]> git.saurik.com Git - apt.git/blob - test/integration/test-releasefile-verification
projects / apt.git / blob
? search:


fec7b1302cd859be629b013102075a13605e99ce
[apt.git] / test / integration / test-releasefile-verification
1 #!/bin/sh
2 set -e
3
4 TESTDIR="$(readlink -f "$(dirname "$0")")"
5 . "$TESTDIR/framework"
6
7 setupenvironment
8 configarchitecture "i386"
9
10 export APT_DONT_SIGN='Release.gpg'
11 buildaptarchive
12 setupflataptarchive
13 changetowebserver
14
15 prepare() {
16 local DATE="${2:-now}"
17 if [ "$DATE" = 'now' ]; then
18 if [ "$1" = "${PKGFILE}-new" ]; then
19 DATE='now - 1 day'
20 else
21 DATE='now - 7 day'
22 fi
23 fi
24 for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
25 touch -d 'now - 1 year' "$release"
26 done
27 aptget clean
28 cp "$1" aptarchive/Packages
29 find aptarchive -name 'Release' -delete
30 compressfile 'aptarchive/Packages' "$DATE"
31 generatereleasefiles "$DATE" 'now + 1 month'
32 }
33
34 installaptold() {
35 rm -rf rootdir/var/cache/apt/archives
36 testsuccessequal "Reading package lists...
37 Building dependency tree...
38 Suggested packages:
39 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
40 The following NEW packages will be installed:
41 apt
42 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
43 After this operation, 5370 kB of additional disk space will be used.
44 Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
45 Download complete and in download only mode" aptget install apt -dy
46 }
47
48 installaptnew() {
49 rm -rf rootdir/var/cache/apt/archives
50 testsuccessequal "Reading package lists...
51 Building dependency tree...
52 Suggested packages:
53 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
54 The following NEW packages will be installed:
55 apt
56 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
57 After this operation, 5808 kB of additional disk space will be used.
58 Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
59 Download complete and in download only mode" aptget install apt -dy
60 }
61
62 failaptold() {
63 testfailureequal 'Reading package lists...
64 Building dependency tree...
65 Suggested packages:
66 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
67 The following NEW packages will be installed:
68 apt
69 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
70 After this operation, 5370 kB of additional disk space will be used.
71 WARNING: The following packages cannot be authenticated!
72 apt
73 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
74 }
75
76 failaptnew() {
77 testfailureequal 'Reading package lists...
78 Building dependency tree...
79 Suggested packages:
80 aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
81 The following NEW packages will be installed:
82 apt
83 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
84 After this operation, 5808 kB of additional disk space will be used.
85 WARNING: The following packages cannot be authenticated!
86 apt
87 E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
88 }
89
90 # fake our downloadable file
91 touch aptarchive/apt.deb
92
93 PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
94
95 updatewithwarnings() {
96 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
97 testsuccess grep -E "$1" rootdir/tmp/testwarning.output
98 }
99
100 runtest() {
101 msgmsg 'Cold archive signed by' 'Joe Sixpack'
102 prepare "${PKGFILE}"
103 rm -rf rootdir/var/lib/apt/lists
104 signreleasefiles 'Joe Sixpack'
105 successfulaptgetupdate
106 testsuccessequal "$(cat "${PKGFILE}")
107 " aptcache show apt
108 installaptold
109
110 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
111 prepare "${PKGFILE}-new"
112 signreleasefiles 'Joe Sixpack'
113 successfulaptgetupdate
114 testsuccessequal "$(cat "${PKGFILE}-new")
115 " aptcache show apt
116 installaptnew
117
118 msgmsg 'Cold archive signed by' 'Rex Expired'
119 prepare "${PKGFILE}"
120 rm -rf rootdir/var/lib/apt/lists
121 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
122 signreleasefiles 'Rex Expired'
123 updatewithwarnings '^W: .* EXPKEYSIG'
124 testsuccessequal "$(cat "${PKGFILE}")
125 " aptcache show apt
126 failaptold
127 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
128
129 msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
130 if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
131 touch rootdir/etc/apt/apt.conf.d/99gnupg2
132 elif gpg2 --version >/dev/null 2>&1; then
133 echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
134 if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
135 rm rootdir/etc/apt/apt.conf.d/99gnupg2
136 fi
137 fi
138 if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
139 prepare "${PKGFILE}"
140 rm -rf rootdir/var/lib/apt/lists
141 signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
142 updatewithwarnings '^W: .* EXPSIG'
143 testsuccessequal "$(cat "${PKGFILE}")
144 " aptcache show apt
145 failaptold
146 rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
147 else
148 msgskip 'Not a new enough gpg available providing --fake-system-time'
149 fi
150
151 msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
152 prepare "${PKGFILE}"
153 rm -rf rootdir/var/lib/apt/lists
154 signreleasefiles 'Joe Sixpack,Marvin Paranoid'
155 successfulaptgetupdate 'NO_PUBKEY'
156 testsuccessequal "$(cat "${PKGFILE}")
157 " aptcache show apt
158 installaptold
159
160 msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
161 prepare "${PKGFILE}"
162 rm -rf rootdir/var/lib/apt/lists
163 signreleasefiles 'Joe Sixpack,Rex Expired'
164 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
165 successfulaptgetupdate 'EXPKEYSIG'
166 rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
167 testsuccessequal "$(cat "${PKGFILE}")
168 " aptcache show apt
169 installaptold
170
171 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
172 prepare "${PKGFILE}"
173 rm -rf rootdir/var/lib/apt/lists
174 signreleasefiles 'Marvin Paranoid'
175 updatewithwarnings '^W: .* NO_PUBKEY'
176 testsuccessequal "$(cat "${PKGFILE}")
177 " aptcache show apt
178 failaptold
179
180 msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
181 prepare "${PKGFILE}-new"
182 signreleasefiles 'Joe Sixpack'
183 successfulaptgetupdate
184 testsuccessequal "$(cat "${PKGFILE}-new")
185 " aptcache show apt
186 installaptnew
187
188 msgmsg 'Cold archive signed by' 'Joe Sixpack'
189 prepare "${PKGFILE}"
190 rm -rf rootdir/var/lib/apt/lists
191 signreleasefiles 'Joe Sixpack'
192 successfulaptgetupdate
193 testsuccessequal "$(cat "${PKGFILE}")
194 " aptcache show apt
195 installaptold
196
197 msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
198 prepare "${PKGFILE}-new"
199 signreleasefiles 'Marvin Paranoid'
200 updatewithwarnings '^W: .* NO_PUBKEY'
201 testsuccessequal "$(cat "${PKGFILE}")
202 " aptcache show apt
203 installaptold
204
205 msgmsg 'Good warm archive signed by' 'Rex Expired'
206 prepare "${PKGFILE}-new"
207 cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
208 signreleasefiles 'Rex Expired'
209 updatewithwarnings '^W: .* EXPKEYSIG'
210 testsuccessequal "$(cat "${PKGFILE}")
211 " aptcache show apt
212 installaptold
213 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
214
215 msgmsg 'Good warm archive signed by' 'Joe Sixpack'
216 prepare "${PKGFILE}-new"
217 signreleasefiles
218 successfulaptgetupdate
219 testsuccessequal "$(cat "${PKGFILE}-new")
220 " aptcache show apt
221 installaptnew
222
223 msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
224 prepare "${PKGFILE}"
225 rm -rf rootdir/var/lib/apt/lists
226 signreleasefiles 'Marvin Paranoid'
227 local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
228 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
229 successfulaptgetupdate
230 testsuccessequal "$(cat "${PKGFILE}")
231 " aptcache show apt
232 installaptold
233
234 msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
235 rm -rf rootdir/var/lib/apt/lists
236 signreleasefiles 'Joe Sixpack'
237 updatewithwarnings '^W: .* NO_PUBKEY'
238 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
239
240 local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
241 msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
242 rm -rf rootdir/var/lib/apt/lists
243 signreleasefiles 'Joe Sixpack'
244 sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
245 updatewithwarnings '^W: .* be verified because the public key is not available: .*'
246
247 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
248 rm -rf rootdir/var/lib/apt/lists
249 signreleasefiles 'Marvin Paranoid'
250 cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
251 successfulaptgetupdate
252 testsuccessequal "$(cat "${PKGFILE}")
253 " aptcache show apt
254 installaptold
255
256 msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
257 rm -rf rootdir/var/lib/apt/lists
258 signreleasefiles 'Marvin Paranoid,Joe Sixpack'
259 successfulaptgetupdate 'NoPubKey: GOODSIG'
260 testsuccessequal "$(cat "${PKGFILE}")
261 " aptcache show apt
262 installaptold
263
264 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
265 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
266 rm -rf rootdir/var/lib/apt/lists
267 signreleasefiles 'Joe Sixpack'
268 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
269 successfulaptgetupdate
270 testsuccessequal "$(cat "${PKGFILE}")
271 " aptcache show apt
272 installaptold
273
274 local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
275 msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
276 rm -rf rootdir/var/lib/apt/lists
277 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
278 successfulaptgetupdate
279 testsuccessequal "$(cat "${PKGFILE}")
280 " aptcache show apt
281 installaptold
282 rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
283 sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
284
285 rm -rf rootdir/var/lib/apt/lists-bak
286 cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
287 prepare "${PKGFILE}-new"
288 signreleasefiles 'Joe Sixpack'
289
290 msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
291 sed -i "/^Valid-Until: / a\
292 Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
293 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
294 successfulaptgetupdate
295 testsuccessequal "$(cat "${PKGFILE}-new")
296 " aptcache show apt
297 installaptnew
298
299 msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
300 rm -rf rootdir/var/lib/apt/lists
301 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
302 sed -i "/^Valid-Until: / a\
303 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
304 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
305 updatewithwarnings 'W: .* public key is not available: GOODSIG'
306 testsuccessequal "$(cat "${PKGFILE}")
307 " aptcache show apt
308 installaptold
309
310 msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
311 rm -rf rootdir/var/lib/apt/lists
312 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
313 sed -i "/^Valid-Until: / a\
314 Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
315 Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
316 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
317 successfulaptgetupdate
318 testsuccessequal "$(cat "${PKGFILE}-new")
319 " aptcache show apt
320 installaptnew
321
322 msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
323 rm -rf rootdir/var/lib/apt/lists
324 cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
325 sed -i "/^Valid-Until: / a\
326 Signed-By: ${MARVIN} ${MARVIN}, \\
327 ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
328 touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
329 successfulaptgetupdate
330 testsuccessequal "$(cat "${PKGFILE}-new")
331 " aptcache show apt
332 installaptnew
333 }
334
335 runtest2() {
336 msgmsg 'Cold archive signed by' 'Joe Sixpack'
337 prepare "${PKGFILE}"
338 rm -rf rootdir/var/lib/apt/lists
339 signreleasefiles 'Joe Sixpack'
340 successfulaptgetupdate
341
342 # New .deb but now an unsigned archive. For example MITM to circumvent
343 # package verification.
344 msgmsg 'Warm archive signed by' 'nobody'
345 prepare "${PKGFILE}-new"
346 find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
347 updatewithwarnings 'W: .* no longer signed.'
348 testsuccessequal "$(cat "${PKGFILE}-new")
349 " aptcache show apt
350 failaptnew
351
352 # Unsigned archive from the beginning must also be detected.
353 msgmsg 'Cold archive signed by' 'nobody'
354 rm -rf rootdir/var/lib/apt/lists
355 updatewithwarnings 'W: .* is not signed.'
356 testsuccessequal "$(cat "${PKGFILE}-new")
357 " aptcache show apt
358 failaptnew
359 }
360
361 runtest3() {
362 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
363 msgmsg "Running base test with $1 digest"
364 runtest2
365
366 for DELETEFILE in 'InRelease' 'Release.gpg'; do
367 export APT_DONT_SIGN="$DELETEFILE"
368 msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
369 runtest
370 export APT_DONT_SIGN='Release.gpg'
371 done
372 }
373
374 # diable some protection by default and ensure we still do the verification
375 # correctly
376 cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
377 Acquire::AllowInsecureRepositories "1";
378 Acquire::AllowDowngradeToInsecureRepositories "1";
379 EOF
380 # the hash marked as configurable in our gpgv method
381 export APT_TESTS_DIGEST_ALGO='SHA224'
382
383 successfulaptgetupdate() {
384 testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
385 if [ -n "$1" ]; then
386 cp rootdir/tmp/testsuccess.output aptupdate.output
387 testsuccess grep "$1" aptupdate.output
388 fi
389 }
390 runtest3 'Trusted'
391
392 successfulaptgetupdate() {
393 testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
394 if [ -n "$1" ]; then
395 testsuccess grep "$1" rootdir/tmp/testwarning.output
396 fi
397 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
398 }
399 runtest3 'Weak'
400
401 msgmsg "Running test with apt-untrusted digest"
402 echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
403 runfailure() {
404 for DELETEFILE in 'InRelease' 'Release.gpg'; do
405 export APT_DONT_SIGN="$DELETEFILE"
406 msgmsg 'Cold archive signed by' 'Joe Sixpack'
407 prepare "${PKGFILE}"
408 rm -rf rootdir/var/lib/apt/lists
409 signreleasefiles 'Joe Sixpack'
410 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
411 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
412 testnopackage 'apt'
413 testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
414 failaptold
415 rm -rf rootdir/var/lib/apt/lists
416 sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
417 testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
418 failaptold
419 sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
420
421 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
422 prepare "${PKGFILE}"
423 rm -rf rootdir/var/lib/apt/lists
424 signreleasefiles 'Marvin Paranoid'
425 testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
426 testnopackage 'apt'
427 updatewithwarnings '^W: .* NO_PUBKEY'
428 testsuccessequal "$(cat "${PKGFILE}")
429 " aptcache show apt
430 failaptold
431 export APT_DONT_SIGN='Release.gpg'
432 done
433 }
434 runfailure
435
436 msgmsg "Running test with gpgv-untrusted digest"
437 export APT_TESTS_DIGEST_ALGO='MD5'
438 runfailure
APT (for Cydia)