]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
Don't download "optional" files not in Release :/.
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 export APT_DONT_SIGN='Release.gpg'
11 buildaptarchive
12 setupflataptarchive
13 changetowebserver
14
15 prepare() {
16 local DATE="${2:-now}"
17 if [ "$DATE" = 'now' ]; then
18 if [ "$1" = "${PKGFILE}-new" ]; then
19 DATE='now - 1 day'
20 else
21 DATE='now - 7 day'
22 fi
23 fi
24 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
25 touch -d 'now - 1 year' "$release"
26 done
27 aptget clean
28 cp "$1" aptarchive/Packages
29 find aptarchive -name 'Release' -delete
30 compressfile 'aptarchive/Packages' "$DATE"
31 generatereleasefiles "$DATE" 'now + 1 month'
32 }
33
34 installaptold() {
35 rm -rf rootdir/var/cache/apt/archives
36 testsuccessequal "Reading package lists...
37 Building dependency tree...
38 Suggested packages:
39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
40 The following NEW packages will be installed:
41 apt
42 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43 After this operation, 5370 kB of additional disk space will be used.
44 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45 Download complete and in download only mode" aptget install apt -dy
46 }
47
48 installaptnew() {
49 rm -rf rootdir/var/cache/apt/archives
50 testsuccessequal "Reading package lists...
51 Building dependency tree...
52 Suggested packages:
53 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
54 The following NEW packages will be installed:
55 apt
56 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
57 After this operation, 5808 kB of additional disk space will be used.
58 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
59 Download complete and in download only mode" aptget install apt -dy
60 }
61
62 failaptold() {
63 testfailureequal 'Reading package lists...
64 Building dependency tree...
65 Suggested packages:
66 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
67 The following NEW packages will be installed:
68 apt
69 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
70 After this operation, 5370 kB of additional disk space will be used.
71 WARNING: The following packages cannot be authenticated!
72 apt
73 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
74 }
75
76 failaptnew() {
77 testfailureequal 'Reading package lists...
78 Building dependency tree...
79 Suggested packages:
80 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
81 The following NEW packages will be installed:
82 apt
83 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
84 After this operation, 5808 kB of additional disk space will be used.
85 WARNING: The following packages cannot be authenticated!
86 apt
87 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
88 }
89
90 # fake our downloadable file
91 touch aptarchive/apt.deb
92
93 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
94
95 updatewithwarnings() {
96 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
97 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
98 }
99
100 runtest() {
101 msgmsg 'Cold archive signed by' 'Joe Sixpack'
102 prepare "${PKGFILE}"
103 rm -rf rootdir/var/lib/apt/lists
104 signreleasefiles 'Joe Sixpack'
105 successfulaptgetupdate
106 testsuccessequal "$(cat "${PKGFILE}")
107 " aptcache show apt
108 installaptold
109
110 if [ "$(id -u)" != '0' ]; then
111 msgmsg 'Cold archive signed by' 'Joe Sixpack + unreadable key'
112 rm -rf rootdir/var/lib/apt/lists
113 echo 'foobar' > rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
114 chmod 000 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
115 updatewithwarnings '^W: .* is not readable by user'
116 chmod 644 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
117 rm -f rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
118 testsuccessequal "$(cat "${PKGFILE}")
119 " aptcache show apt
120 installaptold
121 fi
122
123 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
124 prepare "${PKGFILE}-new"
125 signreleasefiles 'Joe Sixpack'
126 successfulaptgetupdate
127 testsuccessequal "$(cat "${PKGFILE}-new")
128 " aptcache show apt
129 installaptnew
130
131 msgmsg 'Cold archive signed by' 'Rex Expired'
132 prepare "${PKGFILE}"
133 rm -rf rootdir/var/lib/apt/lists
134 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
135 signreleasefiles 'Rex Expired'
136 updatewithwarnings '^W: .* EXPKEYSIG'
137 testsuccessequal "$(cat "${PKGFILE}")
138 " aptcache show apt
139 failaptold
140 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
141
142 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
143 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
144 touch rootdir/etc/apt/apt.conf.d/99gnupg2
145 elif gpg2 --version >/dev/null 2>&1; then
146 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
147 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
148 rm rootdir/etc/apt/apt.conf.d/99gnupg2
149 fi
150 fi
151 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
152 prepare "${PKGFILE}"
153 rm -rf rootdir/var/lib/apt/lists
154 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
155 updatewithwarnings '^W: .* EXPSIG'
156 testsuccessequal "$(cat "${PKGFILE}")
157 " aptcache show apt
158 failaptold
159 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
160 else
161 msgskip 'Not a new enough gpg available providing --fake-system-time'
162 fi
163
164 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
165 prepare "${PKGFILE}"
166 rm -rf rootdir/var/lib/apt/lists
167 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
168 successfulaptgetupdate 'NO_PUBKEY'
169 testsuccessequal "$(cat "${PKGFILE}")
170 " aptcache show apt
171 installaptold
172
173 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
174 prepare "${PKGFILE}"
175 rm -rf rootdir/var/lib/apt/lists
176 signreleasefiles 'Joe Sixpack,Rex Expired'
177 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
178 successfulaptgetupdate 'EXPKEYSIG'
179 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
180 testsuccessequal "$(cat "${PKGFILE}")
181 " aptcache show apt
182 installaptold
183
184 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
185 prepare "${PKGFILE}"
186 rm -rf rootdir/var/lib/apt/lists
187 signreleasefiles 'Marvin Paranoid'
188 updatewithwarnings '^W: .* NO_PUBKEY'
189 testsuccessequal "$(cat "${PKGFILE}")
190 " aptcache show apt
191 failaptold
192
193 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
194 prepare "${PKGFILE}-new"
195 signreleasefiles 'Joe Sixpack'
196 successfulaptgetupdate
197 testsuccessequal "$(cat "${PKGFILE}-new")
198 " aptcache show apt
199 installaptnew
200
201 msgmsg 'Cold archive signed by' 'Joe Sixpack'
202 prepare "${PKGFILE}"
203 rm -rf rootdir/var/lib/apt/lists
204 signreleasefiles 'Joe Sixpack'
205 successfulaptgetupdate
206 testsuccessequal "$(cat "${PKGFILE}")
207 " aptcache show apt
208 installaptold
209
210 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
211 prepare "${PKGFILE}-new"
212 signreleasefiles 'Marvin Paranoid'
213 updatewithwarnings '^W: .* NO_PUBKEY'
214 testsuccessequal "$(cat "${PKGFILE}")
215 " aptcache show apt
216 installaptold
217
218 msgmsg 'Good warm archive signed by' 'Rex Expired'
219 prepare "${PKGFILE}-new"
220 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
221 signreleasefiles 'Rex Expired'
222 updatewithwarnings '^W: .* EXPKEYSIG'
223 testsuccessequal "$(cat "${PKGFILE}")
224 " aptcache show apt
225 installaptold
226 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
227
228 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
229 prepare "${PKGFILE}-new"
230 signreleasefiles
231 successfulaptgetupdate
232 testsuccessequal "$(cat "${PKGFILE}-new")
233 " aptcache show apt
234 installaptnew
235
236 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
237 prepare "${PKGFILE}"
238 rm -rf rootdir/var/lib/apt/lists
239 signreleasefiles 'Marvin Paranoid'
240 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
241 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
242 successfulaptgetupdate
243 testsuccessequal "$(cat "${PKGFILE}")
244 " aptcache show apt
245 installaptold
246
247 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
248 rm -rf rootdir/var/lib/apt/lists
249 signreleasefiles 'Joe Sixpack'
250 updatewithwarnings '^W: .* NO_PUBKEY'
251 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
252
253 local MARVIN="$(aptkey --keyring $MARVIN finger --with-colons | grep '^fpr' | cut -d':' -f 10)"
254 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
255 rm -rf rootdir/var/lib/apt/lists
256 signreleasefiles 'Joe Sixpack'
257 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
258 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
259
260 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
261 rm -rf rootdir/var/lib/apt/lists
262 signreleasefiles 'Marvin Paranoid'
263 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
264 successfulaptgetupdate
265 testsuccessequal "$(cat "${PKGFILE}")
266 " aptcache show apt
267 installaptold
268
269 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
270 rm -rf rootdir/var/lib/apt/lists
271 signreleasefiles 'Marvin Paranoid,Joe Sixpack'
272 successfulaptgetupdate 'NoPubKey: GOODSIG'
273 testsuccessequal "$(cat "${PKGFILE}")
274 " aptcache show apt
275 installaptold
276
277 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger --with-colons | grep '^fpr' | cut -d':' -f 10)"
278 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
279 rm -rf rootdir/var/lib/apt/lists
280 signreleasefiles 'Joe Sixpack'
281 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
282 successfulaptgetupdate
283 testsuccessequal "$(cat "${PKGFILE}")
284 " aptcache show apt
285 installaptold
286
287 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
288 rm -rf rootdir/var/lib/apt/lists
289 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
290 successfulaptgetupdate
291 testsuccessequal "$(cat "${PKGFILE}")
292 " aptcache show apt
293 installaptold
294 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
295 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
296
297 rm -rf rootdir/var/lib/apt/lists-bak
298 cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
299 prepare "${PKGFILE}-new"
300 signreleasefiles 'Joe Sixpack'
301
302 msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
303 sed -i "/^Valid-Until: / a\
304 Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
305 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
306 successfulaptgetupdate
307 testsuccessequal "$(cat "${PKGFILE}-new")
308 " aptcache show apt
309 installaptnew
310
311 msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
312 rm -rf rootdir/var/lib/apt/lists
313 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
314 sed -i "/^Valid-Until: / a\
315 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
316 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
317 updatewithwarnings 'W: .* public key is not available: GOODSIG'
318 testsuccessequal "$(cat "${PKGFILE}")
319 " aptcache show apt
320 installaptold
321
322 msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
323 rm -rf rootdir/var/lib/apt/lists
324 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
325 sed -i "/^Valid-Until: / a\
326 Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
327 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
328 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
329 successfulaptgetupdate
330 testsuccessequal "$(cat "${PKGFILE}-new")
331 " aptcache show apt
332 installaptnew
333
334 msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
335 rm -rf rootdir/var/lib/apt/lists
336 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
337 sed -i "/^Valid-Until: / a\
338 Signed-By: ${MARVIN} ${MARVIN}, \\
339 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
340 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
341 successfulaptgetupdate
342 testsuccessequal "$(cat "${PKGFILE}-new")
343 " aptcache show apt
344 installaptnew
345 }
346
347 runtest2() {
348 msgmsg 'Cold archive signed by' 'Joe Sixpack'
349 prepare "${PKGFILE}"
350 rm -rf rootdir/var/lib/apt/lists
351 signreleasefiles 'Joe Sixpack'
352 successfulaptgetupdate
353
354 # New .deb but now an unsigned archive. For example MITM to circumvent
355 # package verification.
356 msgmsg 'Warm archive signed by' 'nobody'
357 prepare "${PKGFILE}-new"
358 find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
359 updatewithwarnings 'W: .* no longer signed.'
360 testsuccessequal "$(cat "${PKGFILE}-new")
361 " aptcache show apt
362 failaptnew
363
364 # Unsigned archive from the beginning must also be detected.
365 msgmsg 'Cold archive signed by' 'nobody'
366 rm -rf rootdir/var/lib/apt/lists
367 updatewithwarnings 'W: .* is not signed.'
368 testsuccessequal "$(cat "${PKGFILE}-new")
369 " aptcache show apt
370 failaptnew
371 }
372
373 runtest3() {
374 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
375 msgmsg "Running base test with $1 digest"
376 runtest2
377
378 for DELETEFILE in 'InRelease' 'Release.gpg'; do
379 export APT_DONT_SIGN="$DELETEFILE"
380 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
381 runtest
382 export APT_DONT_SIGN='Release.gpg'
383 done
384 }
385
386 # diable some protection by default and ensure we still do the verification
387 # correctly
388 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
389 Acquire::AllowInsecureRepositories "1";
390 Acquire::AllowDowngradeToInsecureRepositories "1";
391 EOF
392 # the hash marked as configurable in our gpgv method
393 export APT_TESTS_DIGEST_ALGO='SHA224'
394
395 successfulaptgetupdate() {
396 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
397 if [ -n "$1" ]; then
398 cp rootdir/tmp/testsuccess.output aptupdate.output
399 testsuccess grep "$1" aptupdate.output
400 fi
401 }
402 runtest3 'Trusted'
403
404 successfulaptgetupdate() {
405 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
406 if [ -n "$1" ]; then
407 testsuccess grep "$1" rootdir/tmp/testwarning.output
408 fi
409 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
410 }
411 runtest3 'Weak'
412
413 msgmsg "Running test with apt-untrusted digest"
414 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
415 runfailure() {
416 for DELETEFILE in 'InRelease' 'Release.gpg'; do
417 export APT_DONT_SIGN="$DELETEFILE"
418 msgmsg 'Cold archive signed by' 'Joe Sixpack'
419 prepare "${PKGFILE}"
420 rm -rf rootdir/var/lib/apt/lists
421 signreleasefiles 'Joe Sixpack'
422 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
423 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
424 testnopackage 'apt'
425 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
426 failaptold
427 rm -rf rootdir/var/lib/apt/lists
428 sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
429 testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
430 failaptold
431 sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
432
433 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
434 prepare "${PKGFILE}"
435 rm -rf rootdir/var/lib/apt/lists
436 signreleasefiles 'Marvin Paranoid'
437 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
438 testnopackage 'apt'
439 updatewithwarnings '^W: .* NO_PUBKEY'
440 testsuccessequal "$(cat "${PKGFILE}")
441 " aptcache show apt
442 failaptold
443 export APT_DONT_SIGN='Release.gpg'
444 done
445 }
446 runfailure
447
448 msgmsg "Running test with gpgv-untrusted digest"
449 export APT_TESTS_DIGEST_ALGO='MD5'
450 runfailure