You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

test-releasefile-verification 15 KiB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434
  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. buildaptarchive
  8. setupflataptarchive
  9. changetowebserver
  10. webserverconfig 'aptwebserver::support::range' 'false'
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' "$release"
  22. done
  23. aptget clean
  24. cp "$1" aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE" 'now + 1 month'
  28. }
  29. installaptold() {
  30. rm -rf rootdir/var/cache/apt/archives
  31. testsuccessequal "Reading package lists...
  32. Building dependency tree...
  33. Suggested packages:
  34. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  35. The following NEW packages will be installed:
  36. apt
  37. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  38. After this operation, 5370 kB of additional disk space will be used.
  39. Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
  40. Download complete and in download only mode" aptget install apt -dy
  41. }
  42. installaptnew() {
  43. rm -rf rootdir/var/cache/apt/archives
  44. testsuccessequal "Reading package lists...
  45. Building dependency tree...
  46. Suggested packages:
  47. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  48. The following NEW packages will be installed:
  49. apt
  50. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  51. After this operation, 5808 kB of additional disk space will be used.
  52. Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
  53. Download complete and in download only mode" aptget install apt -dy
  54. }
  55. failaptold() {
  56. testfailureequal 'Reading package lists...
  57. Building dependency tree...
  58. Suggested packages:
  59. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  60. The following NEW packages will be installed:
  61. apt
  62. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  63. After this operation, 5370 kB of additional disk space will be used.
  64. WARNING: The following packages cannot be authenticated!
  65. apt
  66. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  67. }
  68. failaptnew() {
  69. testfailureequal 'Reading package lists...
  70. Building dependency tree...
  71. Suggested packages:
  72. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  73. The following NEW packages will be installed:
  74. apt
  75. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  76. After this operation, 5808 kB of additional disk space will be used.
  77. WARNING: The following packages cannot be authenticated!
  78. apt
  79. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  80. }
  81. # fake our downloadable file
  82. touch aptarchive/apt.deb
  83. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  84. updatewithwarnings() {
  85. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  86. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  87. }
  88. runtest() {
  89. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  90. prepare "${PKGFILE}"
  91. rm -rf rootdir/var/lib/apt/lists
  92. signreleasefiles 'Joe Sixpack'
  93. successfulaptgetupdate
  94. testsuccessequal "$(cat "${PKGFILE}")
  95. " aptcache show apt
  96. installaptold
  97. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  98. prepare "${PKGFILE}-new"
  99. signreleasefiles 'Joe Sixpack'
  100. successfulaptgetupdate
  101. testsuccessequal "$(cat "${PKGFILE}-new")
  102. " aptcache show apt
  103. installaptnew
  104. msgmsg 'Cold archive signed by' 'Rex Expired'
  105. prepare "${PKGFILE}"
  106. rm -rf rootdir/var/lib/apt/lists
  107. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  108. signreleasefiles 'Rex Expired'
  109. updatewithwarnings '^W: .* EXPKEYSIG'
  110. testsuccessequal "$(cat "${PKGFILE}")
  111. " aptcache show apt
  112. failaptold
  113. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  114. msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
  115. if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  116. touch rootdir/etc/apt/apt.conf.d/99gnupg2
  117. elif gpg2 --version >/dev/null 2>&1; then
  118. echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
  119. if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  120. rm rootdir/etc/apt/apt.conf.d/99gnupg2
  121. fi
  122. fi
  123. if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
  124. prepare "${PKGFILE}"
  125. rm -rf rootdir/var/lib/apt/lists
  126. signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
  127. updatewithwarnings '^W: .* EXPSIG'
  128. testsuccessequal "$(cat "${PKGFILE}")
  129. " aptcache show apt
  130. failaptold
  131. rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
  132. else
  133. msgskip 'Not a new enough gpg available providing --fake-system-time'
  134. fi
  135. msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
  136. prepare "${PKGFILE}"
  137. rm -rf rootdir/var/lib/apt/lists
  138. signreleasefiles 'Joe Sixpack,Marvin Paranoid'
  139. successfulaptgetupdate 'NO_PUBKEY'
  140. testsuccessequal "$(cat "${PKGFILE}")
  141. " aptcache show apt
  142. installaptold
  143. msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
  144. prepare "${PKGFILE}"
  145. rm -rf rootdir/var/lib/apt/lists
  146. signreleasefiles 'Joe Sixpack,Rex Expired'
  147. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  148. successfulaptgetupdate 'EXPKEYSIG'
  149. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  150. testsuccessequal "$(cat "${PKGFILE}")
  151. " aptcache show apt
  152. installaptold
  153. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  154. prepare "${PKGFILE}"
  155. rm -rf rootdir/var/lib/apt/lists
  156. signreleasefiles 'Marvin Paranoid'
  157. updatewithwarnings '^W: .* NO_PUBKEY'
  158. testsuccessequal "$(cat "${PKGFILE}")
  159. " aptcache show apt
  160. failaptold
  161. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  162. prepare "${PKGFILE}-new"
  163. signreleasefiles 'Joe Sixpack'
  164. successfulaptgetupdate
  165. testsuccessequal "$(cat "${PKGFILE}-new")
  166. " aptcache show apt
  167. installaptnew
  168. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  169. prepare "${PKGFILE}"
  170. rm -rf rootdir/var/lib/apt/lists
  171. signreleasefiles 'Joe Sixpack'
  172. successfulaptgetupdate
  173. testsuccessequal "$(cat "${PKGFILE}")
  174. " aptcache show apt
  175. installaptold
  176. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  177. prepare "${PKGFILE}-new"
  178. signreleasefiles 'Marvin Paranoid'
  179. updatewithwarnings '^W: .* NO_PUBKEY'
  180. testsuccessequal "$(cat "${PKGFILE}")
  181. " aptcache show apt
  182. installaptold
  183. msgmsg 'Good warm archive signed by' 'Rex Expired'
  184. prepare "${PKGFILE}-new"
  185. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  186. signreleasefiles 'Rex Expired'
  187. updatewithwarnings '^W: .* EXPKEYSIG'
  188. testsuccessequal "$(cat "${PKGFILE}")
  189. " aptcache show apt
  190. installaptold
  191. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  192. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  193. prepare "${PKGFILE}-new"
  194. signreleasefiles
  195. successfulaptgetupdate
  196. testsuccessequal "$(cat "${PKGFILE}-new")
  197. " aptcache show apt
  198. installaptnew
  199. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  200. prepare "${PKGFILE}"
  201. rm -rf rootdir/var/lib/apt/lists
  202. signreleasefiles 'Marvin Paranoid'
  203. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  204. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  205. successfulaptgetupdate
  206. testsuccessequal "$(cat "${PKGFILE}")
  207. " aptcache show apt
  208. installaptold
  209. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  210. rm -rf rootdir/var/lib/apt/lists
  211. signreleasefiles 'Joe Sixpack'
  212. updatewithwarnings '^W: .* NO_PUBKEY'
  213. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  214. local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  215. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  216. rm -rf rootdir/var/lib/apt/lists
  217. signreleasefiles 'Joe Sixpack'
  218. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  219. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  220. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  221. rm -rf rootdir/var/lib/apt/lists
  222. signreleasefiles 'Marvin Paranoid'
  223. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  224. successfulaptgetupdate
  225. testsuccessequal "$(cat "${PKGFILE}")
  226. " aptcache show apt
  227. installaptold
  228. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
  229. rm -rf rootdir/var/lib/apt/lists
  230. signreleasefiles 'Marvin Paranoid,Joe Sixpack'
  231. successfulaptgetupdate 'NoPubKey: GOODSIG'
  232. testsuccessequal "$(cat "${PKGFILE}")
  233. " aptcache show apt
  234. installaptold
  235. local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  236. msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  237. rm -rf rootdir/var/lib/apt/lists
  238. signreleasefiles 'Joe Sixpack'
  239. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
  240. successfulaptgetupdate
  241. testsuccessequal "$(cat "${PKGFILE}")
  242. " aptcache show apt
  243. installaptold
  244. local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  245. msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  246. rm -rf rootdir/var/lib/apt/lists
  247. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
  248. successfulaptgetupdate
  249. testsuccessequal "$(cat "${PKGFILE}")
  250. " aptcache show apt
  251. installaptold
  252. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  253. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
  254. rm -rf rootdir/var/lib/apt/lists-bak
  255. cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
  256. prepare "${PKGFILE}-new"
  257. signreleasefiles 'Joe Sixpack'
  258. msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
  259. sed -i "/^Valid-Until: / a\
  260. Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  261. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  262. successfulaptgetupdate
  263. testsuccessequal "$(cat "${PKGFILE}-new")
  264. " aptcache show apt
  265. installaptnew
  266. msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
  267. rm -rf rootdir/var/lib/apt/lists
  268. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  269. sed -i "/^Valid-Until: / a\
  270. Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  271. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  272. updatewithwarnings 'W: .* public key is not available: GOODSIG'
  273. testsuccessequal "$(cat "${PKGFILE}")
  274. " aptcache show apt
  275. installaptold
  276. msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
  277. rm -rf rootdir/var/lib/apt/lists
  278. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  279. sed -i "/^Valid-Until: / a\
  280. Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
  281. Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  282. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  283. successfulaptgetupdate
  284. testsuccessequal "$(cat "${PKGFILE}-new")
  285. " aptcache show apt
  286. installaptnew
  287. msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
  288. rm -rf rootdir/var/lib/apt/lists
  289. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  290. sed -i "/^Valid-Until: / a\
  291. Signed-By: ${MARVIN} ${MARVIN}, \\
  292. ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  293. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  294. successfulaptgetupdate
  295. testsuccessequal "$(cat "${PKGFILE}-new")
  296. " aptcache show apt
  297. installaptnew
  298. }
  299. runtest2() {
  300. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  301. prepare "${PKGFILE}"
  302. rm -rf rootdir/var/lib/apt/lists
  303. signreleasefiles 'Joe Sixpack'
  304. successfulaptgetupdate
  305. # New .deb but now an unsigned archive. For example MITM to circumvent
  306. # package verification.
  307. msgmsg 'Warm archive signed by' 'nobody'
  308. prepare "${PKGFILE}-new"
  309. find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
  310. updatewithwarnings 'W: .* no longer signed.'
  311. testsuccessequal "$(cat "${PKGFILE}-new")
  312. " aptcache show apt
  313. failaptnew
  314. # Unsigned archive from the beginning must also be detected.
  315. msgmsg 'Cold archive signed by' 'nobody'
  316. rm -rf rootdir/var/lib/apt/lists
  317. updatewithwarnings 'W: .* is not signed.'
  318. testsuccessequal "$(cat "${PKGFILE}-new")
  319. " aptcache show apt
  320. failaptnew
  321. }
  322. runtest3() {
  323. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  324. msgmsg "Running base test with $1 digest"
  325. runtest2
  326. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  327. export APT_DONT_SIGN="$DELETEFILE"
  328. msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
  329. runtest
  330. unset APT_DONT_SIGN
  331. done
  332. }
  333. # diable some protection by default and ensure we still do the verification
  334. # correctly
  335. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  336. Acquire::AllowInsecureRepositories "1";
  337. Acquire::AllowDowngradeToInsecureRepositories "1";
  338. EOF
  339. # the hash marked as configureable in our gpgv method
  340. export APT_TESTS_DIGEST_ALGO='SHA224'
  341. successfulaptgetupdate() {
  342. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  343. if [ -n "$1" ]; then
  344. cp rootdir/tmp/testsuccess.output aptupdate.output
  345. testsuccess grep "$1" aptupdate.output
  346. fi
  347. }
  348. runtest3 'Trusted'
  349. successfulaptgetupdate() {
  350. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  351. if [ -n "$1" ]; then
  352. testsuccess grep "$1" rootdir/tmp/testwarning.output
  353. fi
  354. testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
  355. }
  356. runtest3 'Weak'
  357. msgmsg "Running test with apt-untrusted digest"
  358. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  359. runfailure() {
  360. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  361. export APT_DONT_SIGN="$DELETEFILE"
  362. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  363. prepare "${PKGFILE}"
  364. rm -rf rootdir/var/lib/apt/lists
  365. signreleasefiles 'Joe Sixpack'
  366. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  367. testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
  368. testnopackage 'apt'
  369. testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  370. failaptold
  371. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  372. prepare "${PKGFILE}"
  373. rm -rf rootdir/var/lib/apt/lists
  374. signreleasefiles 'Marvin Paranoid'
  375. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  376. testnopackage 'apt'
  377. updatewithwarnings '^W: .* NO_PUBKEY'
  378. testsuccessequal "$(cat "${PKGFILE}")
  379. " aptcache show apt
  380. failaptold
  381. unset APT_DONT_SIGN
  382. done
  383. }
  384. runfailure
  385. msgmsg "Running test with gpgv-untrusted digest"
  386. export APT_TESTS_DIGEST_ALGO='MD5'
  387. runfailure