]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
projects / apt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add insecure (and weak) allow-options for sources.list
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 export APT_DONT_SIGN='Release.gpg'
11 buildaptarchive
12 setupflataptarchive
13 changetowebserver
14
15 webserverconfig 'aptwebserver::support::range' 'false'
16
17 prepare() {
18 local DATE="${2:-now}"
19 if [ "$DATE" = 'now' ]; then
20 if [ "$1" = "${PKGFILE}-new" ]; then
21 DATE='now - 1 day'
22 else
23 DATE='now - 7 day'
24 fi
25 fi
26 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
27 touch -d 'now - 1 year' "$release"
28 done
29 aptget clean
30 cp "$1" aptarchive/Packages
31 find aptarchive -name 'Release' -delete
32 compressfile 'aptarchive/Packages' "$DATE"
33 generatereleasefiles "$DATE" 'now + 1 month'
34 }
35
36 installaptold() {
37 rm -rf rootdir/var/cache/apt/archives
38 testsuccessequal "Reading package lists...
39 Building dependency tree...
40 Suggested packages:
41 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
42 The following NEW packages will be installed:
43 apt
44 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
45 After this operation, 5370 kB of additional disk space will be used.
46 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
47 Download complete and in download only mode" aptget install apt -dy
48 }
49
50 installaptnew() {
51 rm -rf rootdir/var/cache/apt/archives
52 testsuccessequal "Reading package lists...
53 Building dependency tree...
54 Suggested packages:
55 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
56 The following NEW packages will be installed:
57 apt
58 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
59 After this operation, 5808 kB of additional disk space will be used.
60 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
61 Download complete and in download only mode" aptget install apt -dy
62 }
63
64 failaptold() {
65 testfailureequal 'Reading package lists...
66 Building dependency tree...
67 Suggested packages:
68 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
69 The following NEW packages will be installed:
70 apt
71 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
72 After this operation, 5370 kB of additional disk space will be used.
73 WARNING: The following packages cannot be authenticated!
74 apt
75 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
76 }
77
78 failaptnew() {
79 testfailureequal 'Reading package lists...
80 Building dependency tree...
81 Suggested packages:
82 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
83 The following NEW packages will be installed:
84 apt
85 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
86 After this operation, 5808 kB of additional disk space will be used.
87 WARNING: The following packages cannot be authenticated!
88 apt
89 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
90 }
91
92 # fake our downloadable file
93 touch aptarchive/apt.deb
94
95 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
96
97 updatewithwarnings() {
98 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
99 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
100 }
101
102 runtest() {
103 msgmsg 'Cold archive signed by' 'Joe Sixpack'
104 prepare "${PKGFILE}"
105 rm -rf rootdir/var/lib/apt/lists
106 signreleasefiles 'Joe Sixpack'
107 successfulaptgetupdate
108 testsuccessequal "$(cat "${PKGFILE}")
109 " aptcache show apt
110 installaptold
111
112 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
113 prepare "${PKGFILE}-new"
114 signreleasefiles 'Joe Sixpack'
115 successfulaptgetupdate
116 testsuccessequal "$(cat "${PKGFILE}-new")
117 " aptcache show apt
118 installaptnew
119
120 msgmsg 'Cold archive signed by' 'Rex Expired'
121 prepare "${PKGFILE}"
122 rm -rf rootdir/var/lib/apt/lists
123 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
124 signreleasefiles 'Rex Expired'
125 updatewithwarnings '^W: .* EXPKEYSIG'
126 testsuccessequal "$(cat "${PKGFILE}")
127 " aptcache show apt
128 failaptold
129 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
130
131 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
132 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
133 touch rootdir/etc/apt/apt.conf.d/99gnupg2
134 elif gpg2 --version >/dev/null 2>&1; then
135 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
136 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
137 rm rootdir/etc/apt/apt.conf.d/99gnupg2
138 fi
139 fi
140 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
141 prepare "${PKGFILE}"
142 rm -rf rootdir/var/lib/apt/lists
143 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
144 updatewithwarnings '^W: .* EXPSIG'
145 testsuccessequal "$(cat "${PKGFILE}")
146 " aptcache show apt
147 failaptold
148 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
149 else
150 msgskip 'Not a new enough gpg available providing --fake-system-time'
151 fi
152
153 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
154 prepare "${PKGFILE}"
155 rm -rf rootdir/var/lib/apt/lists
156 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
157 successfulaptgetupdate 'NO_PUBKEY'
158 testsuccessequal "$(cat "${PKGFILE}")
159 " aptcache show apt
160 installaptold
161
162 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
163 prepare "${PKGFILE}"
164 rm -rf rootdir/var/lib/apt/lists
165 signreleasefiles 'Joe Sixpack,Rex Expired'
166 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
167 successfulaptgetupdate 'EXPKEYSIG'
168 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
169 testsuccessequal "$(cat "${PKGFILE}")
170 " aptcache show apt
171 installaptold
172
173 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
174 prepare "${PKGFILE}"
175 rm -rf rootdir/var/lib/apt/lists
176 signreleasefiles 'Marvin Paranoid'
177 updatewithwarnings '^W: .* NO_PUBKEY'
178 testsuccessequal "$(cat "${PKGFILE}")
179 " aptcache show apt
180 failaptold
181
182 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
183 prepare "${PKGFILE}-new"
184 signreleasefiles 'Joe Sixpack'
185 successfulaptgetupdate
186 testsuccessequal "$(cat "${PKGFILE}-new")
187 " aptcache show apt
188 installaptnew
189
190 msgmsg 'Cold archive signed by' 'Joe Sixpack'
191 prepare "${PKGFILE}"
192 rm -rf rootdir/var/lib/apt/lists
193 signreleasefiles 'Joe Sixpack'
194 successfulaptgetupdate
195 testsuccessequal "$(cat "${PKGFILE}")
196 " aptcache show apt
197 installaptold
198
199 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
200 prepare "${PKGFILE}-new"
201 signreleasefiles 'Marvin Paranoid'
202 updatewithwarnings '^W: .* NO_PUBKEY'
203 testsuccessequal "$(cat "${PKGFILE}")
204 " aptcache show apt
205 installaptold
206
207 msgmsg 'Good warm archive signed by' 'Rex Expired'
208 prepare "${PKGFILE}-new"
209 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
210 signreleasefiles 'Rex Expired'
211 updatewithwarnings '^W: .* EXPKEYSIG'
212 testsuccessequal "$(cat "${PKGFILE}")
213 " aptcache show apt
214 installaptold
215 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
216
217 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
218 prepare "${PKGFILE}-new"
219 signreleasefiles
220 successfulaptgetupdate
221 testsuccessequal "$(cat "${PKGFILE}-new")
222 " aptcache show apt
223 installaptnew
224
225 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
226 prepare "${PKGFILE}"
227 rm -rf rootdir/var/lib/apt/lists
228 signreleasefiles 'Marvin Paranoid'
229 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
230 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
231 successfulaptgetupdate
232 testsuccessequal "$(cat "${PKGFILE}")
233 " aptcache show apt
234 installaptold
235
236 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
237 rm -rf rootdir/var/lib/apt/lists
238 signreleasefiles 'Joe Sixpack'
239 updatewithwarnings '^W: .* NO_PUBKEY'
240 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
241
242 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
243 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
244 rm -rf rootdir/var/lib/apt/lists
245 signreleasefiles 'Joe Sixpack'
246 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
247 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
248
249 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
250 rm -rf rootdir/var/lib/apt/lists
251 signreleasefiles 'Marvin Paranoid'
252 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
253 successfulaptgetupdate
254 testsuccessequal "$(cat "${PKGFILE}")
255 " aptcache show apt
256 installaptold
257
258 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
259 rm -rf rootdir/var/lib/apt/lists
260 signreleasefiles 'Marvin Paranoid,Joe Sixpack'
261 successfulaptgetupdate 'NoPubKey: GOODSIG'
262 testsuccessequal "$(cat "${PKGFILE}")
263 " aptcache show apt
264 installaptold
265
266 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
267 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
268 rm -rf rootdir/var/lib/apt/lists
269 signreleasefiles 'Joe Sixpack'
270 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
271 successfulaptgetupdate
272 testsuccessequal "$(cat "${PKGFILE}")
273 " aptcache show apt
274 installaptold
275
276 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
277 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
278 rm -rf rootdir/var/lib/apt/lists
279 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
280 successfulaptgetupdate
281 testsuccessequal "$(cat "${PKGFILE}")
282 " aptcache show apt
283 installaptold
284 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
285 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
286
287 rm -rf rootdir/var/lib/apt/lists-bak
288 cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
289 prepare "${PKGFILE}-new"
290 signreleasefiles 'Joe Sixpack'
291
292 msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
293 sed -i "/^Valid-Until: / a\
294 Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
295 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
296 successfulaptgetupdate
297 testsuccessequal "$(cat "${PKGFILE}-new")
298 " aptcache show apt
299 installaptnew
300
301 msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
302 rm -rf rootdir/var/lib/apt/lists
303 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
304 sed -i "/^Valid-Until: / a\
305 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
306 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
307 updatewithwarnings 'W: .* public key is not available: GOODSIG'
308 testsuccessequal "$(cat "${PKGFILE}")
309 " aptcache show apt
310 installaptold
311
312 msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
313 rm -rf rootdir/var/lib/apt/lists
314 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
315 sed -i "/^Valid-Until: / a\
316 Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
317 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
318 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
319 successfulaptgetupdate
320 testsuccessequal "$(cat "${PKGFILE}-new")
321 " aptcache show apt
322 installaptnew
323
324 msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
325 rm -rf rootdir/var/lib/apt/lists
326 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
327 sed -i "/^Valid-Until: / a\
328 Signed-By: ${MARVIN} ${MARVIN}, \\
329 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
330 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
331 successfulaptgetupdate
332 testsuccessequal "$(cat "${PKGFILE}-new")
333 " aptcache show apt
334 installaptnew
335 }
336
337 runtest2() {
338 msgmsg 'Cold archive signed by' 'Joe Sixpack'
339 prepare "${PKGFILE}"
340 rm -rf rootdir/var/lib/apt/lists
341 signreleasefiles 'Joe Sixpack'
342 successfulaptgetupdate
343
344 # New .deb but now an unsigned archive. For example MITM to circumvent
345 # package verification.
346 msgmsg 'Warm archive signed by' 'nobody'
347 prepare "${PKGFILE}-new"
348 find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
349 updatewithwarnings 'W: .* no longer signed.'
350 testsuccessequal "$(cat "${PKGFILE}-new")
351 " aptcache show apt
352 failaptnew
353
354 # Unsigned archive from the beginning must also be detected.
355 msgmsg 'Cold archive signed by' 'nobody'
356 rm -rf rootdir/var/lib/apt/lists
357 updatewithwarnings 'W: .* is not signed.'
358 testsuccessequal "$(cat "${PKGFILE}-new")
359 " aptcache show apt
360 failaptnew
361 }
362
363 runtest3() {
364 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
365 msgmsg "Running base test with $1 digest"
366 runtest2
367
368 for DELETEFILE in 'InRelease' 'Release.gpg'; do
369 export APT_DONT_SIGN="$DELETEFILE"
370 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
371 runtest
372 export APT_DONT_SIGN='Release.gpg'
373 done
374 }
375
376 # diable some protection by default and ensure we still do the verification
377 # correctly
378 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
379 Acquire::AllowInsecureRepositories "1";
380 Acquire::AllowDowngradeToInsecureRepositories "1";
381 EOF
382 # the hash marked as configureable in our gpgv method
383 export APT_TESTS_DIGEST_ALGO='SHA224'
384
385 successfulaptgetupdate() {
386 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
387 if [ -n "$1" ]; then
388 cp rootdir/tmp/testsuccess.output aptupdate.output
389 testsuccess grep "$1" aptupdate.output
390 fi
391 }
392 runtest3 'Trusted'
393
394 successfulaptgetupdate() {
395 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
396 if [ -n "$1" ]; then
397 testsuccess grep "$1" rootdir/tmp/testwarning.output
398 fi
399 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
400 }
401 runtest3 'Weak'
402
403 msgmsg "Running test with apt-untrusted digest"
404 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
405 runfailure() {
406 for DELETEFILE in 'InRelease' 'Release.gpg'; do
407 export APT_DONT_SIGN="$DELETEFILE"
408 msgmsg 'Cold archive signed by' 'Joe Sixpack'
409 prepare "${PKGFILE}"
410 rm -rf rootdir/var/lib/apt/lists
411 signreleasefiles 'Joe Sixpack'
412 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
413 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
414 testnopackage 'apt'
415 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
416 failaptold
417 rm -rf rootdir/var/lib/apt/lists
418 sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
419 testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
420 failaptold
421 sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
422
423 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
424 prepare "${PKGFILE}"
425 rm -rf rootdir/var/lib/apt/lists
426 signreleasefiles 'Marvin Paranoid'
427 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
428 testnopackage 'apt'
429 updatewithwarnings '^W: .* NO_PUBKEY'
430 testsuccessequal "$(cat "${PKGFILE}")
431 " aptcache show apt
432 failaptold
433 export APT_DONT_SIGN='Release.gpg'
434 done
435 }
436 runfailure
437
438 msgmsg "Running test with gpgv-untrusted digest"
439 export APT_TESTS_DIGEST_ALGO='MD5'
440 runfailure
APT (for Cydia)