3 # ensure we never fall back from a signed to an unsigned repo
5 # hash checks are done in
# Test fixture: deletes both signature files (InRelease and the detached
# Release.gpg) from the archive and overwrites the binary-i386 Packages index
# with an entry for an "evil" package, i.e. the archive state a client would
# see if signatures were stripped in transit. The final touch moves the index
# mtime one hour ahead (presumably so the rewritten file is not treated as
# unchanged -- confirm).
# NOTE(review): the gutter numbers skip inside the here-document, so some of
# its lines, including the terminator, are not visible in this listing.
9 simulate_mitm_and_inject_evil_package
()
11 rm -f $APTARCHIVE/dists
/unstable
/InRelease
12 rm -f $APTARCHIVE/dists
/unstable
/Release.gpg
18 cat > $APTARCHIVE/dists
/unstable
/main
/binary
-i386/Packages
<<EOF
21 Maintainer: Joe Sixpack <joe@example.org>
24 Filename: pool/evil_1.0_all.deb
26 Description: an autogenerated evil package
29 touch -d '+1hour' aptarchive
/dists
/unstable
/main
/binary
-i386/Packages
# Runs `aptget update -qq` and requires the exact "is no longer signed" error:
# a repository that was signed before must be refused, not silently accepted,
# once its signature is gone.
# NOTE(review): only the error check is visible here; the gutter numbers skip
# after it, so any follow-up check of the stored state is outside this listing.
32 assert_update_is_refused_and_last_good_state_used
()
34 testequal
"E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update
-qq
# Asserts that APT still works from the last good repository state: only
# foo 2.0 is listed, foo can be installed (simulated with -s), "evil" cannot
# be installed, and a signature file is still present in the lists directory.
39 assert_repo_is_intact
()
41 testequal
"foo/unstable 2.0 all" apt list
-q
42 testsuccess
"" aptget
install -y -s foo
43 testfailure
"" aptget
install -y evil
# The lists directory must still contain an InRelease or a Release.gpg file,
# i.e. the signed metadata from the last successful update was kept.
45 LISTDIR
=rootdir
/var
/lib
/apt
/lists
46 if ! ( ls $LISTDIR/*InRelease
>/dev
/null
2>&1 ||
47 ls $LISTDIR/*Release.gpg
>/dev
/null
2>&1 ); then
48 echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)"
# Builds the test archive without running an update (--no-update) and removes
# every file whose name starts with "_" from rootdir/var/lib/apt/lists
# (presumably the index files left by an earlier update -- confirm), so each
# test case starts from a clean lists directory.
53 setupaptarchive_with_lists_clean
()
55 setupaptarchive
--no-update
56 rm -f rootdir
/var
/lib
/apt
/lists
/_
*
57 #rm -rf rootdir/var/lib/apt/lists
# Case: the repository was signed via InRelease and then loses all signatures.
# A first update against the signed archive must succeed; after the signature
# files are removed and the index is altered, the next update must be refused.
60 test_from_inrelease_to_unsigned
()
62 # setup archive with InRelease file
63 setupaptarchive_with_lists_clean
64 testsuccess aptget update
66 simulate_mitm_and_inject_evil_package
67 assert_update_is_refused_and_last_good_state_used
# Case: the repository was signed via Release + detached Release.gpg (the
# InRelease file is deleted before the first update) and then loses its
# signature. The update after the tampering must be refused.
70 test_from_release_gpg_to_unsigned
()
72 # setup archive with Release/Release.gpg (but no InRelease)
73 setupaptarchive_with_lists_clean
74 rm $APTARCHIVE/dists
/unstable
/InRelease
75 testsuccess aptget update
77 simulate_mitm_and_inject_evil_package
78 assert_update_is_refused_and_last_good_state_used
# Case: the explicit opt-in path. With --allow-insecure-repositories and
# Acquire::AllowDowngradeToInsecureRepositories=1 the update to the now
# unsigned repository succeeds, but its packages remain unauthenticated, so a
# non-interactive install (-y without --force-yes) is still refused.
81 test_from_inrelease_to_unsigned_with_override
()
83 # setup archive with InRelease file
84 setupaptarchive_with_lists_clean
85 testsuccess aptget update
87 # simulate moving to an unsigned but otherwise valid repo
88 simulate_mitm_and_inject_evil_package
91 # and ensure we can update to it (with enough force)
92 testsuccess aptget update
--allow-insecure-repositories \
93 -o Acquire
::AllowDowngradeToInsecureRepositories
=1
94 # but that the individual packages are still considered untrusted
95 testequal
"WARNING: The following packages cannot be authenticated!
97 E: There are problems and -y was used without --force-yes" aptget
install -qq -y evil
# Regression scenario for CVE-2012-0214.
# NOTE(review): the function header for this body is not visible in this
# listing (the gutter numbers skip before line 102).
102 # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108
104 # it was possible to MITM the download so that InRelease/Release.gpg
105 # are not delivered (404) and an altered Release file was sent
107 # apt left the old InRelease file in /var/lib/apt/lists and downloaded
108 # the unauthenticated Release file too giving the false impression that
109 # Release was authenticated
111 # Note that this is pretty much impossible nowadays because:
112 # a) InRelease is left as is, not split to InRelease/Release as it was
114 # b) we refuse to go from signed->unsigned
116 # Still worth having a regression test that simulates the condition
118 # setup archive with InRelease
119 setupaptarchive_with_lists_clean
120 testsuccess aptget update
122 # do what CVE-2012-0214 did
123 rm $APTARCHIVE/dists
/unstable
/InRelease
124 rm $APTARCHIVE/dists
/unstable
/Release.gpg
126 # build valid Release file (left unsigned: both signature files were removed above)
127 aptftparchive
-qq release .
/aptarchive
> aptarchive
/dists
/unstable
/Release
129 assert_update_is_refused_and_last_good_state_used
131 # ensure there is no _Release file downloaded
132 testfailure
ls rootdir
/var
/lib
/apt
/lists
/*_Release
# Case: InRelease is replaced by a file without a cleartext signature (the
# plain Release file is moved over it). The update must report the fetch
# failure and the previously verified repository state must stay in use.
135 test_subvert_inrelease
()
137 # setup archive with InRelease
138 setupaptarchive_with_lists_clean
139 testsuccess aptget update
141 # replace InRelease with the unsigned Release file
142 mv $APTARCHIVE/dists
/unstable
/Release
$APTARCHIVE/dists
/unstable
/InRelease
144 testequal
"W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Does not start with a cleartext signature
146 E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
-qq
148 # ensure we keep the repo
149 assert_repo_is_intact
# Case: InRelease is still present but its content was modified after signing,
# so signature verification yields BADSIG. The update must warn, keep the
# previous index files, and must not store the modified InRelease.
152 test_inrelease_to_invalid_inrelease
()
154 # setup archive with InRelease
155 setupaptarchive_with_lists_clean
156 testsuccess aptget update
158 # now tamper with InRelease (rewrite its Codename) so that it no longer verifies
159 sed -i 's/Codename.*/Codename: evil!'/ $APTARCHIVE/dists
/unstable
/InRelease
162 testequal
"W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
164 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
166 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
-qq
168 # ensure we keep the repo
169 assert_repo_is_intact
# the modified Codename must not appear in the InRelease kept in the lists directory
170 testfailure
grep "evil" rootdir
/var
/lib
/apt
/lists
/*InRelease
# Case: the repository is signed via Release + Release.gpg and data is appended
# to Release after signing, so the detached signature yields BADSIG. The update
# must warn, keep the previous index files, and must not store the modified
# Release file.
173 test_release_gpg_to_invalid_release_release_gpg
()
175 # setup archive, then drop InRelease so only Release/Release.gpg remain
176 setupaptarchive_with_lists_clean
177 rm $APTARCHIVE/dists
/unstable
/InRelease
178 testsuccess aptget update
180 # now subvert Release so that it no longer verifies
181 echo "Some evil data" >> $APTARCHIVE/dists
/unstable
/Release
184 testequal
"W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable Release.gpg: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
186 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg
188 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
-qq
190 assert_repo_is_intact
# the appended data must not appear in any Release file kept in the lists directory
191 testfailure
grep "evil" rootdir
/var
/lib
/apt
/lists
/*Release
# Test driver: resolves the test directory, configures the i386 architecture,
# builds the single package foo 2.0, checks the untouched repository, then
# runs each signed->unsigned / invalid-signature case in turn.
# NOTE(review): the gutter numbers skip between these statements, so some
# driver lines (setup calls and at least one test invocation) are not visible
# in this listing.
195 TESTDIR
=$(readlink -f $(dirname $0))
199 configarchitecture
"i386"
201 # a "normal" package with source and binary
202 buildsimplenativepackage
'foo' 'all' '2.0'
204 # setup the archive and ensure we have a single package that installs fine
206 APTARCHIVE
=$(readlink -f ./aptarchive)
207 assert_repo_is_intact
209 # test the various cases where a repo may go from signed->unsigned
210 msgmsg
"test_from_inrelease_to_unsigned"
211 test_from_inrelease_to_unsigned
213 msgmsg
"test_from_release_gpg_to_unsigned"
214 test_from_release_gpg_to_unsigned
216 # ensure we do not regress on CVE-2012-0214
# NOTE(review): the call that should follow this msgmsg is not visible here.
217 msgmsg
"test_cve_2012_0214"
220 # ensure InRelease can not be subverted
221 msgmsg
"test_subvert_inrelease"
222 test_subvert_inrelease
224 # ensure we revert to last good state if InRelease does not verify
225 msgmsg
"test_inrelease_to_invalid_inrelease"
226 test_inrelease_to_invalid_inrelease
228 # ensure we revert to last good state if Release/Release.gpg does not verify
229 msgmsg
"test_release_gpg_to_invalid_release_release_gpg"
230 test_release_gpg_to_invalid_release_release_gpg
232 # ensure we can override the downgrade error
# NOTE(review): the label below repeats "test_from_inrelease_to_unsigned"
# although the function invoked is test_from_inrelease_to_unsigned_with_override,
# so the two runs cannot be told apart in the test output.
233 msgmsg
"test_from_inrelease_to_unsigned"
234 test_from_inrelease_to_unsigned_with_override