test Release file handling with expired keys

Signing files with expired keys is not as easy as it sounds, so the
framework jumps a few loops to do it, but it might come in handy to have
an expired key around for later tests even if it is not that different
from having no key in regards to APT behaviour.

Git-Dch: Ignore

diff --git a/test/integration/framework b/test/integration/framework
index 7dd7c20a7a6fe8cab7589f580f64adbdbcb714b0..f64b8482c10d1a92adf2b09379ef482e7a829209 100644 (file)
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -711,22 +711,45 @@ setupaptarchive() {
 
 signreleasefiles() {
        local SIGNER="${1:-Joe Sixpack}"
 
 signreleasefiles() {
        local SIGNER="${1:-Joe Sixpack}"

+       local GPG="gpg --batch --yes --no-default-keyring --trustdb-name rootdir/etc/apt/trustdb.gpg"

        msgninfo "\tSign archive with $SIGNER key… "
        msgninfo "\tSign archive with $SIGNER key… "

-       local SECKEYS=""
+       local REXKEY='keys/rexexpired'
+       local SECEXPIREBAK="${REXKEY}.sec.bak"
+       local PUBEXPIREBAK="${REXKEY}.pub.bak"
+       if [ "${SIGNER}" = 'Rex Expired' ]; then
+               # the key is expired, so gpg doesn't allow to sign with and the --faked-system-time
+               # option doesn't exist anymore (and using faketime would add a new obscure dependency)
+               # therefore we 'temporary' make the key not expired and restore a backup after signing
+               cp ${REXKEY}.sec $SECEXPIREBAK
+               cp ${REXKEY}.pub $PUBEXPIREBAK
+               local SECUNEXPIRED="${REXKEY}.sec.unexpired"
+               local PUBUNEXPIRED="${REXKEY}.pub.unexpired"
+               if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then
+                       cp $SECUNEXPIRED ${REXKEY}.sec
+                       cp $PUBUNEXPIRED ${REXKEY}.pub
+               else
+                       printf "expire\n1w\nsave\n" | $GPG --keyring ${REXKEY}.pub --secret-keyring ${REXKEY}.sec --command-fd 0 --edit-key "${SIGNER}" >/dev/null 2>&1 || true
+                       cp ${REXKEY}.sec $SECUNEXPIRED
+                       cp ${REXKEY}.pub $PUBUNEXPIRED
+               fi
+       fi

        for KEY in $(find keys/ -name '*.sec'); do
        for KEY in $(find keys/ -name '*.sec'); do

-               SECKEYS="$SECKEYS --secret-keyring $KEY"
+               GPG="$GPG --secret-keyring $KEY"

        done
        done

-       local PUBKEYS=""

        for KEY in $(find keys/ -name '*.pub'); do
        for KEY in $(find keys/ -name '*.pub'); do

-               PUBKEYS="$PUBKEYS --keyring $KEY"
+               GPG="$GPG --keyring $KEY"

        done
        for RELEASE in $(find aptarchive/ -name Release); do
        done
        for RELEASE in $(find aptarchive/ -name Release); do

-               gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" -abs -o ${RELEASE}.gpg ${RELEASE}
+               $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output ${RELEASE}.gpg ${RELEASE}

                local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
                local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"

-               gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" --clearsign -o $INRELEASE $RELEASE
+               $GPG --default-key "$SIGNER" --clearsign --output $INRELEASE $RELEASE

                # we might have set a specific date for the Release file, so copy it
                touch -d "$(stat --format "%y" ${RELEASE})" ${RELEASE}.gpg ${INRELEASE}
        done
                # we might have set a specific date for the Release file, so copy it
                touch -d "$(stat --format "%y" ${RELEASE})" ${RELEASE}.gpg ${INRELEASE}
        done

+       if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then
+               mv -f $SECEXPIREBAK ${REXKEY}.sec
+               mv -f $PUBEXPIREBAK ${REXKEY}.pub
+       fi

        msgdone "info"
 }
 
        msgdone "info"
 }
 

diff --git a/test/integration/rexexpired.pub b/test/integration/rexexpired.pub
new file mode 100644 (file)
index 0000000..5ab2e48
Binary files /dev/null and b/test/integration/rexexpired.pub differ

diff --git a/test/integration/rexexpired.sec b/test/integration/rexexpired.sec
new file mode 100644 (file)
index 0000000..dc00168
Binary files /dev/null and b/test/integration/rexexpired.sec differ

diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index e56f458d3be4309b67666acd6b8f4178fee490e5..daba3919bfe5e2d5cd53826db537dee2d485b67a 100755 (executable)
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -107,13 +107,24 @@ runtest() {
 " aptcache show apt
        installaptnew
 
 " aptcache show apt
        installaptnew
 

+       prepare ${PKGFILE}
+       rm -rf rootdir/var/lib/apt/lists
+       cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+       signreleasefiles 'Rex Expired'
+       find aptarchive/ -name "$DELETEFILE" -delete
+       msgtest 'Cold archive signed by' 'Rex Expired'
+       aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
+       testequal "$(cat ${PKGFILE})
+" aptcache show apt
+       failaptold
+       rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

 
        prepare ${PKGFILE}
        rm -rf rootdir/var/lib/apt/lists
        signreleasefiles 'Marvin Paranoid'
        find aptarchive/ -name "$DELETEFILE" -delete
        msgtest 'Cold archive signed by' 'Marvin Paranoid'
 
        prepare ${PKGFILE}
        rm -rf rootdir/var/lib/apt/lists
        signreleasefiles 'Marvin Paranoid'
        find aptarchive/ -name "$DELETEFILE" -delete
        msgtest 'Cold archive signed by' 'Marvin Paranoid'

-       aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+       aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail

        testequal "$(cat ${PKGFILE})
 " aptcache show apt
        failaptold
        testequal "$(cat ${PKGFILE})
 " aptcache show apt
        failaptold


@@ -147,10 +158,30 @@ runtest() {
        signreleasefiles 'Marvin Paranoid'
        find aptarchive/ -name "$DELETEFILE" -delete
        msgtest 'Good warm archive signed by' 'Marvin Paranoid'
        signreleasefiles 'Marvin Paranoid'
        find aptarchive/ -name "$DELETEFILE" -delete
        msgtest 'Good warm archive signed by' 'Marvin Paranoid'

-       aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+       aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
+       testequal "$(cat ${PKGFILE})
+" aptcache show apt
+       installaptold
+
+       prepare ${PKGFILE}-new
+       cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+       signreleasefiles 'Rex Expired'
+       find aptarchive/ -name "$DELETEFILE" -delete
+       msgtest 'Good warm archive signed by' 'Rex Expired'
+       aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail

        testequal "$(cat ${PKGFILE})
 " aptcache show apt
        installaptold
        testequal "$(cat ${PKGFILE})
 " aptcache show apt
        installaptold

+       rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+
+       prepare ${PKGFILE}-new
+       signreleasefiles
+       find aptarchive/ -name "$DELETEFILE" -delete
+       msgtest 'Good warm archive signed by' 'Joe Sixpack'
+       aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgfail || msgpass
+       testequal "$(cat ${PKGFILE}-new)
+" aptcache show apt
+       installaptnew

 }
 
 runtest2() {
 }
 
 runtest2() {