#!/bin/sh
# Integration test: behaviour of `apt update` and of later package operations
# when the repository's Release data offers only MD5 hashes, or none at all.
set -e

# Locate this script's directory and load the shared test helpers from it.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "${TESTDIR}/framework"

setupenvironment
configarchitecture 'i386'
# MD5 is the only hash configured for the first scenarios.
confighashes 'MD5'
# Exported as an empty value; NOTE(review): presumably consumed by the
# framework's signing helpers - confirm there.
APT_DONT_SIGN=''
export APT_DONT_SIGN

# One binary and one source package called foo in 'unstable'.
insertpackage 'unstable' 'foo' 'i386' '1.0'
insertsource 'unstable' 'foo' 'any' '1.0'

# Build the archive without an initial update; every scenario below runs
# `apt update` itself and checks the outcome.
setupaptarchive --no-update
APTARCHIVE="$(readlink -f ./aptarchive)"
17
# Run the framework's testnopackage and testnosrcpackage checks with the
# same arguments, covering the binary and the source side in one call.
# Arguments: package names, forwarded unchanged.
testnopkg() {
  testnopackage "$@"
  testnosrcpackage "$@"
}
# Check the state expected after a weak repository was accepted on request:
# lists/ holds no InRelease or Release.gpg but does hold a Release file, the
# package metadata can be shown, and both `aptget install -y` and
# `aptget source` fail because the packages cannot be authenticated.
# Arguments: package names to query and to try to install or fetch.
testbadpkg() {
  local LISTSDIR='rootdir/var/lib/apt/lists'
  local SUBCOMMAND
  testempty find "$LISTSDIR" -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
  testnotempty find "$LISTSDIR" -maxdepth 1 -name '*Release'
  for SUBCOMMAND in show showsrc; do
    testnotempty apt "$SUBCOMMAND" "$@"
  done
  # Both failure messages start with the same warning listing the packages.
  local UNAUTHWARNING="WARNING: The following packages cannot be authenticated!
$*"
  testfailureequal "${UNAUTHWARNING}
E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y "$@"
  testfailureequal "${UNAUTHWARNING}
E: Some packages could not be authenticated" aptget source -qq "$@"
}
34
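# Run the weak-hash scenarios against one kind of signed Release data.
# Arguments:
#   $1   - label used in the progress messages (e.g. 'InRelease')
#   $2   - path of the Release-type file inside the archive; the expected
#          messages are derived from it
#   $3.. - optional extra arguments for `apt update`. Without them the
#          default behaviour is checked (update refused, lists unchanged);
#          with them the update is expected to succeed with warnings while
#          the packages stay unauthenticated (see testbadpkg).
# Globals: APTARCHIVE (read). Calls whichever preparetest() is currently
# defined, so the caller selects the file layout before each run.
testrun() {
  local TYPE="$1"
  local FILENAME="$2"
  shift 2
  # The messages name the file in lists/partial with every '/' of the
  # archive path replaced by '_'.
  local MANGLED="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "$FILENAME" | sed 's#/#_#g')"
  local RELEASENAME="$(basename "$FILENAME")"
  # Message fragments shared by the scenarios below.
  local WEAKHASH="W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes"
  local NOHASH="W: No Hash entry in Release file ${MANGLED}"
  local REFUSED="E: The repository 'file:${APTARCHIVE} unstable ${RELEASENAME}' provides only weak security information.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details."
  local TOLERATED="W: The repository 'file:${APTARCHIVE} unstable ${RELEASENAME}' provides only weak security information.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details."

  msgmsg "$TYPE contains only weak hashes"
  confighashes 'MD5'
  generatereleasefiles
  signreleasefiles
  preparetest
  if [ -z "$1" ]; then
    # Default: the update is an error and the lists directory is untouched.
    listcurrentlistsdirectory > lists.before
    testfailuremsg "${WEAKHASH}
${REFUSED}" apt update
    testfileequal lists.before "$(listcurrentlistsdirectory)"
    testnopkg 'foo'
  else
    # Opt-in on the command line: the error is downgraded to a warning.
    testwarningmsg "${WEAKHASH}
${TOLERATED}" apt update "$@"
    testbadpkg 'foo'
  fi

  msgmsg "$TYPE contains only weak hashes, but source allows weak"
  # Opt-in per source entry instead of on the command line.
  sed -i 's#^deb\(-src\)\? #deb\1 [allow-weak=yes] #' rootdir/etc/apt/sources.list.d/*
  genericprepare
  testwarningmsg "${WEAKHASH}
${TOLERATED}" apt update "$@"
  testbadpkg 'foo'
  # Undo the per-source opt-in so the next scenario starts from the default.
  sed -i 's#^deb\(-src\)\? \[allow-weak=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*

  msgmsg "$TYPE contains no hashes"
  generatereleasefiles
  # Delete every indented entry line and the MD5Sum: header from Release.
  sed -i -e '/^ / d' -e '/^MD5Sum:/ d' "$APTARCHIVE/dists/unstable/Release"
  signreleasefiles
  preparetest
  if [ -z "$1" ]; then
    listcurrentlistsdirectory > lists.before
    testfailuremsg "${NOHASH}
${REFUSED}" apt update
    testfileequal lists.before "$(listcurrentlistsdirectory)"
    testnopkg 'foo'
  else
    testwarningmsg "${NOHASH}
${TOLERATED}" apt update "$@"
    testbadpkg 'foo'
  fi

  msgmsg "$TYPE contains only weak hashes for some files"
  confighashes 'MD5' 'SHA256'
  generatereleasefiles
  # Remove the 64-hex-digit (SHA256) entry of every Sources index, so that
  # only the MD5 entry remains for those files. The class is limited to hex
  # digits; it previously read A-Z, which also matched non-hex letters.
  sed -i '/^ [0-9a-fA-F]\{64\} .*Sources$/d' "$APTARCHIVE/dists/unstable/Release"
  signreleasefiles
  preparetest
  if [ -z "$1" ]; then
    # Only the weakly hashed index is skipped; the update itself succeeds.
    # NOTE(review): the expected text names InRelease for every TYPE.
    testwarningmsg "W: Skipping acquire of configured file 'main/source/Sources' as repository 'file:${APTARCHIVE} unstable InRelease' provides only weak security information for it" apt update
    testnosrcpackage foo
  else
    rm -f rootdir/var/lib/apt/lists/partial/*
    testsuccess apt update "$@"
    testnotempty apt showsrc foo
  fi
  # The binary index keeps its SHA256 entry, so foo is visible either way.
  testsuccess apt show foo
}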
108
# Recreate rootdir/var/lib/apt/lists from scratch with a lock file and with
# empty, mode-644 placeholders in partial/ for Release.gpg and InRelease.
# Globals: APTARCHIVE (read) - archive path the placeholder names derive from.
genericprepare() {
  rm -rf rootdir/var/lib/apt/lists
  mkdir -p rootdir/var/lib/apt/lists/partial
  touch rootdir/var/lib/apt/lists/lock
  local SIGFILE
  for SIGFILE in 'Release.gpg' 'InRelease'; do
    # Placeholder name: the archive path with every '/' turned into '_'.
    local PLACEHOLDER="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/${SIGFILE}" | sed 's#/#_#g')"
    touch "$PLACEHOLDER"
    chmod 644 "$PLACEHOLDER"
  done
}
# preparetest variant used for the InRelease runs: remove Release and
# Release.gpg from the archive, then reset the lists directory.
preparetest() {
  local DISTDIR="${APTARCHIVE}/dists/unstable"
  rm -f "${DISTDIR}/Release" "${DISTDIR}/Release.gpg"
  genericprepare
}
# InRelease: first the default behaviour, then the explicit opt-in.
# NOTE(review): List-Cleanup=0 is passed only together with the opt-in;
# presumably it keeps apt from cleaning lists/ between checks - confirm.
testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease"
testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease" \
  --allow-weak-repositories \
  -o APT::Get::List-Cleanup=0
126
# preparetest variant used for the Release+Release.gpg runs: remove only
# InRelease from the archive, then reset the lists directory.
preparetest() {
  local DISTDIR="${APTARCHIVE}/dists/unstable"
  rm -f "${DISTDIR}/InRelease"
  genericprepare
}
# Release with detached signature: default behaviour, then explicit opt-in.
testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release"
testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release" \
  --allow-weak-repositories \
  -o APT::Get::List-Cleanup=0
133
# preparetest variant that removes InRelease and Release.gpg, i.e. both
# signature carriers, then resets the lists directory.
# NOTE(review): no testrun call follows this definition in the file, so the
# weak-hash checks are not exercised for a Release file without signature -
# confirm whether that case is covered elsewhere.
preparetest() {
  local DISTDIR="${APTARCHIVE}/dists/unstable"
  rm -f "${DISTDIR}/InRelease" "${DISTDIR}/Release.gpg"
  genericprepare
}
138
msgmsg 'Moving between Release files with good and bad hashes'
rm -rf rootdir/var/lib/apt/lists

# Stage 1, Release dated 7 days ago, MD5 only: refused by default, accepted
# with a warning on explicit opt-in, and foo then stays unauthenticated.
confighashes 'MD5'
generatereleasefiles 'now - 7 days'
signreleasefiles
testfailure apt update
testnopkg 'foo'
testwarning apt update --allow-weak-repositories
testbadpkg 'foo'

# Stage 2, archive rebuilt 5 days ago with MD5 and SHA256 and with foo2
# added: a plain update succeeds, signature files are kept in lists/, foo is
# expected to be gone and foo2 to be visible.
confighashes 'MD5' 'SHA256'
rm -rf aptarchive/dists
insertpackage 'unstable' 'foo2' 'i386' '1.0'
insertsource 'unstable' 'foo2' 'any' '1.0'
setupaptarchive --no-update 'now - 5 days'
testsuccess apt update
testnopkg 'foo'
testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
testnotempty apt show 'foo2'
testnotempty apt showsrc 'foo2'

# Stage 3, archive rebuilt 3 days ago with MD5 only and with foo3 added: the
# default update fails and the stage-2 data is still what apt shows. Only
# the explicit opt-in replaces it, after which foo2 is gone and foo3 is
# present but unauthenticated.
confighashes 'MD5'
rm -rf aptarchive/dists
insertpackage 'unstable' 'foo3' 'i386' '1.0'
insertsource 'unstable' 'foo3' 'any' '1.0'
setupaptarchive --no-update 'now - 3 days'
testfailure apt update
testnopkg 'foo'
testnopkg 'foo3'
testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
testnotempty apt show 'foo2'
testnotempty apt showsrc 'foo2'
testwarning apt update --allow-weak-repositories
testnopkg 'foo2'
testbadpkg 'foo3'
174
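msgmsg 'Working with packages guarded only by weak hashes'
# Build foo4 and its archive while MD5 is the only configured hash; the
# default update is refused, as in the scenarios above.
confighashes 'MD5'
rm -rf aptarchive/dists
buildsimplenativepackage 'foo4' 'i386' '1' 'unstable'
setupaptarchive --no-update
testfailure apt update
# Regenerate and re-sign only the Release files with SHA256, so the update
# is accepted. NOTE(review): presumably the package indexes built above
# still carry only MD5 for foo4 itself - confirm in the framework.
confighashes 'SHA256'
generatereleasefiles 'now - 1 day'
signreleasefiles
testsuccess apt update
cd downloaded

# Download must fail, and with the "insufficient information" error rather
# than a hash mismatch.
testfailure apt download foo4
cp ../rootdir/tmp/testfailure.output download.output
testfailure grep 'Hash Sum mismatch' download.output
testsuccess grep 'Insufficient information' download.output

# Simulation works, but fetching for installation must fail the same way.
testsuccess apt install foo4 -s
testfailure apt install foo4 -dy
cp ../rootdir/tmp/testfailure.output install.output
testfailure grep 'Hash Sum mismatch' install.output
# Check the install output here; this line previously grepped
# download.output again, which left the install error text unverified.
testsuccess grep 'Insufficient information' install.output

# `apt source` succeeds overall but reports a skipped file; afterwards the
# .dsc is absent while a tarball is present.
testsuccess apt source foo4
cp ../rootdir/tmp/testsuccess.output source.output
testsuccess grep 'Skipping download of file' source.output
testfailure test -e foo4_1.dsc
# The glob is left unquoted on purpose so it expands to the tarball name.
testsuccess test -e foo4_1.tar.*
cd ..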