gpgv: handle expired sig as worthless
authorDavid Kalnischkies <david@kalnischkies.de>
Thu, 28 Apr 2016 20:02:50 +0000 (22:02 +0200)
committerDavid Kalnischkies <david@kalnischkies.de>
Sun, 1 May 2016 08:50:24 +0000 (10:50 +0200)
Signatures on data can have an expiration date, too, which we hadn't
explicitly handled before (no problem – gpg still has a non-zero
exit code so apt notices the invalid signature), so the error message
wasn't as helpful as it could be (i.e. it didn't mention the key that signed it).

methods/gpgv.cc
test/integration/framework
test/integration/test-releasefile-verification

index 2ab8b9c9750a5314cdcff1bec2ecc43b2dbb3612..53c3ff80e2c59287be8c082e9794bac51e6cfd36 100644 (file)
@@ -37,6 +37,7 @@ using std::vector;
 #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG"
 #define GNUPGGOODSIG "[GNUPG:] GOODSIG"
 #define GNUPGEXPKEYSIG "[GNUPG:] EXPKEYSIG"
+#define GNUPGEXPSIG "[GNUPG:] EXPSIG"
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
 
@@ -188,6 +189,12 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
             std::clog << "Got EXPKEYSIG! " << std::endl;
          WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
       }
+      else if (strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0)
+      {
+         if (Debug == true)
+            std::clog << "Got EXPSIG!" << std::endl;
+         WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
+      }
       else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0)
       {
          if (Debug == true)
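Review bot: The new EXPSIG branch is a copy of the EXPKEYSIG branch above it with no comment saying how the two differ, which matters because GnuPG emits EXPSIG when the signature's own expiration date has passed while the signing key may still be perfectly valid; a one-liner above the new `else if` such as `// EXPSIG: the signature itself has expired (EXPKEYSIG is the key); still worthless to us` would save the next reader a trip to gpg's DETAILS file. The debug output is also inconsistent with its siblings, `"Got EXPSIG!"` against `"Got EXPKEYSIG! "` — pick one spacing. Since gpg still prints a VALIDSIG line for an expired signature, this branch relies on the rest of VerifyGetSigners (which starts and ends outside the hunk) letting a WorthlessSigners entry take precedence over a matching ValidSigners entry, as it presumably already must for EXPKEYSIG; worth confirming rather than assuming.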
index a68209326ab5f623f32f513ccafafe599f3f81f5..a5cc842bab0ef9ef37984ef9fb838a47f549c7d9 100644 (file)
@@ -1084,6 +1084,8 @@ setupaptarchive() {
 signreleasefiles() {
        local SIGNER="${1:-Joe Sixpack}"
        local REPODIR="${2:-aptarchive}"
+       if [ -n "$1" ]; then shift; fi
+       if [ -n "$1" ]; then shift; fi
        local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')"
        local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
        msgninfo "\tSign archive with $SIGNER key $KEY… "
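Review bot: The two added `if [ -n "$1" ]; then shift; fi` guards shift on the argument being non-empty rather than on it being present, so a caller that passes an empty SIGNER to get the default, e.g. `signreleasefiles '' aptarchive --faked-system-time …`, leaves both positional arguments in place and the new `"$@"` forwards `''` and `aptarchive` to gpg. SIGNER and REPODIR are already captured with their defaults on the lines above, so shifting on the count is safe: `if [ $# -ge 1 ]; then shift; fi` for each of the two lines. signreleasefiles continues past the end of this hunk.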
@@ -1111,9 +1113,9 @@ signreleasefiles() {
                fi
        fi
        for RELEASE in $(find "${REPODIR}/" -name Release); do
-               testsuccess $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
+               testsuccess $GPG "$@" --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
                local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
-               testsuccess $GPG --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
+               testsuccess $GPG "$@" --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
                # we might have set a specific date for the Release file, so copy it
                touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}"
        done
index 10b830449b119ec334df4e67fd849f875ef900fc..a061832b632dc2e3f0ad902bf85b8bbd42380653 100755 (executable)
@@ -129,6 +129,29 @@ runtest() {
        failaptold
        rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 
+       msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
+       if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+               touch rootdir/etc/apt/apt.conf.d/99gnupg2
+       elif gpg2 --version >/dev/null 2>&1; then
+               echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
+               if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+                       rm rootdir/etc/apt/apt.conf.d/99gnupg2
+               fi
+       fi
+       if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
+               prepare "${PKGFILE}"
+               rm -rf rootdir/var/lib/apt/lists
+               signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
+               find aptarchive/ -name "$DELETEFILE" -delete
+               updatewithwarnings '^W: .* EXPSIG'
+               testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+               failaptold
+               rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
+       else
+               msgskip 'Not a new enough gpg available providing --fake-system-time'
+       fi
+
        msgmsg 'Cold archive signed by' 'Marvin Paranoid'
        prepare "${PKGFILE}"
        rm -rf rootdir/var/lib/apt/lists
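Review bot: The skip message on the `else` branch names an option that does not exist — the call above passes `--faked-system-time`, so it should read `msgskip 'Not a new enough gpg available providing --faked-system-time'` or a reader will grep for the wrong flag. The assertion `updatewithwarnings '^W: .* EXPSIG'` only checks that the status word surfaced, not the commit's stated goal of naming the signing key; if the warning carries the signer text the way the EXPKEYSIG case does, a pattern along the lines of `'^W: .* EXPSIG .* Joe Sixpack'` would pin that (the exact warning format is not visible here, so confirm it against the output first). The gpg version probe on the outer `if` and the inner `if !` is the same five-stage pipeline written twice; a small helper in the test framework would keep it in one place. runtest continues outside the hunk.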