]> git.saurik.com Git - apt.git/blob - test/integration/test-apt-key-net-update
fix test/integration/test-apt-key-net-update
[apt.git] / test / integration / test-apt-key-net-update
1 #!/bin/sh
2 set -e
3
4 TESTDIR=$(readlink -f $(dirname $0))
5 . $TESTDIR/framework
6
7 setupenvironment
8 configarchitecture "i386"
9
10 # mock
11 requires_root() {
12 return 0
13 }
14
15 # extract net_update() and import it
16 func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key )
17 eval "$func"
18
19 mkdir -p ./etc/apt
20 TRUSTEDFILE=./etc/apt/trusted.gpg
21 mkdir -p ./var/lib/apt/keyrings
22 TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg
23 GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
24
25 # FIXME: instead of copying this use apt-key and the buildin apt webserver
26 # to do a real test
27
28 # COPYIED from apt-key.in --------------
29
30 # gpg needs a trustdb to function, but it can't be invalid (not even empty)
31 # so we create a temporary directory to store our fresh readable trustdb in
32 TRUSTDBDIR="$(mktemp -d)"
33 CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
34 trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
35 chmod 700 "$TRUSTDBDIR"
36 # We also don't use a secret keyring, of course, but gpg panics and
37 # implodes if there isn't one available - and writeable for imports
38 SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
39 touch $SECRETKEYRING
40 GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
41 GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
42 #----------------------------------------- END COPY
43
44 GPG="$GPG_CMD --keyring $TRUSTEDFILE"
45 MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg
46
47 msgtest "add_keys_with_verify_against_master_keyring"
48 if [ ! -e $MASTER_KEYRING ]; then
49 echo -n "No $MASTER_KEYRING found"
50 msgskip
51 exit 0
52 fi
53
54 # test bad keyring and ensure its not added (LP: #857472)
55 ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub
56 if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
57 msgfail
58 else
59 msgpass
60 fi
61
62 # ensure the keyring is still empty
63 gpg_out=$($GPG --list-keys)
64 msgtest "Test if keyring is empty"
65 if [ -n "" ]; then
66 msgfail
67 else
68 msgpass
69 fi
70
71
72 # test another possible attack vector using subkeys (LP: #1013128)
73 msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
74 ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
75 if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
76 msgfail
77 else
78 msgpass
79 fi
80
81 # ensure the keyring is still empty
82 gpg_out=$($GPG --list-keys)
83 msgtest "Test if keyring is empty"
84 if [ -n "" ]; then
85 msgfail
86 else
87 msgpass
88 fi
89
90
91 # test good keyring and ensure we get no errors
92 ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
93 if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
94 msgpass
95 else
96 msgfail
97 fi
98
99 testequal './etc/apt/trusted.gpg
100 ---------------------
101 pub 1024D/437D05B5 2004-09-12
102 uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
103 sub 2048g/79164387 2004-09-12
104
105 pub 1024D/FBB75451 2004-12-30
106 uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
107
108 pub 4096R/C0B21F32 2012-05-11
109 uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
110
111 pub 4096R/EFE21092 2012-05-11
112 uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
113 ' $GPG --list-keys
114