X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/761a5ad2ec07f097b05c32427bd0ebddfd587987..71e22da91ff888cf645e5083fbac7839846111d2:/test/integration/test-apt-update-nofallback?ds=inline diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index 4db67ee5d..60f329a4a 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -58,7 +58,7 @@ setupaptarchive_with_lists_clean() test_from_inrelease_to_unsigned() { - # setup archive with InRelease file + export APT_DONT_SIGN='Release.gpg' setupaptarchive_with_lists_clean testsuccess aptget update listcurrentlistsdirectory > lists.before @@ -70,9 +70,8 @@ test_from_inrelease_to_unsigned() test_from_release_gpg_to_unsigned() { - # setup archive with Release/Release.gpg (but no InRelease) + export APT_DONT_SIGN='InRelease' setupaptarchive_with_lists_clean - rm "$APTARCHIVE/dists/unstable/InRelease" testsuccess aptget update listcurrentlistsdirectory > lists.before @@ -83,6 +82,7 @@ test_from_release_gpg_to_unsigned() test_from_inrelease_to_unsigned_with_override() { + export APT_DONT_SIGN='Release.gpg' # setup archive with InRelease file setupaptarchive_with_lists_clean testsuccess aptget update @@ -93,6 +93,36 @@ test_from_inrelease_to_unsigned_with_override() find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \; # and ensure we can update to it (with enough force) + testfailure apt update + testfailure aptget update + testfailure aptget update --allow-insecure-repositories + testfailure aptget update --no-allow-insecure-repositories + sed -i 's#^deb\(-src\)\? #deb\1 [allow-downgrade-to-insecure=yes] #' rootdir/etc/apt/sources.list.d/* + testfailure aptget update --no-allow-insecure-repositories + testfailure apt update + testwarning apt update --allow-insecure-repositories \ + -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 + sed -i 's#^deb\(-src\)\? \[allow-downgrade-to-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/* + # but that the individual packages are still considered untrusted + testfailureequal "WARNING: The following packages cannot be authenticated! + evil +E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil +} + +test_from_inrelease_to_norelease_with_override() +{ + # setup archive with InRelease file + setupaptarchive_with_lists_clean + testsuccess aptget update + + # simulate moving to a unsigned but otherwise valid repo + simulate_mitm_and_inject_evil_package + find "$APTARCHIVE" -name '*Release*' -delete + find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \; + + # and ensure we can update to it (with enough force) + testfailure aptget update + testfailure aptget update --allow-insecure-repositories testwarning aptget update --allow-insecure-repositories \ -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 # but that the individual packages are still considered untrusted @@ -119,13 +149,13 @@ test_cve_2012_0214() # # Still worth having a regression test the simulates the condition - # setup archive with InRelease + export APT_DONT_SIGN='Release.gpg' setupaptarchive_with_lists_clean testsuccess aptget update listcurrentlistsdirectory > lists.before # do what CVE-2012-0214 did - rm "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg" + rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg" inject_evil_package # build valid Release file aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release @@ -139,7 +169,7 @@ test_cve_2012_0214() test_subvert_inrelease() { - # setup archive with InRelease + export APT_DONT_SIGN='Release.gpg' setupaptarchive_with_lists_clean testsuccess aptget update listcurrentlistsdirectory > lists.before @@ -157,7 +187,7 @@ E: Some index files failed to download. They have been ignored, or old ones used test_inrelease_to_invalid_inrelease() { - # setup archive with InRelease + export APT_DONT_SIGN='Release.gpg' setupaptarchive_with_lists_clean testsuccess aptget update listcurrentlistsdirectory > lists.before @@ -178,9 +208,8 @@ W: Some index files failed to download. They have been ignored, or old ones used test_release_gpg_to_invalid_release_release_gpg() { - # setup archive with InRelease + export APT_DONT_SIGN='InRelease' setupaptarchive_with_lists_clean - rm "$APTARCHIVE/dists/unstable/InRelease" testsuccess aptget update listcurrentlistsdirectory > lists.before @@ -238,3 +267,5 @@ test_release_gpg_to_invalid_release_release_gpg # ensure we can override the downgrade error msgmsg "test_from_inrelease_to_unsigned_with_override" test_from_inrelease_to_unsigned_with_override +msgmsg "test_from_inrelease_to_norelease_with_override" +test_from_inrelease_to_norelease_with_override