]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
projects / apt.git / blob
? search:


e2e1b5b76a92ec2c2fd926a1d0b5af693e67dd4c
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 buildaptarchive
11 setupflataptarchive
12 changetowebserver
13
14 webserverconfig 'aptwebserver::support::range' 'false'
15
16 prepare() {
17 local DATE="${2:-now}"
18 if [ "$DATE" = 'now' ]; then
19 if [ "$1" = "${PKGFILE}-new" ]; then
20 DATE='now - 1 day'
21 else
22 DATE='now - 7 day'
23 fi
24 fi
25 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
26 touch -d 'now - 1 year' "$release"
27 done
28 aptget clean
29 cp "$1" aptarchive/Packages
30 find aptarchive -name 'Release' -delete
31 compressfile 'aptarchive/Packages' "$DATE"
32 generatereleasefiles "$DATE"
33 }
34
35 installaptold() {
36 rm -rf rootdir/var/cache/apt/archives
37 testsuccessequal "Reading package lists...
38 Building dependency tree...
39 Suggested packages:
40 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
41 The following NEW packages will be installed:
42 apt
43 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
44 After this operation, 5370 kB of additional disk space will be used.
45 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
46 Download complete and in download only mode" aptget install apt -dy
47 }
48
49 installaptnew() {
50 testsuccessequal "Reading package lists...
51 Building dependency tree...
52 Suggested packages:
53 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
54 The following NEW packages will be installed:
55 apt
56 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
57 After this operation, 5808 kB of additional disk space will be used.
58 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
59 Download complete and in download only mode" aptget install apt -dy
60 }
61
62 failaptold() {
63 testfailureequal 'Reading package lists...
64 Building dependency tree...
65 Suggested packages:
66 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
67 The following NEW packages will be installed:
68 apt
69 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
70 After this operation, 5370 kB of additional disk space will be used.
71 WARNING: The following packages cannot be authenticated!
72 apt
73 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
74 }
75
76 failaptnew() {
77 testfailureequal 'Reading package lists...
78 Building dependency tree...
79 Suggested packages:
80 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
81 The following NEW packages will be installed:
82 apt
83 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
84 After this operation, 5808 kB of additional disk space will be used.
85 WARNING: The following packages cannot be authenticated!
86 apt
87 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
88 }
89
90 # fake our downloadable file
91 touch aptarchive/apt.deb
92
93 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
94
95 updatewithwarnings() {
96 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
97 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
98 }
99
100 runtest() {
101 local DELETEFILE="$1"
102 msgmsg 'Cold archive signed by' 'Joe Sixpack'
103 prepare "${PKGFILE}"
104 rm -rf rootdir/var/lib/apt/lists
105 signreleasefiles 'Joe Sixpack'
106 find aptarchive/ -name "$DELETEFILE" -delete
107 successfulaptgetupdate
108 testsuccessequal "$(cat "${PKGFILE}")
109 " aptcache show apt
110 installaptold
111
112 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
113 prepare "${PKGFILE}-new"
114 signreleasefiles 'Joe Sixpack'
115 find aptarchive/ -name "$DELETEFILE" -delete
116 successfulaptgetupdate
117 testsuccessequal "$(cat "${PKGFILE}-new")
118 " aptcache show apt
119 installaptnew
120
121 msgmsg 'Cold archive signed by' 'Rex Expired'
122 prepare "${PKGFILE}"
123 rm -rf rootdir/var/lib/apt/lists
124 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
125 signreleasefiles 'Rex Expired'
126 find aptarchive/ -name "$DELETEFILE" -delete
127 updatewithwarnings '^W: .* EXPKEYSIG'
128 testsuccessequal "$(cat "${PKGFILE}")
129 " aptcache show apt
130 failaptold
131 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
132
133 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
134 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
135 touch rootdir/etc/apt/apt.conf.d/99gnupg2
136 elif gpg2 --version >/dev/null 2>&1; then
137 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
138 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
139 rm rootdir/etc/apt/apt.conf.d/99gnupg2
140 fi
141 fi
142 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
143 prepare "${PKGFILE}"
144 rm -rf rootdir/var/lib/apt/lists
145 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
146 find aptarchive/ -name "$DELETEFILE" -delete
147 updatewithwarnings '^W: .* EXPSIG'
148 testsuccessequal "$(cat "${PKGFILE}")
149 " aptcache show apt
150 failaptold
151 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
152 else
153 msgskip 'Not a new enough gpg available providing --fake-system-time'
154 fi
155
156 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
157 prepare "${PKGFILE}"
158 rm -rf rootdir/var/lib/apt/lists
159 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
160 find aptarchive/ -name "$DELETEFILE" -delete
161 successfulaptgetupdate 'NO_PUBKEY'
162 testsuccessequal "$(cat "${PKGFILE}")
163 " aptcache show apt
164 installaptold
165
166 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
167 prepare "${PKGFILE}"
168 rm -rf rootdir/var/lib/apt/lists
169 signreleasefiles 'Joe Sixpack,Rex Expired'
170 find aptarchive/ -name "$DELETEFILE" -delete
171 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
172 successfulaptgetupdate 'EXPKEYSIG'
173 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
174 testsuccessequal "$(cat "${PKGFILE}")
175 " aptcache show apt
176 installaptold
177
178 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
179 prepare "${PKGFILE}"
180 rm -rf rootdir/var/lib/apt/lists
181 signreleasefiles 'Marvin Paranoid'
182 find aptarchive/ -name "$DELETEFILE" -delete
183 updatewithwarnings '^W: .* NO_PUBKEY'
184 testsuccessequal "$(cat "${PKGFILE}")
185 " aptcache show apt
186 failaptold
187
188 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
189 prepare "${PKGFILE}-new"
190 signreleasefiles 'Joe Sixpack'
191 find aptarchive/ -name "$DELETEFILE" -delete
192 successfulaptgetupdate
193 testsuccessequal "$(cat "${PKGFILE}-new")
194 " aptcache show apt
195 installaptnew
196
197 msgmsg 'Cold archive signed by' 'Joe Sixpack'
198 prepare "${PKGFILE}"
199 rm -rf rootdir/var/lib/apt/lists
200 signreleasefiles 'Joe Sixpack'
201 find aptarchive/ -name "$DELETEFILE" -delete
202 successfulaptgetupdate
203 testsuccessequal "$(cat "${PKGFILE}")
204 " aptcache show apt
205 installaptold
206
207 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
208 prepare "${PKGFILE}-new"
209 signreleasefiles 'Marvin Paranoid'
210 find aptarchive/ -name "$DELETEFILE" -delete
211 updatewithwarnings '^W: .* NO_PUBKEY'
212 testsuccessequal "$(cat "${PKGFILE}")
213 " aptcache show apt
214 installaptold
215
216 msgmsg 'Good warm archive signed by' 'Rex Expired'
217 prepare "${PKGFILE}-new"
218 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
219 signreleasefiles 'Rex Expired'
220 find aptarchive/ -name "$DELETEFILE" -delete
221 updatewithwarnings '^W: .* EXPKEYSIG'
222 testsuccessequal "$(cat "${PKGFILE}")
223 " aptcache show apt
224 installaptold
225 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
226
227 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
228 prepare "${PKGFILE}-new"
229 signreleasefiles
230 find aptarchive/ -name "$DELETEFILE" -delete
231 successfulaptgetupdate
232 testsuccessequal "$(cat "${PKGFILE}-new")
233 " aptcache show apt
234 installaptnew
235
236 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
237 prepare "${PKGFILE}"
238 rm -rf rootdir/var/lib/apt/lists
239 signreleasefiles 'Marvin Paranoid'
240 find aptarchive/ -name "$DELETEFILE" -delete
241 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
242 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
243 successfulaptgetupdate
244 testsuccessequal "$(cat "${PKGFILE}")
245 " aptcache show apt
246 installaptold
247
248 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
249 rm -rf rootdir/var/lib/apt/lists
250 signreleasefiles 'Joe Sixpack'
251 find aptarchive/ -name "$DELETEFILE" -delete
252 updatewithwarnings '^W: .* NO_PUBKEY'
253 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
254
255 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
256 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
257 rm -rf rootdir/var/lib/apt/lists
258 signreleasefiles 'Joe Sixpack'
259 find aptarchive/ -name "$DELETEFILE" -delete
260 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
261 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
262
263 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
264 rm -rf rootdir/var/lib/apt/lists
265 signreleasefiles 'Marvin Paranoid'
266 find aptarchive/ -name "$DELETEFILE" -delete
267 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
268 successfulaptgetupdate
269 testsuccessequal "$(cat "${PKGFILE}")
270 " aptcache show apt
271 installaptold
272
273 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
274 rm -rf rootdir/var/lib/apt/lists
275 signreleasefiles 'Marvin Paranoid,Joe Sixpack'
276 find aptarchive/ -name "$DELETEFILE" -delete
277 successfulaptgetupdate 'NoPubKey: GOODSIG'
278 testsuccessequal "$(cat "${PKGFILE}")
279 " aptcache show apt
280 installaptold
281
282 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
283 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
284 rm -rf rootdir/var/lib/apt/lists
285 signreleasefiles 'Joe Sixpack'
286 find aptarchive/ -name "$DELETEFILE" -delete
287 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
288 successfulaptgetupdate
289 testsuccessequal "$(cat "${PKGFILE}")
290 " aptcache show apt
291 installaptold
292
293 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
294 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
295 rm -rf rootdir/var/lib/apt/lists
296 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
297 successfulaptgetupdate
298 testsuccessequal "$(cat "${PKGFILE}")
299 " aptcache show apt
300 installaptold
301 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
302 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
303
304 }
305
306 runtest2() {
307 msgmsg 'Cold archive signed by' 'Joe Sixpack'
308 prepare "${PKGFILE}"
309 rm -rf rootdir/var/lib/apt/lists
310 signreleasefiles 'Joe Sixpack'
311 successfulaptgetupdate
312
313 # New .deb but now an unsigned archive. For example MITM to circumvent
314 # package verification.
315 msgmsg 'Warm archive signed by' 'nobody'
316 prepare "${PKGFILE}-new"
317 find aptarchive/ -name InRelease -delete
318 find aptarchive/ -name Release.gpg -delete
319 updatewithwarnings 'W: .* no longer signed.'
320 testsuccessequal "$(cat "${PKGFILE}-new")
321 " aptcache show apt
322 failaptnew
323
324 # Unsigned archive from the beginning must also be detected.
325 msgmsg 'Cold archive signed by' 'nobody'
326 rm -rf rootdir/var/lib/apt/lists
327 updatewithwarnings 'W: .* is not signed.'
328 testsuccessequal "$(cat "${PKGFILE}-new")
329 " aptcache show apt
330 failaptnew
331 }
332
333 runtest3() {
334 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
335 msgmsg "Running base test with $1 digest"
336 runtest2
337
338 for DELETEFILE in 'InRelease' 'Release.gpg'; do
339 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
340 runtest "$DELETEFILE"
341 done
342 }
343
344 # diable some protection by default and ensure we still do the verification
345 # correctly
346 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
347 Acquire::AllowInsecureRepositories "1";
348 Acquire::AllowDowngradeToInsecureRepositories "1";
349 EOF
350 # the hash marked as configureable in our gpgv method
351 export APT_TESTS_DIGEST_ALGO='SHA224'
352
353 successfulaptgetupdate() {
354 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
355 if [ -n "$1" ]; then
356 cp rootdir/tmp/testsuccess.output aptupdate.output
357 testsuccess grep "$1" aptupdate.output
358 fi
359 }
360 runtest3 'Trusted'
361
362 successfulaptgetupdate() {
363 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
364 if [ -n "$1" ]; then
365 testsuccess grep "$1" rootdir/tmp/testwarning.output
366 fi
367 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
368 }
369 runtest3 'Weak'
370
371 msgmsg "Running test with apt-untrusted digest"
372 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
373 runfailure() {
374 for DELETEFILE in 'InRelease' 'Release.gpg'; do
375 msgmsg 'Cold archive signed by' 'Joe Sixpack'
376 prepare "${PKGFILE}"
377 rm -rf rootdir/var/lib/apt/lists
378 signreleasefiles 'Joe Sixpack'
379 find aptarchive/ -name "$DELETEFILE" -delete
380 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
381 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
382 testnopackage 'apt'
383 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
384 failaptold
385
386 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
387 prepare "${PKGFILE}"
388 rm -rf rootdir/var/lib/apt/lists
389 signreleasefiles 'Marvin Paranoid'
390 find aptarchive/ -name "$DELETEFILE" -delete
391 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
392 testnopackage 'apt'
393 updatewithwarnings '^W: .* NO_PUBKEY'
394 testsuccessequal "$(cat "${PKGFILE}")
395 " aptcache show apt
396 failaptold
397 done
398 }
399 runfailure
400
401 msgmsg "Running test with gpgv-untrusted digest"
402 export APT_TESTS_DIGEST_ALGO='MD5'
403 runfailure
APT (for Cydia)