4 TESTDIR
="$(readlink -f "$(dirname "$0")")"
8 configarchitecture "i386
"
10 export APT_DONT_SIGN='Release.gpg'
15 webserverconfig 'aptwebserver::support::range' 'false'
18 local DATE="${2:-now}"
19 if [ "$DATE" = 'now' ]; then
20 if [ "$1" = "${PKGFILE}-new" ]; then
26 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
27 touch -d 'now - 1 year' "$release"
30 cp "$1" aptarchive/Packages
31 find aptarchive -name 'Release' -delete
32 compressfile 'aptarchive/Packages' "$DATE"
33 generatereleasefiles "$DATE" 'now + 1 month'
37 rm -rf rootdir/var/cache/apt/archives
38 testsuccessequal "Reading package lists...
39 Building dependency tree...
41 aptitude
| synaptic
| wajig dpkg
-dev apt
-doc bzip2 lzma python
-apt
42 The following NEW packages will be installed
:
44 0 upgraded
, 1 newly installed
, 0 to remove and
0 not upgraded.
45 After this operation
, 5370 kB of additional disk space will be used.
46 Get
:1 http
://localhost
:${APTHTTPPORT} apt
0.7.25.3
47 Download complete and
in download only mode
" aptget install apt -dy
51 rm -rf rootdir/var/cache/apt/archives
52 testsuccessequal "Reading package lists...
53 Building dependency tree...
55 aptitude
| synaptic
| wajig dpkg
-dev apt
-doc bzip2 lzma python
-apt
56 The following NEW packages will be installed
:
58 0 upgraded
, 1 newly installed
, 0 to remove and
0 not upgraded.
59 After this operation
, 5808 kB of additional disk space will be used.
60 Get
:1 http
://localhost
:${APTHTTPPORT} apt
0.8.0~pre1
61 Download complete and
in download only mode
" aptget install apt -dy
65 testfailureequal 'Reading package lists...
66 Building dependency tree...
68 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
69 The following NEW packages will be installed:
71 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
72 After this operation, 5370 kB of additional disk space will be used.
73 WARNING: The following packages cannot be authenticated!
75 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
79 testfailureequal 'Reading package lists...
80 Building dependency tree...
82 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
83 The following NEW packages will be installed:
85 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
86 After this operation, 5808 kB of additional disk space will be used.
87 WARNING: The following packages cannot be authenticated!
89 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
92 # fake our downloadable file
93 touch aptarchive/apt.deb
95 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
97 updatewithwarnings
() {
98 testwarning aptget update
-o Debug
::pkgAcquire
::Worker
=1 -o Debug
::Acquire
::gpgv
=1
99 testsuccess
grep -E "$1" rootdir
/tmp
/testwarning.output
103 msgmsg
'Cold archive signed by' 'Joe Sixpack'
105 rm -rf rootdir
/var
/lib
/apt
/lists
106 signreleasefiles
'Joe Sixpack'
107 successfulaptgetupdate
108 testsuccessequal
"$(cat "${PKGFILE}")
112 msgmsg
'Good warm archive signed by' 'Joe Sixpack'
113 prepare
"${PKGFILE}-new"
114 signreleasefiles
'Joe Sixpack'
115 successfulaptgetupdate
116 testsuccessequal
"$(cat "${PKGFILE}-new")
120 msgmsg
'Cold archive signed by' 'Rex Expired'
122 rm -rf rootdir
/var
/lib
/apt
/lists
123 cp keys
/rexexpired.pub rootdir
/etc
/apt
/trusted.gpg.d
/rexexpired.gpg
124 signreleasefiles
'Rex Expired'
125 updatewithwarnings
'^W: .* EXPKEYSIG'
126 testsuccessequal
"$(cat "${PKGFILE}")
129 rm -f rootdir
/etc
/apt
/trusted.gpg.d
/rexexpired.gpg
131 msgmsg
'Cold archive expired signed by' 'Joe Sixpack'
132 if dpkg
--compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev
/null
2>&1; then
133 touch rootdir
/etc
/apt
/apt.conf.d
/99gnupg2
134 elif gpg2
--version >/dev
/null
2>&1; then
135 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir
/etc
/apt
/apt.conf.d
/99gnupg2
136 if ! dpkg
--compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev
/null
2>&1; then
137 rm rootdir
/etc
/apt
/apt.conf.d
/99gnupg2
140 if [ -e rootdir
/etc
/apt
/apt.conf.d
/99gnupg2
]; then
142 rm -rf rootdir
/var
/lib
/apt
/lists
143 signreleasefiles
'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
144 updatewithwarnings
'^W: .* EXPSIG'
145 testsuccessequal
"$(cat "${PKGFILE}")
148 rm -f rootdir
/etc
/apt
/apt.conf.d
/99gnupg2
150 msgskip
'Not a new enough gpg available providing --fake-system-time'
153 msgmsg
'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
155 rm -rf rootdir
/var
/lib
/apt
/lists
156 signreleasefiles
'Joe Sixpack,Marvin Paranoid'
157 successfulaptgetupdate
'NO_PUBKEY'
158 testsuccessequal
"$(cat "${PKGFILE}")
162 msgmsg
'Cold archive signed by' 'Joe Sixpack,Rex Expired'
164 rm -rf rootdir
/var
/lib
/apt
/lists
165 signreleasefiles
'Joe Sixpack,Rex Expired'
166 cp keys
/rexexpired.pub rootdir
/etc
/apt
/trusted.gpg.d
/rexexpired.gpg
167 successfulaptgetupdate
'EXPKEYSIG'
168 rm -f rootdir
/etc
/apt
/trusted.gpg.d
/rexexpired.gpg
169 testsuccessequal
"$(cat "${PKGFILE}")
173 msgmsg
'Cold archive signed by' 'Marvin Paranoid'
175 rm -rf rootdir
/var
/lib
/apt
/lists
176 signreleasefiles
'Marvin Paranoid'
177 updatewithwarnings
'^W: .* NO_PUBKEY'
178 testsuccessequal
"$(cat "${PKGFILE}")
182 msgmsg
'Bad warm archive signed by' 'Joe Sixpack'
183 prepare
"${PKGFILE}-new"
184 signreleasefiles
'Joe Sixpack'
185 successfulaptgetupdate
186 testsuccessequal
"$(cat "${PKGFILE}-new")
190 msgmsg
'Cold archive signed by' 'Joe Sixpack'
192 rm -rf rootdir
/var
/lib
/apt
/lists
193 signreleasefiles
'Joe Sixpack'
194 successfulaptgetupdate
195 testsuccessequal
"$(cat "${PKGFILE}")
199 msgmsg
'Good warm archive signed by' 'Marvin Paranoid'
200 prepare
"${PKGFILE}-new"
201 signreleasefiles
'Marvin Paranoid'
202 updatewithwarnings
'^W: .* NO_PUBKEY'
203 testsuccessequal
"$(cat "${PKGFILE}")
207 msgmsg
'Good warm archive signed by' 'Rex Expired'
208 prepare
"${PKGFILE}-new"
209 cp keys
/rexexpired.pub rootdir
/etc
/apt
/trusted.gpg.d
/rexexpired.gpg
210 signreleasefiles
'Rex Expired'
211 updatewithwarnings
'^W: .* EXPKEYSIG'
212 testsuccessequal
"$(cat "${PKGFILE}")
215 rm rootdir
/etc
/apt
/trusted.gpg.d
/rexexpired.gpg
217 msgmsg
'Good warm archive signed by' 'Joe Sixpack'
218 prepare
"${PKGFILE}-new"
220 successfulaptgetupdate
221 testsuccessequal
"$(cat "${PKGFILE}-new")
225 msgmsg
'Cold archive signed by good keyring' 'Marvin Paranoid'
227 rm -rf rootdir
/var
/lib
/apt
/lists
228 signreleasefiles
'Marvin Paranoid'
229 local MARVIN
="$(readlink -f keys/marvinparanoid.pub)"
230 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir
/etc
/apt
/sources.list.d
/*
231 successfulaptgetupdate
232 testsuccessequal
"$(cat "${PKGFILE}")
236 msgmsg
'Cold archive signed by bad keyring' 'Joe Sixpack'
237 rm -rf rootdir
/var
/lib
/apt
/lists
238 signreleasefiles
'Joe Sixpack'
239 updatewithwarnings
'^W: .* NO_PUBKEY'
240 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir
/etc
/apt
/sources.list.d
/*
242 local MARVIN
="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
243 msgmsg
'Cold archive signed by bad keyid' 'Joe Sixpack'
244 rm -rf rootdir
/var
/lib
/apt
/lists
245 signreleasefiles
'Joe Sixpack'
246 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir
/etc
/apt
/sources.list.d
/*
247 updatewithwarnings
'^W: .* be verified because the public key is not available: .*'
249 msgmsg
'Cold archive signed by good keyid' 'Marvin Paranoid'
250 rm -rf rootdir
/var
/lib
/apt
/lists
251 signreleasefiles
'Marvin Paranoid'
252 cp keys
/marvinparanoid.pub rootdir
/etc
/apt
/trusted.gpg.d
/marvinparanoid.gpg
253 successfulaptgetupdate
254 testsuccessequal
"$(cat "${PKGFILE}")
258 msgmsg
'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
259 rm -rf rootdir
/var
/lib
/apt
/lists
260 signreleasefiles
'Marvin Paranoid,Joe Sixpack'
261 successfulaptgetupdate
'NoPubKey: GOODSIG'
262 testsuccessequal
"$(cat "${PKGFILE}")
266 local SIXPACK
="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
267 msgmsg
'Cold archive signed by good keyids' 'Joe Sixpack'
268 rm -rf rootdir
/var
/lib
/apt
/lists
269 signreleasefiles
'Joe Sixpack'
270 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir
/etc
/apt
/sources.list.d
/*
271 successfulaptgetupdate
272 testsuccessequal
"$(cat "${PKGFILE}")
276 local SIXPACK
="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
277 msgmsg
'Cold archive signed by good keyids' 'Joe Sixpack'
278 rm -rf rootdir
/var
/lib
/apt
/lists
279 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir
/etc
/apt
/sources.list.d
/*
280 successfulaptgetupdate
281 testsuccessequal
"$(cat "${PKGFILE}")
284 rm -f rootdir
/etc
/apt
/trusted.gpg.d
/marvinparanoid.gpg
285 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir
/etc
/apt
/sources.list.d
/*
287 rm -rf rootdir
/var
/lib
/apt
/lists
-bak
288 cp -a rootdir
/var
/lib
/apt
/lists rootdir
/var
/lib
/apt
/lists
-bak
289 prepare
"${PKGFILE}-new"
290 signreleasefiles
'Joe Sixpack'
292 msgmsg
'Warm archive with signed-by' 'Joe Sixpack'
293 sed -i "/^Valid-Until: / a\
294 Signed-By: ${SIXPACK}" rootdir
/var
/lib
/apt
/lists
/*Release
295 touch -d 'now - 1 year' rootdir
/var
/lib
/apt
/lists
/*Release
296 successfulaptgetupdate
297 testsuccessequal
"$(cat "${PKGFILE}-new")
301 msgmsg
'Warm archive with signed-by' 'Marvin Paranoid'
302 rm -rf rootdir
/var
/lib
/apt
/lists
303 cp -a rootdir
/var
/lib
/apt
/lists
-bak rootdir
/var
/lib
/apt
/lists
304 sed -i "/^Valid-Until: / a\
305 Signed-By: ${MARVIN}" rootdir
/var
/lib
/apt
/lists
/*Release
306 touch -d 'now - 1 year' rootdir
/var
/lib
/apt
/lists
/*Release
307 updatewithwarnings
'W: .* public key is not available: GOODSIG'
308 testsuccessequal
"$(cat "${PKGFILE}")
312 msgmsg
'Warm archive with outdated signed-by' 'Marvin Paranoid'
313 rm -rf rootdir
/var
/lib
/apt
/lists
314 cp -a rootdir
/var
/lib
/apt
/lists
-bak rootdir
/var
/lib
/apt
/lists
315 sed -i "/^Valid-Until: / a\
316 Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
317 Signed-By: ${MARVIN}" rootdir
/var
/lib
/apt
/lists
/*Release
318 touch -d 'now - 1 year' rootdir
/var
/lib
/apt
/lists
/*Release
319 successfulaptgetupdate
320 testsuccessequal
"$(cat "${PKGFILE}-new")
324 msgmsg
'Warm archive with two signed-bys' 'Joe Sixpack'
325 rm -rf rootdir
/var
/lib
/apt
/lists
326 cp -a rootdir
/var
/lib
/apt
/lists
-bak rootdir
/var
/lib
/apt
/lists
327 sed -i "/^Valid-Until: / a\
328 Signed-By: ${MARVIN} ${MARVIN}, \\
329 ${SIXPACK}" rootdir
/var
/lib
/apt
/lists
/*Release
330 touch -d 'now - 1 year' rootdir
/var
/lib
/apt
/lists
/*Release
331 successfulaptgetupdate
332 testsuccessequal
"$(cat "${PKGFILE}-new")
338 msgmsg
'Cold archive signed by' 'Joe Sixpack'
340 rm -rf rootdir
/var
/lib
/apt
/lists
341 signreleasefiles
'Joe Sixpack'
342 successfulaptgetupdate
344 # New .deb, but the archive is now unsigned: for example, a MITM stripping
345 # the signatures to circumvent package verification.
346 msgmsg
'Warm archive signed by' 'nobody'
347 prepare
"${PKGFILE}-new"
348 find aptarchive
/ \
( -name InRelease
-o -name Release.gpg \
) -delete
349 updatewithwarnings
'W: .* no longer signed.'
350 testsuccessequal
"$(cat "${PKGFILE}-new")
354 # An archive that is unsigned from the beginning must also be detected.
355 msgmsg
'Cold archive signed by' 'nobody'
356 rm -rf rootdir
/var
/lib
/apt
/lists
357 updatewithwarnings
'W: .* is not signed.'
358 testsuccessequal
"$(cat "${PKGFILE}-new")
364 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir
/etc
/apt
/apt.conf.d
/truststate
365 msgmsg
"Running base test with $1 digest"
368 for DELETEFILE
in 'InRelease' 'Release.gpg'; do
369 export APT_DONT_SIGN
="$DELETEFILE"
370 msgmsg
"Running test with deletion of $DELETEFILE and $1 digest"
372 export APT_DONT_SIGN
='Release.gpg'
376 # disable some protection by default and ensure we still do the verification
378 cat > rootdir
/etc
/apt
/apt.conf.d
/weaken
-security <<EOF
379 Acquire::AllowInsecureRepositories "1";
380 Acquire::AllowDowngradeToInsecureRepositories "1";
382 # the hash marked as configurable in our gpgv method
383 export APT_TESTS_DIGEST_ALGO
='SHA224'
385 successfulaptgetupdate
() {
386 testsuccess aptget update
-o Debug
::pkgAcquire
::Worker
=1 -o Debug
::Acquire
::gpgv
=1
388 cp rootdir
/tmp
/testsuccess.output aptupdate.output
389 testsuccess
grep "$1" aptupdate.output
394 successfulaptgetupdate
() {
395 testwarning aptget update
-o Debug
::pkgAcquire
::Worker
=1 -o Debug
::Acquire
::gpgv
=1
397 testsuccess
grep "$1" rootdir
/tmp
/testwarning.output
399 testsuccess
grep 'uses weak digest algorithm' rootdir
/tmp
/testwarning.output
403 msgmsg
"Running test with apt-untrusted digest"
404 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir
/etc
/apt
/apt.conf.d
/truststate
406 for DELETEFILE
in 'InRelease' 'Release.gpg'; do
407 export APT_DONT_SIGN
="$DELETEFILE"
408 msgmsg
'Cold archive signed by' 'Joe Sixpack'
410 rm -rf rootdir
/var
/lib
/apt
/lists
411 signreleasefiles
'Joe Sixpack'
412 testfailure aptget update
--no-allow-insecure-repositories -o Debug
::pkgAcquire
::Worker
=1 -o Debug
::Acquire
::gpgv
=1
413 testsuccess
grep 'The following signatures were invalid' rootdir
/tmp
/testfailure.output
415 testwarning aptget update
--allow-insecure-repositories -o Debug
::pkgAcquire
::Worker
=1 -o Debug
::Acquire
::gpgv
=1
417 rm -rf rootdir
/var
/lib
/apt
/lists
418 sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir
/etc
/apt
/sources.list.d
/*
419 testwarning aptget update
--no-allow-insecure-repositories -o Debug
::pkgAcquire
::Worker
=1 -o Debug
::Acquire
::gpgv
=1
421 sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir
/etc
/apt
/sources.list.d
/*
423 msgmsg
'Cold archive signed by' 'Marvin Paranoid'
425 rm -rf rootdir
/var
/lib
/apt
/lists
426 signreleasefiles
'Marvin Paranoid'
427 testfailure aptget update
--no-allow-insecure-repositories -o Debug
::pkgAcquire
::Worker
=1 -o Debug
::Acquire
::gpgv
=1
429 updatewithwarnings
'^W: .* NO_PUBKEY'
430 testsuccessequal
"$(cat "${PKGFILE}")
433 export APT_DONT_SIGN
='Release.gpg'
438 msgmsg
"Running test with gpgv-untrusted digest"
439 export APT_TESTS_DIGEST_ALGO
='MD5'