Consider md5sum no longer a usable hash
authorMichael Vogt <mvo@ubuntu.com>
Tue, 1 Sep 2015 09:13:48 +0000 (11:13 +0200)
committerMichael Vogt <mvo@ubuntu.com>
Tue, 1 Sep 2015 09:29:49 +0000 (11:29 +0200)
The md5sum hash has been broken for some time and we should no longer
consider it a usable hash. Also update the tests to reflect this.

apt-pkg/contrib/hashes.cc
apt-pkg/contrib/hashes.h
test/integration/Packages-releasefile-verification
test/integration/Packages-releasefile-verification-new
test/integration/framework
test/integration/test-apt-get-source
test/integration/test-apt-get-source-arch
test/integration/test-apt-get-source-multisources
test/integration/test-apt-helper
test/integration/test-bug-722207-print-uris-even-if-very-quiet
test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum

index 4481321c4e0aad9ff83ae1ec59d0ec6bb07d0b0e..41a0037cd5ac9974cd6fee41770d54e0ef3a3346 100644 (file)
@@ -129,6 +129,13 @@ APT_PURE bool HashString::empty() const                                    /*{{{*/
    return (Type.empty() || Hash.empty());
 }
                                                                        /*}}}*/
+APT_PURE bool HashString::usable() const                               /*{{{*/
+{
+   return (
+      (Type != "Checksum-FileSize") &&
+      (Type != "MD5Sum")
+   );
+}
 std::string HashString::toStr() const                                  /*{{{*/
 {
    return Type + ":" + Hash;
@@ -151,10 +158,10 @@ bool HashStringList::usable() const                                       /*{{{*/
    std::string const forcedType = _config->Find("Acquire::ForceHash", "");
    if (forcedType.empty() == true)
    {
-      // FileSize alone isn't usable
-      for (std::vector<HashString>::const_iterator hs = list.begin(); hs != list.end(); ++hs)
-        if (hs->HashType() != "Checksum-FileSize")
-           return true;
+      // See if there is at least one usable hash
+      for (auto const &hs: list)
+         if (hs.usable())
+            return true;
       return false;
    }
    return find(forcedType) != NULL;
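Review bot: `HashString::usable()` opens with a `/*{{{*/` fold marker on its signature line but, unlike `empty()` directly above it, has no matching `/*}}}*/` after its closing brace, so the fold structure of hashes.cc is now unbalanced; close it the way the neighbours do, e.g. `}                                                                       /*}}}*/`. The function would also benefit from a sentence on why exactly these two types are excluded, e.g. `// Checksum-FileSize is not a digest at all and MD5Sum is no longer collision resistant, so neither may stand alone as proof of integrity`. In `HashStringList::usable()` the `Acquire::ForceHash` branch still returns true for whatever type is forced, MD5Sum included (the kept `ForceHash=MD5Sum` test in test-ubuntu-bug-1098738 relies on this), so the new per-hash `usable()` only governs the unforced path; a comment on the `find(forcedType)` line saying that forcing deliberately bypasses the weak-hash policy would stop a reader from assuming it is enforced everywhere.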
index 0e6ff9ef1b7508a6742d31cf516b8a5be4e809ca..74024befd1615bf2fededacf9ea02b6bccae1c40 100644 (file)
@@ -68,6 +68,7 @@ class HashString
    // helper
    std::string toStr() const;                    // convert to str as "type:hash"
    bool empty() const;
+   bool usable() const;
    bool operator==(HashString const &other) const;
    bool operator!=(HashString const &other) const;
 
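Review bot: The new `usable()` declaration is the only one in this helper group without a trailing comment, while `toStr()` two lines above documents its output format, so a reader of the header cannot tell what "usable" means without opening hashes.cc. Suggest `bool usable() const;                   // false for hash types too weak to trust on their own (MD5Sum, Checksum-FileSize)`. The class declaration continues outside the hunk.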
index eb732727912522cc536dca5892f24194bbbc45fe..1e5c47096e6b8835142d419136e850b1e68a0983 100644 (file)
@@ -9,6 +9,7 @@ Suggests: aptitude | synaptic | wajig, dpkg-dev, apt-doc, bzip2, lzma, python-ap
 Filename: apt.deb
 Size: 0
 MD5sum: d41d8cd98f00b204e9800998ecf8427e
+SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Description: Advanced front-end for dpkg
  This is Debian's next generation front-end for the dpkg package manager.
  It provides the apt-get utility and APT dselect method that provides a
index 61509d157b942f295a14e2f2ec422f5865c8bfaf..7f03829d68d4d45277b1f282b0e5581af5940303 100644 (file)
@@ -12,6 +12,7 @@ Conflicts: python-apt (<< 0.7.93.2~)
 Filename: apt.deb
 Size: 0
 MD5sum: d41d8cd98f00b204e9800998ecf8427e
+SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Description: Advanced front-end for dpkg
  This is Debian's next generation front-end for the dpkg package manager.
  It provides the apt-get utility and APT dselect method that provides a
index 182bec2e4d2ea397f4e234798114c06026cc1d0f..ec5d7c491d8a1084a4200d24e94c3ce49cc3237a 100644 (file)
@@ -852,6 +852,9 @@ Architecture: $ARCH" >> $FILE
        echo "Files:
  $(echo -n "$DSCFILE" | md5sum | cut -d' ' -f 1) $(echo -n "$DSCFILE" | wc -c) $DSCFILE
  $(echo -n "$TARFILE" | md5sum | cut -d' ' -f 1) $(echo -n "$TARFILE" | wc -c) $TARFILE
+Checksums-Sha256:
+ $(echo -n "$DSCFILE" | sha256sum | cut -d' ' -f 1) $(echo -n "$DSCFILE" | wc -c) $DSCFILE
+ $(echo -n "$TARFILE" | sha256sum | cut -d' ' -f 1) $(echo -n "$TARFILE" | wc -c) $TARFILE
 " >> $FILE
 }
 
index 03320754b305736c91de3f5e1a7f8590785de992..6791bdd983ab55880c556c50e341dd0fd911ca42 100755 (executable)
@@ -35,11 +35,11 @@ APTARCHIVE=$(readlink -f ./aptarchive)
 HEADER="Reading package lists...
 Building dependency tree..."
 DOWNLOAD1="Need to get 0 B/25 B of source archives.
-'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 MD5Sum:b998e085e36cf162e6a33c2801318fef
-'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 MD5Sum:d46b9a02af8487cbeb49165540c88184"
+'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 SHA256:ed7c25c832596339bee13e4e7c45cf49f869b60d2bf57252f18191d75866c2a7
+'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 SHA256:f3da8c6ebc62c8ef2dae439a498dddcdacc1a07f45ff67ad12f44b6e2353c239"
 DOWNLOAD2="Need to get 0 B/25 B of source archives.
-'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 MD5Sum:c0de572c6f8aa576c8ff78c81132ed55
-'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 MD5Sum:e10bb487c375b2b938d27bd31c2d1f5f"
+'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 SHA256:0fcb803ffbeef26db884625aaf06e75f3eda5c994634980e7c20fd37ed1fc104
+'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 SHA256:ca9b0b828ca22372502af2b80f61f0bd9063910ece9fc34eeaf9d9e31aa8195a"
 testsuccessequal "$HEADER
 $DOWNLOAD2" aptget source -q --print-uris foo
 
@@ -72,8 +72,8 @@ $DOWNLOAD1" aptget source -q --print-uris foo=1.0
 # select by release with no binary package (Bug#731102) but ensure to get
 # highest version
 DOWNLOAD01="Need to get 0 B/25 B of source archives.
-'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 MD5Sum:0811a4d85238056c613ea897f49f01af
-'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 MD5Sum:fa1ecb7a1a53e8e6f6551ca7db888a61"
+'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 SHA256:72af24b0290fe1d13a3e25fddd2633e43c87ff79d249bc850009e47bcce73565
+'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 SHA256:ec748ad88a71f98bfdc012e1a7632377d05fe3ebbf9c0922e0691fe4d79c0585"
 testsuccessequal "$HEADER
 Selected version '0.1' (wheezy) for foo
 $DOWNLOAD01" aptget source -q --print-uris foo/wheezy
@@ -85,8 +85,8 @@ E: Unable to find a source package for foo" aptget source -q --print-uris foo=9.
 
 # version and release
 DOWNLOAD001="Need to get 0 B/29 B of source archives.
-'file://${APTARCHIVE}/foo_0.0.1.dsc' foo_0.0.1.dsc 13 MD5Sum:6c819ebf0a21b1a480e1dbf6b8edfebd
-'file://${APTARCHIVE}/foo_0.0.1.tar.gz' foo_0.0.1.tar.gz 16 MD5Sum:a3c7e1ac2159fc0faf522e110d6906fd"
+'file://${APTARCHIVE}/foo_0.0.1.dsc' foo_0.0.1.dsc 13 SHA256:649dfe03bbb70cebdfe7c6bf9036f9f2472510b8f52e823bdf5ade362ebaa76f
+'file://${APTARCHIVE}/foo_0.0.1.tar.gz' foo_0.0.1.tar.gz 16 SHA256:ab7ba789d178362ecc808e49705e2338988a7f5b9410ec11a6c9555c017de907"
 testsuccessequal "$HEADER
 $DOWNLOAD001" aptget source -q --print-uris -t unstable foo=0.0.1
 
index f54bb6012ef32736007513210a93336a15f3b7d2..348f35f0bb7dcb04ef52788743129609e6bd68d9 100755 (executable)
@@ -29,8 +29,8 @@ APTARCHIVE=$(readlink -f ./aptarchive)
 HEADER="Reading package lists...
 Building dependency tree..."
 DOWNLOAD10="Need to get 0 B/25 B of source archives.
-'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 MD5Sum:b998e085e36cf162e6a33c2801318fef
-'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 MD5Sum:d46b9a02af8487cbeb49165540c88184"
+'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 SHA256:ed7c25c832596339bee13e4e7c45cf49f869b60d2bf57252f18191d75866c2a7
+'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 SHA256:f3da8c6ebc62c8ef2dae439a498dddcdacc1a07f45ff67ad12f44b6e2353c239"
 
 # pick :amd64
 testsuccessequal "$HEADER
@@ -39,15 +39,15 @@ $DOWNLOAD10" aptget source -q --print-uris foo:amd64
 # pick :i386
 testsuccessequal "$HEADER
 Need to get 0 B/25 B of source archives.
-'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 MD5Sum:c0de572c6f8aa576c8ff78c81132ed55
-'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 MD5Sum:e10bb487c375b2b938d27bd31c2d1f5f" aptget source -q --print-uris foo:i386
+'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 SHA256:0fcb803ffbeef26db884625aaf06e75f3eda5c994634980e7c20fd37ed1fc104
+'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 SHA256:ca9b0b828ca22372502af2b80f61f0bd9063910ece9fc34eeaf9d9e31aa8195a" aptget source -q --print-uris foo:i386
 
 # pick :i386 by release
 testsuccessequal "$HEADER
 Selected version '0.1' (oldstable) for foo
 Need to get 0 B/25 B of source archives.
-'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 MD5Sum:0811a4d85238056c613ea897f49f01af
-'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 MD5Sum:fa1ecb7a1a53e8e6f6551ca7db888a61" aptget source -q --print-uris foo:i386/oldstable
+'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 SHA256:72af24b0290fe1d13a3e25fddd2633e43c87ff79d249bc850009e47bcce73565
+'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 SHA256:ec748ad88a71f98bfdc012e1a7632377d05fe3ebbf9c0922e0691fe4d79c0585" aptget source -q --print-uris foo:i386/oldstable
 
 # pick :i386 by version
 testsuccessequal "$HEADER
index 887a3068507881de3f9bf284579f4100634645e0..ba370fea67630063b8c5e0f0a562e56497f9c526 100755 (executable)
@@ -21,10 +21,10 @@ HEADER="Reading package lists...
 Building dependency tree..."
 testsuccessequal "$HEADER
 Need to get 0 B/43 B of source archives.
-'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 MD5Sum:255405ab5af211238ef53b7a1dd8ca4b
-'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 MD5Sum:740a9dbf02a295932f15b1415d0dc0df" aptget source -qdy --print-uris --dsc-only adduser=3.113 python-fll=0.9.11
+'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 SHA256:19cc1abe85063976bf71c033f62f3e6bf6621647fe44a6ee31ed687e3fa5cbb7
+'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 SHA256:51429e835ded66abf6bbc157865af29920435e74aea2836ba1f46443feae9285" aptget source -qdy --print-uris --dsc-only adduser=3.113 python-fll=0.9.11
 
 testsuccessequal "$HEADER
 Need to get 0 B/43 B of source archives.
-'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 MD5Sum:740a9dbf02a295932f15b1415d0dc0df
-'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 MD5Sum:255405ab5af211238ef53b7a1dd8ca4b" aptget source -qdy --print-uris --dsc-only python-fll=0.9.11 adduser=3.113
+'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 SHA256:51429e835ded66abf6bbc157865af29920435e74aea2836ba1f46443feae9285
+'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 SHA256:19cc1abe85063976bf71c033f62f3e6bf6621647fe44a6ee31ed687e3fa5cbb7" aptget source -qdy --print-uris --dsc-only python-fll=0.9.11 adduser=3.113
index 00d859ad583a012491b43913c6bd348140f0dec2..a303e944e5485f6ebbf09f94bfa28ba845fc7cfe 100755 (executable)
@@ -13,10 +13,6 @@ test_apt_helper_download() {
     echo 'foo' > aptarchive/foo
     echo 'bar' > aptarchive/foo2
 
-    msgtest 'apt-file download-file md5sum'
-    testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo2 MD5Sum:d3b07384d113edec49eaa6238ad5ff00
-    testfileequal ./downloaded/foo2 'foo'
-
     msgtest 'apt-file download-file sha1'
     testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo1 SHA1:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
     testfileequal ./downloaded/foo1 'foo'
@@ -30,14 +26,14 @@ test_apt_helper_download() {
     testfileequal ./downloaded/foo4 'foo'
     
     msgtest 'apt-file download-file wrong hash'
-    testfailure --nomsg apthelper -qq download-file http://localhost:8080/foo ./downloaded/foo5 MD5Sum:aabbcc
+    testfailure --nomsg apthelper -qq download-file http://localhost:8080/foo ./downloaded/foo5 SHA256:aabbcc
     testfileequal rootdir/tmp/testfailure.output 'E: Failed to fetch http://localhost:8080/foo  Hash Sum mismatch
 
 E: Download Failed'
     testfileequal ./downloaded/foo5.FAILED 'foo'
 
-    msgtest 'apt-file download-file md5sum sha1'
-    testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo6 MD5Sum:d3b07384d113edec49eaa6238ad5ff00 http://localhost:8080/foo2 ./downloaded/foo7 SHA1:e242ed3bffccdf271b7fbaf34ed72d089537b42f
+    msgtest 'apt-file download-file sha256 sha1'
+    testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo6 SHA256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c http://localhost:8080/foo2 ./downloaded/foo7 SHA1:e242ed3bffccdf271b7fbaf34ed72d089537b42f
     testfileequal ./downloaded/foo6 'foo'
     testfileequal ./downloaded/foo7 'bar'
 }
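Review bot: Removing the 'apt-file download-file md5sum' case leaves this function with no test for what `download-file` now does when the only hash given is an MD5Sum, which is precisely the behaviour this commit introduces. Whether apt-helper rejects the request or downloads without verifying is not visible from this hunk; either way the expectation should be pinned, e.g. `msgtest 'apt-file download-file md5sum is not usable'` followed by `testfailure --nomsg apthelper -qq download-file http://localhost:8080/foo ./downloaded/foo8 MD5Sum:d3b07384d113edec49eaa6238ad5ff00` if rejection is intended. The 'wrong hash' case still uses a truncated digest (`SHA256:aabbcc`), so a well-formed but wrong SHA256 is not exercised here either. `test_apt_helper_download` begins outside the hunk.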
index 1fa94de7db005ba1dfa7126c83abe811b4190b04..07d76eaf0723f8ec034c3089978665da6f4b6772 100755 (executable)
@@ -21,11 +21,11 @@ testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.d
 testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget dist-upgrade -qq --print-uris
 testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget install apt -qq --print-uris
 testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget download apt -qq --print-uris
-testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 MD5Sum:16ff470aaedad0f06fb951ed89ffdd3a
-'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 MD5Sum:ab2b546f59ff9e8f5cc7a2d987ff3373" aptget source apt -qq --print-uris
+testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 SHA256:7776436a6d741497f1cd958014e1a05b352224231428152aae39da3c17fd2fd4
+'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 SHA256:f57f565eabe3fde0ec6e6e0bcc8db1d86fe2b4d6344a380a23520ddbb7728e99" aptget source apt -qq --print-uris
 testsuccessequal "'http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_2_changelog' apt.changelog" aptget changelog apt -qq --print-uris
 
-testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 MD5Sum:16ff470aaedad0f06fb951ed89ffdd3a
-'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 MD5Sum:ab2b546f59ff9e8f5cc7a2d987ff3373
-'file://${APTARCHIVE}/apt2_1.dsc' apt2_1.dsc 10 MD5Sum:4c572ce45f1e2bedbb30da7f5e1c241c
-'file://${APTARCHIVE}/apt2_1.tar.gz' apt2_1.tar.gz 13 MD5Sum:2a96fec139f8722d93312a1ff8281232" aptget source apt apt2 -qq --print-uris
+testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 SHA256:7776436a6d741497f1cd958014e1a05b352224231428152aae39da3c17fd2fd4
+'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 SHA256:f57f565eabe3fde0ec6e6e0bcc8db1d86fe2b4d6344a380a23520ddbb7728e99
+'file://${APTARCHIVE}/apt2_1.dsc' apt2_1.dsc 10 SHA256:5693ba5efbfa21216f13661d344611aabe70ce3c343554ab46d4d9c24fdfd13a
+'file://${APTARCHIVE}/apt2_1.tar.gz' apt2_1.tar.gz 13 SHA256:1464c609fd09934c270ec629020d5e248b080607f715e47ef088cc8ab8480541" aptget source apt apt2 -qq --print-uris
index 48a7f0562e74c79e4a3004826aae298749289722..26b1393b7656a6e1bc442f6b1f2550bf217a5fe8 100755 (executable)
@@ -1,4 +1,8 @@
 #!/bin/sh
+#
+# FIXME: this test is mostly meaningless now as we do not consider
+#        md5sum sufficient anyway. useful to test that it errors
+#        if not all hashes pass
 set -e
 
 TESTDIR=$(readlink -f $(dirname $0))
@@ -210,8 +214,8 @@ Download complete and in download only mode" aptget source --allow-unauthenticat
        testsuccess --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
 }
 
-testok pkg-md5-ok
-testkeep pkg-md5-ok
+#testok pkg-md5-ok
+#testkeep pkg-md5-ok
 testok pkg-sha256-ok
 testkeep pkg-sha256-ok
 
@@ -223,7 +227,7 @@ testmismatch pkg-sha256-bad
 testok pkg-sha256-bad -o Acquire::ForceHash=MD5Sum
 
 # not having MD5 sum doesn't mean the file doesn't exist at all …
-testok pkg-no-md5
+#testok pkg-no-md5
 testok pkg-no-md5 -o Acquire::ForceHash=SHA256
 testsuccessequal "Reading package lists...
 Building dependency tree...
@@ -263,7 +267,7 @@ msgtest 'Only dsc file is downloaded as the tar has hashsum mismatch' 'pkg-mixed
 testsuccess --nomsg test -e pkg-mixed-sha2-bad_1.0.dsc -a ! -e pkg-mixed-sha2-bad_1.0.tar.gz
 
 # it gets even more pathologic: multiple entries for one file, some even disagreeing!
-testok pkg-md5-agree
+#testok pkg-md5-agree
 testfailureequal 'Reading package lists...
 Building dependency tree...
 E: Error parsing checksum in Files of source package pkg-md5-disagree' aptget source -d pkg-md5-disagree
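Review bot: The md5-only cases (`testok pkg-md5-ok`, `testkeep pkg-md5-ok`, `testok pkg-no-md5`, `testok pkg-md5-agree`) are commented out rather than turned into the failure they should now produce, so this test no longer asserts the behaviour the commit introduces; converting them to the script's existing `testmismatch`/`testfailure` helpers would pin it. At the same time `testok pkg-sha256-bad -o Acquire::ForceHash=MD5Sum` is kept, which means forcing MD5Sum still passes a package whose SHA256 is wrong. If that is intended it deserves a sentence in the new FIXME header at the top of the file, and if not, that line is the case to change; the FIXME as written says the test is "mostly meaningless" without saying which outcome is expected.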