From 29a59c460403820d0f039398194e321b7e0921fc Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Fri, 9 Aug 2013 22:20:27 +0200 Subject: [PATCH] test Release file handling with expired keys Signing files with expired keys is not as easy as it sounds, so the framework jumps a few loops to do it, but it might come in handy to have an expired key around for later tests even if it is not that different from having no key in regards to APT behaviour. Git-Dch: Ignore
--- test/integration/framework | 35 +++++++++++++++--- test/integration/rexexpired.pub | Bin 0 -> 1200 bytes test/integration/rexexpired.sec | Bin 0 -> 2502 bytes .../integration/test-releasefile-verification | 35 +++++++++++++++++- 4 files changed, 62 insertions(+), 8 deletions(-) create mode 100644 test/integration/rexexpired.pub create mode 100644 test/integration/rexexpired.sec
diff --git a/test/integration/framework b/test/integration/framework
index 7dd7c20a7..f64b8482c 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -711,22 +711,45 @@ setupaptarchive() {
 signreleasefiles() {
 local SIGNER="${1:-Joe Sixpack}"
+ local GPG="gpg --batch --yes --no-default-keyring --trustdb-name rootdir/etc/apt/trustdb.gpg"
 msgninfo "\tSign archive with $SIGNER key… "
- local SECKEYS=""
+ local REXKEY='keys/rexexpired'
+ local SECEXPIREBAK="${REXKEY}.sec.bak"
+ local PUBEXPIREBAK="${REXKEY}.pub.bak"
+ if [ "${SIGNER}" = 'Rex Expired' ]; then
+ # the key is expired, so gpg doesn't allow to sign with and the --faked-system-time
+ # option doesn't exist anymore (and using faketime would add a new obscure dependency)
+ # therefore we 'temporary' make the key not expired and restore a backup after signing
+ cp ${REXKEY}.sec $SECEXPIREBAK
+ cp ${REXKEY}.pub $PUBEXPIREBAK
+ local SECUNEXPIRED="${REXKEY}.sec.unexpired"
+ local PUBUNEXPIRED="${REXKEY}.pub.unexpired"
+ if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then
+ cp $SECUNEXPIRED ${REXKEY}.sec
+ cp $PUBUNEXPIRED ${REXKEY}.pub
+ else
+ printf "expire\n1w\nsave\n" | $GPG --keyring ${REXKEY}.pub --secret-keyring ${REXKEY}.sec --command-fd 0 --edit-key "${SIGNER}" >/dev/null 2>&1 || true
+ cp ${REXKEY}.sec $SECUNEXPIRED
+ cp ${REXKEY}.pub $PUBUNEXPIRED
+ fi
+ fi
 for KEY in $(find keys/ -name '*.sec'); do
- SECKEYS="$SECKEYS --secret-keyring $KEY"
+ GPG="$GPG --secret-keyring $KEY"
 done
- local PUBKEYS=""
 for KEY in $(find keys/ -name '*.pub'); do
- PUBKEYS="$PUBKEYS --keyring $KEY"
+ GPG="$GPG --keyring $KEY"
 done
 for RELEASE in $(find aptarchive/ -name Release); do
- gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" -abs -o ${RELEASE}.gpg ${RELEASE}
+ $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output ${RELEASE}.gpg ${RELEASE}
 local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
- gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" --clearsign -o $INRELEASE $RELEASE
+ $GPG --default-key "$SIGNER" --clearsign --output $INRELEASE $RELEASE
 # we might have set a specific
date for the Release file, so copy it touch -d "$(stat --format "%y" ${RELEASE})" ${RELEASE}.gpg ${INRELEASE} done + if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then + mv -f $SECEXPIREBAK ${REXKEY}.sec + mv -f $PUBEXPIREBAK ${REXKEY}.pub + fi msgdone "info" } diff --git a/test/integration/rexexpired.pub b/test/integration/rexexpired.pub new file mode 100644 index 0000000000000000000000000000000000000000..5ab2e489a0ad07c729c0bafe044eefff919eed38 GIT binary patch literal 1200 zcmV;h1W)^!0SyFE-^S(v2mqi+OZ(UrnFp*nmVVZNWZ1(SLiz{5DRRwpMpUcG=wQ7^{&sfGwQc&e*++ikuN-PmQVw`v(5joU#ObB(J}3w&`AUtwqctB-%VQp}1WiD@WXFiDm zJ_Hj10strl0#V<_<^mf71qlEFQGf;u2?z%R0tOWb0tpHW1Qr4V0RkQY0vCV)3JDNP zz@wZe&UE>KH3$71yYZew(5qrJOov^MNz^_nm@Ixhn)*N<;-#`50ilBi8Ai)c$*S-M60)tZb`md1BU`qo2oba}EwT5jXuo zdnpavJ$i2I#n!s6AhNo^`Qu)|GI%i~WJ;M}KfIz;vv4ec)%nEDoGFl)n5Ap1A5`Dp zX9#jb@esga9f5rkUt#R7#ltbyQyOIS7py63dBQtn8y*U;N)^LysjzZq!lTqRp;F>4 z55>km0egY40ssTK0SyFE-^S(v2mr6Dex*pARw!d{xOG2W(=fmX8L|Dt&QR=J6C{fN zJX`|pv&xgrKg4Bmz|S!AN$(H|W!lePtR{E?#cUrTiJ%!mM<(RVdU;*=@0+KRQNC@r zlKb$)4vaGr0`(ScrG`yRJKGpiup|P1g_AWE?83_%a#qy5t~Iz0AsjK(-Q)OJsol@y z*I2H#31rnCa8>C_^h!e@^AhI&Zb_HQmflGGa$G-Dh$6M_Sxp5bsK8F&f`=^!{8aNE zbgy?iHMZVE37<#tIrTFMbDDmDG5e_NE_dN2cg7=5n>z)cOG!xwW6#_C=71Z-vi3G! zXWci03Nvje|x@Jj#@0RRDs0VM<&0RjLI1p-mu#^wSW3)$xnLR2cf)A&^d;t|grD@}I*xIRJkbW#bS z*?F2@V6$-Fvj2Xi2DIn$5SuxeHs7`?0Hy#D_qGMVAuRM~H{dWGXRi%LpnaHW1cJx9XE1@Q`BDO~iSiNR!3@X~Ko%TL92-^uD|v@r ztFpAz9tkz3)`OX=58d>siaqHy8Z8^eNLZnj!&%IBwi37p;9A1BaY=*lYeOdX@f+8- zrHB~E4@?kvos%lNa!r4M&^j*I$G3LG3g11c5( literal 0 HcmV?d00001 
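Review bot: In the `else` branch of the Rex Expired block, the `--edit-key` run that un-expires the key discards both its output and its exit status (`>/dev/null 2>&1 || true`), yet the two `cp … $SECUNEXPIRED` / `$PUBUNEXPIRED` lines after it run unconditionally, so a failed edit is cached as the "unexpired" key and every later `signreleasefiles 'Rex Expired'` takes the `[ -f "$SECUNEXPIRED" ]` branch with a key that is still expired, after which the `--detach-sign` and `--clearsign` calls fail while `msgdone "info"` still reports success. Gate the cache on the edit succeeding, `if printf "expire\n1w\nsave\n" | $GPG --keyring ${REXKEY}.pub --secret-keyring ${REXKEY}.sec --command-fd 0 --edit-key "${SIGNER}" >/dev/null 2>&1; then` around the two `cp` lines, and let a failure reach stderr instead of `|| true`. The cache also ages out: `1w` makes the edited key expire again after a week, but the `-f` tests only check that the `.unexpired` files exist, so a checkout older than a week silently signs with an expired key again; a comment such as `# .unexpired copies are only valid for one week (the 1w above); delete them to regenerate` or a `find … -mtime +6` guard would make that visible. signreleasefiles starts and ends within this hunk.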
diff --git a/test/integration/rexexpired.sec b/test/integration/rexexpired.sec new file mode 100644 index 0000000000000000000000000000000000000000..dc00168cd5d882a31e3e77798afa11ecd45d6f0e GIT binary patch literal 2502 zcmV;%2|4za1DFI+-^S(v2mqi+OZ(UrnFp*nmVVZNWZ1(SLiz{5DRRwpMpUcG=wQ7^{&sfGwQc&e*++ikuN-PmQVw`v(5joU#ObB(J}3is$THS^Q8X)$7 zjoRS0I{8w%1^;<9gx-a)mH;GTS@mbb^nJl;YXPd0Y<*+U!E5%xTTJPLwE9#jIP`{pIL{UqJvQ;Ln`JFYc6=G z92hvIOGd-~q3QBR+c9V6B*v`EgRxW{^kG#ZGlx%{nXRa_byR5xuQkTnzgXr!yojg!~s{$T_F$QFDEd6THg-e}*PLQ!cRYH`m8UD6HV0#`Rr#Un3( ztLS(KoqUPxaO;eX+Htu~8m1Fxd|F7dS7GL~AaPMBf-L46qKbowKqsa)SR*LVITBm4 zB;h}Ol#4za!u0~`@lZ-)Ff$S&e!GC9rsA}KY_yF%X8EHMEWuQ6wbb7=1OUwvNe7gg z&$vcKL_NL2>g2#APJwtH!<4(6Sr${}q8$uL7*$(eZ7YGa*oVq8Lm}#CG%1FDD+Ar^ z_KJ6kLrkP9Vd0F+#yxPbDLN4&lBc4j3alD*0j!-UTSVLTzr=qHweq90jnvL(uU*vu z<5c05S&1h9X`)pcMCs&eU+MtN}G_Y;NJaMfq$Ma4v?UJk1QqtOq9{=Z|LFr`c@dAbGd9 zi!7lYOo&qs%p)4QmpW5{J^rEMr{O?l(ET_xdH`KLVxt0j1t>s%&TSzdIlQzTQe}7` zMR;&&a%E&7JaT1tKxKGgZE$R5E^l&YK8XQ71QP)Q04N0lQQyYq0viJb2>=06fCdW* z2nPcK1{DYb2?`4Y76JnS0v-VZ7k~f?2@p%bqnszsboqfb2mKto@t#A_t70@vhh2|J z)I17cuumF4!Um`$BODQKQungHORwf)fh9+y+_}F z!#Ap5;1uiL-GIk$++ARirFTifJ@wE3*P7S3Vfx_roq|ufD+F9hLm;_PZ#^wPC0I#Zk zrAVDtC}VH9bw6FxFu(^HvHio&Q0!b2B#Qq$TmtR0%9G7M#AR{7&oJ{z?+^)P+Rt9B zCU^nGY#$+spcz6(CgjX|d0qJLo2QadzHPUX`|!jLj587f^%iZVhD}U6+Za-?Bm#eh zlQk9W!pj?SR@A(%HMkBT95K}0#q-OuFLSgy4RWYr#URq0CfN<$#?66XJINteo& z-bnm%Tt8HZBDL;WO$8*Vz)s(Shb;&ERP!EmuXj5&w%$VtpGWaI^)m@`ntp&W`>5+K zci|;>#v@LfI|ZLhNl6D|&)fXwfE&cJ_BLMRQXReT21+$|*aR4}1HW(ZO8^l800968 z`v-Pbs_x3bJ~sO&`qLIkLTKgWQHxe44T=2UQ%)2~oF4pUJVr$wKMJB`hz6e{`Sr}otP6+p8_ zZ6|C&o0+#@niO$)ONy+H%&`d$+0lr^hh0W4HJF{gh%=V}JJS3W4&x39p8jC|0R#Zf zeyfxS#-DV-lotM1yGX#VSjSZJySPepE+~k{Q~zd_EY&P4Fw#0rE?6gW!Fd8{)FPWA z%lu-yG+&4zgX6&T1YCR^K}1;Eef# z{4LKkp^-7lFE|}ZG<)wQ7W;daU?`M(7iRXFlTwy$3{U)WH}X1jU*GJ=aIw$Cg0A+_ zes+luX5_Jqy!abVwY5I;hBH=-Og;EJrilS11Q-DV01pKMQQyYq0vikk2>=06fB*^! 
z5KF+LoF~q7`PB#q|6i!~W+RN>E%DKH=auWhBl7gEODwt8q8rFdb*F4Mw1Sm}vxp$GT@Qfvfpa0Rsbt` zhhD3)wA3C6HKx{snX3=o^r?zH=`|WH8^uUip_Ri~%yzaCxCh``!nbirgYauZCid|g z*SDpJ7{?Dx5O|%FD!Xz`e}T|CF4)JncEk$jG3G5`kS{LAmH{lZ5Ws43&iSrUmSx{- QRSaCY$G1qt@~{E`0O*CHU;qFB literal 0 HcmV?d00001
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index e56f458d3..daba3919b 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -107,13 +107,24 @@ runtest() {
 " aptcache show apt
 installaptnew
+ prepare ${PKGFILE}
+ rm -rf rootdir/var/lib/apt/lists
+ cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ signreleasefiles 'Rex Expired'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ msgtest 'Cold archive signed by' 'Rex Expired'
+ aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
+ testequal "$(cat ${PKGFILE})
+" aptcache show apt
+ failaptold
+ rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 prepare ${PKGFILE}
 rm -rf rootdir/var/lib/apt/lists
 signreleasefiles 'Marvin Paranoid'
 find aptarchive/ -name "$DELETEFILE" -delete
 msgtest 'Cold archive signed by' 'Marvin Paranoid'
- aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+ aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
 testequal "$(cat ${PKGFILE})
 " aptcache show apt
 failaptold
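Review bot: The new cold-archive 'Rex Expired' block asserts only that a `W: … KEYEXPIRED` line appears; the property actually under test — that a signature made with an expired key leaves the archive untrusted, exactly as with no key — is carried by the `failaptold` that follows and is not stated anywhere, so a reader of the `msgtest 'Cold archive signed by' 'Rex Expired'` line cannot tell whether the warning alone counts as a pass. A comment above that `msgtest`, e.g. `# an expired signing key must produce a KEYEXPIRED warning and the Release must still be rejected (failaptold below)`, would pin that down. The `… > /dev/null && msgpass || msgfail` shape on the `aptget update` lines (also used by the new lines of the `@@ -147` hunk) would run msgfail as well if msgpass ever returned non-zero; `if aptget update 2>&1 | grep -qE '^W: .* KEYEXPIRED'; then msgpass; else msgfail; fi` is the safer form. runtest's body starts and ends outside this hunk.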
@@ -147,10 +158,30 @@ runtest() {
 signreleasefiles 'Marvin Paranoid'
 find aptarchive/ -name "$DELETEFILE" -delete
 msgtest 'Good warm archive signed by' 'Marvin Paranoid'
- aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+ aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
+ testequal "$(cat ${PKGFILE})
+" aptcache show apt
+ installaptold
+
+ prepare ${PKGFILE}-new
+ cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ signreleasefiles 'Rex Expired'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ msgtest 'Good warm archive signed by' 'Rex Expired'
+ aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
 testequal "$(cat ${PKGFILE})
 " aptcache show apt
 installaptold
+ rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+
+ prepare ${PKGFILE}-new
+ signreleasefiles
+ find aptarchive/ -name "$DELETEFILE" -delete
+ msgtest 'Good warm archive signed by' 'Joe Sixpack'
+ aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgfail || msgpass
+ testequal "$(cat ${PKGFILE}-new)
+" aptcache show apt
+ installaptnew
 }
 runtest2() { -- 2.45.2
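Review bot: The warm 'Rex Expired' block prepares `${PKGFILE}-new` but then checks `aptcache show apt` against the old `${PKGFILE}` and runs `installaptold`, while the Joe Sixpack block right after it prepares `-new` and checks `-new`; that asymmetry is the actual assertion (the expired-key signature must not let the new archive replace the lists accepted earlier) but without a comment it reads like a copy-paste slip. A line above that `prepare ${PKGFILE}-new`, e.g. `# new archive signed with an expired key: the previously accepted lists must stay in use`, would make the intent explicit. The last block inverts the idiom to `&& msgfail || msgpass`, so any `W:` or `E:` line fails the test, which is stricter than the other checks; a short comment that this is the clean-keyring baseline after the `rm` of rexexpired.gpg, and `grep -q` inside an `if`, would avoid the double-branch idiom here too. runtest opens outside the hunk; its closing brace is the context line before `runtest2() {`.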