# destroys coverage reporting though, so we disable changing user for the calling gpgv
echo "Dir::Bin::apt-key \"${BUILDDIRECTORY}/apt-key\";" >> aptconfig.conf
if [ "$(id -u)" = '0' ]; then
- echo 'Binary::gpgv::Debug::NoDropPrivs "true";' >>aptconfig.conf
+ echo 'Binary::gpgv::APT::Sandbox::User "root";' >> aptconfig.conf
+ # same for the solver executables
+ echo 'APT::Solver::RunAsUser "root";' >> aptconfig.conf
fi
cat > "${TMPWORKINGDIRECTORY}/rootdir/usr/bin/dpkg" <<EOF
echo 'Acquire::gpgv::Options { "--weak-digest"; "sha1"; };' > rootdir/etc/apt/apt.conf.d/no-sha1
fi
+ # most tests just need one signed Release file, not both
+ export APT_DONT_SIGN='Release.gpg'
+
msgdone "info"
}
testempty --nomsg gcc -Wall -Wextra -fPIC -shared -o noopchroot.so noopchroot.c -ldl
}
configcompression() {
+ if [ "$1" = 'ALL' ]; then
+ configcompression '.' $(aptconfig dump APT::Compressor --format '%t %v%n' | sed -n 's#^Extension \.\(.*\)$#\1#p')
+ return
+ fi
local CMD='apthelper cat-file -C'
while [ -n "$1" ]; do
case "$1" in
}
compressfile() {
- cat "${TMPWORKINGDIRECTORY}/rootdir/etc/testcase-compressor.conf" | while read compressor extension command; do
+ while read compressor extension command; do
if [ "$compressor" = '.' ]; then
if [ -n "$2" ]; then
touch -d "$2" "$1"
if [ -n "$2" ]; then
touch -d "$2" "${1}.${extension}"
fi
- done
+ done < "${TMPWORKINGDIRECTORY}/rootdir/etc/testcase-compressor.conf"
}
# can be overridden by testcases for their pleasure
}
signreleasefiles() {
- local SIGNER="${1:-Joe Sixpack}"
+ local SIGNERS="${1:-Joe Sixpack}"
local REPODIR="${2:-aptarchive}"
- local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')"
- local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
- msgninfo "\tSign archive with $SIGNER key $KEY… "
+ if [ -n "$1" ]; then shift; fi
+ if [ -n "$1" ]; then shift; fi
+ local KEY="keys/$(echo "$SIGNERS" | tr 'A-Z' 'a-z' | tr -d ' ,')"
+ msgninfo "\tSign archive with $SIGNERS key $KEY… "
local REXKEY='keys/rexexpired'
local SECEXPIREBAK="${REXKEY}.sec.bak"
local PUBEXPIREBAK="${REXKEY}.pub.bak"
- if [ "${SIGNER}" = 'Rex Expired' ]; then
- # the key is expired, so gpg doesn't allow to sign with and the --faked-system-time
- # option doesn't exist anymore (and using faketime would add a new obscure dependency)
- # therefore we 'temporary' make the key not expired and restore a backup after signing
- cp "${REXKEY}.sec" "$SECEXPIREBAK"
- cp "${REXKEY}.pub" "$PUBEXPIREBAK"
- local SECUNEXPIRED="${REXKEY}.sec.unexpired"
- local PUBUNEXPIRED="${REXKEY}.pub.unexpired"
- if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then
- cp "$SECUNEXPIRED" "${REXKEY}.sec"
- cp "$PUBUNEXPIRED" "${REXKEY}.pub"
- else
- if ! printf "expire\n1w\nsave\n" | $GPG --default-key "$SIGNER" --command-fd 0 --edit-key "${SIGNER}" >setexpire.gpg 2>&1; then
- cat setexpire.gpg
- exit 1
+ local SIGUSERS=""
+ while [ -n "${SIGNERS%%,*}" ]; do
+ local SIGNER="${SIGNERS%%,*}"
+ if [ "${SIGNERS}" = "${SIGNER}" ]; then
+ SIGNERS=""
+ fi
+ SIGNERS="${SIGNERS#*,}"
+ # FIXME: This should be the full name, but we can't encode the space properly currently
+ SIGUSERS="${SIGUSERS} -u ${SIGNER#* }"
+ if [ "${SIGNER}" = 'Rex Expired' ]; then
+ # the key is expired, so gpg doesn't allow to sign with and the --faked-system-time
+ # option doesn't exist anymore (and using faketime would add a new obscure dependency)
+ # therefore we 'temporary' make the key not expired and restore a backup after signing
+ cp "${REXKEY}.sec" "$SECEXPIREBAK"
+ cp "${REXKEY}.pub" "$PUBEXPIREBAK"
+ local SECUNEXPIRED="${REXKEY}.sec.unexpired"
+ local PUBUNEXPIRED="${REXKEY}.pub.unexpired"
+ if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then
+ cp "$SECUNEXPIRED" "${REXKEY}.sec"
+ cp "$PUBUNEXPIRED" "${REXKEY}.pub"
+ else
+ if ! printf "expire\n1w\nsave\n" | aptkey --quiet --keyring "${REXKEY}.pub" --secret-keyring "${REXKEY}.sec" \
+ --readonly adv --batch --yes --digest-algo "${APT_TESTS_DIGEST_ALGO:-SHA512}" \
+ --default-key "$SIGNER" --command-fd 0 --edit-key "${SIGNER}" >setexpire.gpg 2>&1; then
+ cat setexpire.gpg
+ exit 1
+ fi
+ cp "${REXKEY}.sec" "$SECUNEXPIRED"
+ cp "${REXKEY}.pub" "$PUBUNEXPIRED"
fi
- cp "${REXKEY}.sec" "$SECUNEXPIRED"
- cp "${REXKEY}.pub" "$PUBUNEXPIRED"
fi
+ if [ ! -e "${KEY}.pub" ]; then
+ local K="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | tr -d ' ,')"
+ cat "${K}.pub" >> "${KEY}.new.pub"
+ cat "${K}.sec" >> "${KEY}.new.sec"
+ fi
+ done
+ if [ ! -e "${KEY}.pub" ]; then
+ mv "${KEY}.new.pub" "${KEY}.pub"
+ mv "${KEY}.new.sec" "${KEY}.sec"
fi
+ local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
for RELEASE in $(find "${REPODIR}/" -name Release); do
- testsuccess $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
- local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
- testsuccess $GPG --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
# we might have set a specific date for the Release file, so copy it
- touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}"
+ local DATE="$(stat --format "%y" "${RELEASE}")"
+ if [ "$APT_DONT_SIGN" = 'Release.gpg' ]; then
+ rm -f "${RELEASE}.gpg"
+ else
+ testsuccess $GPG "$@" $SIGUSERS --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
+ touch -d "$DATE" "${RELEASE}.gpg"
+ fi
+ local INRELEASE="${RELEASE%/*}/InRelease"
+ if [ "$APT_DONT_SIGN" = 'InRelease' ]; then
+ rm -f "$INRELEASE"
+ else
+ testsuccess $GPG "$@" $SIGUSERS --clearsign --output "$INRELEASE" "$RELEASE"
+ touch -d "$DATE" "${INRELEASE}"
+ fi
done
if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then
mv -f "$SECEXPIREBAK" "${REXKEY}.sec"
local EXITCODE=$?
if expr match "$1" '^apt.*' >/dev/null; then
if [ "$1" = 'aptkey' ]; then
- if grep -q -E " Can't check signature: " "$OUTPUT" || \
- grep -q -E " BAD signature from " "$OUTPUT"; then
+ if grep -q " Can't check signature:
+ BAD signature from
+ signature could not be verified" "$OUTPUT"; then
msgpass
else
msgfailoutput "run failed with exitcode ${EXITCODE}, but no signature error" "$OUTPUT" "$@"
projects / apt.git / blobdiff