE}")
308 " aptcache show apt
309 installaptold
310
311 msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
312 rm -rf rootdir/var/lib/apt/lists
313 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
314 sed -i "/^Valid-Until: / a\
315 Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
316 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
317 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
318 successfulaptgetupdate
319 testsuccessequal "$(cat "${PKGFILE}-new")
320 " aptcache show apt
321 installaptnew
322
323 msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
324 rm -rf rootdir/var/lib/apt/lists
325 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
326 sed -i "/^Valid-Until: / a\
327 Signed-By: ${MARVIN} ${MARVIN}, \\
328 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
329 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
330 successfulaptgetupdate
331 testsuccessequal "$(cat "${PKGFILE}-new")
332 " aptcache show apt
333 installaptnew
334 }
335
336 runtest2() {
337 msgmsg 'Cold archive signed by' 'Joe Sixpack'
338 prepare "${PKGFILE}"
339 rm -rf rootdir/var/lib/apt/lists
340 signreleasefiles 'Joe Sixpack'
341 successfulaptgetupdate
342
343 # New .deb but now an unsigned archive. For example MITM to circumvent
344 # package verification.
345 msgmsg 'Warm archive signed by' 'nobody'
346 prepare "${PKGFILE}-new"
347 find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
348 updatewithwarnings 'W: .* no longer signed.'
349 testsuccessequal "$(cat "${PKGFILE}-new")
350 " aptcache show apt
351 failaptnew
352
353 # Unsigned archive from the beginning must also be detected.
354 msgmsg 'Cold archive signed by' 'nobody'
355 rm -rf rootdir/var/lib/apt/lists
356 updatewithwarnings 'W: .* is not signed.'
357 testsuccessequal "$(cat "${PKGFILE}-new")
358 " aptcache show apt
359 failaptnew
360 }
361
362 runtest3() {
363 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
364 msgmsg "Running base test with $1 digest"
365 runtest2
366
367 for DELETEFILE in 'InRelease' 'Release.gpg'; do
368 export APT_DONT_SIGN="$DELETEFILE"
369 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
370 runtest
371 unset APT_DONT_SIGN
372 done
373 }
374
375 # diable some protection by default and ensure we still do the verification
376 # correctly
377 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
378 Acquire::AllowInsecureRepositories "1";
379 Acquire::AllowDowngradeToInsecureRepositories "1";
380 EOF
381 # the hash marked as configureable in our gpgv method
382 export APT_TESTS_DIGEST_ALGO='SHA224'
383
384 successfulaptgetupdate() {
385 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
386 if [ -n "$1" ]; then
387 cp rootdir/tmp/testsuccess.output aptupdate.output
388 testsuccess grep "$1" aptupdate.output
389 fi
390 }
391 runtest3 'Trusted'
392
393 successfulaptgetupdate() {
394 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
395 if [ -n "$1" ]; then
396 testsuccess grep "$1" rootdir/tmp/testwarning.output
397 fi
398 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
399 }
400 runtest3 'Weak'
401
402 msgmsg "Running test with apt-untrusted digest"
403 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
404 runfailure() {
405 for DELETEFILE in 'InRelease' 'Release.gpg'; do
406 export APT_DONT_SIGN="$DELETEFILE"
407 msgmsg 'Cold archive signed by' 'Joe Sixpack'
408 prepare "${PKGFILE}"
409 rm -rf rootdir/var/lib/apt/lists
410 signreleasefiles 'Joe Sixpack'
411 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
412 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
413 testnopackage 'apt'
414 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
415 failaptold
416
417 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
418 prepare "${PKGFILE}"
419 rm -rf rootdir/var/lib/apt/lists
420 signreleasefiles 'Marvin Paranoid'
421 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
422 testnopackage 'apt'
423 updatewithwarnings '^W: .* NO_PUBKEY'
424 testsuccessequal "$(cat "${PKGFILE}")
425 " aptcache show apt
426 failaptold
427 unset APT_DONT_SIGN
428 done
429 }
430 runfailure
431
432 msgmsg "Running test with gpgv-untrusted digest"
433 export APT_TESTS_DIGEST_ALGO='MD5'
434 runfailure
APT (for Cydia)