
tests: allow to disable generation of InRelease/Release.gpg file

If the test just signs release files to throw away one of them to test
the other, we can just as well save the time and not create it.

Git-Dch: Ignore
tags/debian/1.3_exp1
David Kalnischkies 5 years ago
parent
commit
761a5ad2ec
6 changed files with 33 additions and 45 deletions
  1. +14
    -4
      test/integration/framework
  2. +3
    -5
      test/integration/test-apt-update-nofallback
  3. +0
    -2
      test/integration/test-hashsum-verification
  4. +8
    -5
      test/integration/test-releasefile-date-older
  5. +6
    -25
      test/integration/test-releasefile-verification
  6. +2
    -4
      test/integration/test-ubuntu-bug-784473-InRelease-one-message-only

+ 14
- 4
test/integration/framework View File

@@ -1134,11 +1134,21 @@ signreleasefiles() {
fi
local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
for RELEASE in $(find "${REPODIR}/" -name Release); do
testsuccess $GPG "$@" $SIGUSERS --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
testsuccess $GPG "$@" $SIGUSERS --clearsign --output "$INRELEASE" "$RELEASE"
# we might have set a specific date for the Release file, so copy it
touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}"
local DATE="$(stat --format "%y" "${RELEASE}")"
if [ "$APT_DONT_SIGN" = 'Release.gpg' ]; then
rm -f "${RELEASE}.gpg"
else
testsuccess $GPG "$@" $SIGUSERS --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
touch -d "$DATE" "${RELEASE}.gpg"
fi
local INRELEASE="${RELEASE%/*}/InRelease"
if [ "$APT_DONT_SIGN" = 'InRelease' ]; then
rm -f "$INRELEASE"
else
testsuccess $GPG "$@" $SIGUSERS --clearsign --output "$INRELEASE" "$RELEASE"
touch -d "$DATE" "${INRELEASE}"
fi
done
if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then
mv -f "$SECEXPIREBAK" "${REXKEY}.sec"
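Review bot: `APT_DONT_SIGN` is read inside the signing loop through two exact string comparisons and is not documented anywhere in the lines shown, so a misspelt or differently cased value falls into both `else` branches and signs both files without any hint. For tests whose purpose is to exercise one signature path, that quietly changes what is being verified. I would add a comment above the loop, for example `# APT_DONT_SIGN: 'InRelease' or 'Release.gpg' skips (and removes) that file; unset or empty signs both`, and make any other non-empty value fail the test instead of being ignored. `signreleasefiles` begins and ends outside this hunk, so the rest of its body was not reviewed.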


+ 3
- 5
test/integration/test-apt-update-nofallback View File

@@ -9,8 +9,7 @@ set -e
simulate_mitm_and_inject_evil_package()
{
redatereleasefiles '+1 hour'
rm -f "$APTARCHIVE/dists/unstable/InRelease"
rm -f "$APTARCHIVE/dists/unstable/Release.gpg"
rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
inject_evil_package
}

@@ -126,11 +125,10 @@ test_cve_2012_0214()
listcurrentlistsdirectory > lists.before

# do what CVE-2012-0214 did
rm "$APTARCHIVE/dists/unstable/InRelease"
rm "$APTARCHIVE/dists/unstable/Release.gpg"
rm "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
inject_evil_package
# build valid Release file
aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release
aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release

assert_update_is_refused_and_last_good_state_used
testfileequal lists.before "$(listcurrentlistsdirectory)"


+ 0
- 2
test/integration/test-hashsum-verification View File

@@ -44,7 +44,6 @@ SHA256:
xb306e66e5e6a7169c8d281a888539d1fdca9cecc99ae605717df579d5b9c166 527 Packages.lzma
x9585d0e66b74c9385727fbea11fea9ab33c716b18a32f3036f037a2b9b57120 572 Packages.xz
EOF
cp aptarchive/Release aptarchive/InRelease
}

# fake our downloadable file
@@ -56,7 +55,6 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete

# test signed release file
msgtest 'apt-get update gets the expected hashsum mismatch'


+ 8
- 5
test/integration/test-releasefile-date-older View File

@@ -26,40 +26,43 @@ testsuccess aptget update
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"

msgmsg 'Release.gpg file is silently rejected if' 'new Date is before old Date'
export APT_DONT_SIGN='InRelease'
rm -rf rootdir/var/lib/apt/lists
generatereleasefiles 'now' 'now + 7 days'
signreleasefiles
find aptarchive -name 'InRelease' -delete
testsuccess aptget update
listcurrentlistsdirectory > listsdir.lst
redatereleasefiles 'now - 2 days'
find aptarchive -name 'InRelease' -delete
testsuccess aptget update
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
unset APT_DONT_SIGN

msgmsg 'Crisscross InRelease/Release.gpg file is silently rejected if' 'new Date is before old Date'
export APT_DONT_SIGN='Release.gpg'
rm -rf rootdir/var/lib/apt/lists
generatereleasefiles 'now' 'now + 7 days'
signreleasefiles
find aptarchive -name 'Release.gpg' -delete
testsuccess aptget update
export APT_DONT_SIGN='InRelease'
listcurrentlistsdirectory > listsdir.lst
redatereleasefiles 'now - 2 days'
find aptarchive -name 'InRelease' -delete
testsuccess aptget update
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
unset APT_DONT_SIGN

msgmsg 'Crisscross Release.gpg/InRelease file is silently rejected if' 'new Date is before old Date'
export APT_DONT_SIGN='InRelease'
rm -rf rootdir/var/lib/apt/lists
generatereleasefiles 'now' 'now + 7 days'
signreleasefiles
find aptarchive -name 'InRelease' -delete
testsuccess aptget update
export APT_DONT_SIGN='Release.gpg'
listcurrentlistsdirectory > listsdir.lst
redatereleasefiles 'now - 2 days'
find aptarchive -name 'Release.gpg' -delete
testsuccess aptget update
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
unset APT_DONT_SIGN

msgmsg 'Release file has' 'no Date and no Valid-Until field'
rm -rf rootdir/var/lib/apt/lists
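Review bot: In the two crisscross cases the second `export APT_DONT_SIGN=...` sits between `testsuccess aptget update` and `redatereleasefiles 'now - 2 days'`, so it only has an effect if `redatereleasefiles` signs the release files again. That is not visible in this section. The removed `find ... -delete` lines made the swap explicit, whereas the new form relies on that side effect plus the `rm -f` added in the framework. A short comment at each switch would keep the intent readable, for example `# redatereleasefiles re-signs: from here only Release.gpg exists`.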


+ 6
- 25
test/integration/test-releasefile-verification View File

@@ -99,12 +99,10 @@ updatewithwarnings() {
}

runtest() {
local DELETEFILE="$1"
msgmsg 'Cold archive signed by' 'Joe Sixpack'
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
successfulaptgetupdate
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -113,7 +111,6 @@ runtest() {
msgmsg 'Good warm archive signed by' 'Joe Sixpack'
prepare "${PKGFILE}-new"
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
successfulaptgetupdate
testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
@@ -124,7 +121,6 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
find aptarchive/ -name "$DELETEFILE" -delete
updatewithwarnings '^W: .* EXPKEYSIG'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -144,7 +140,6 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
find aptarchive/ -name "$DELETEFILE" -delete
updatewithwarnings '^W: .* EXPSIG'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -158,7 +153,6 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack,Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
successfulaptgetupdate 'NO_PUBKEY'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -168,7 +162,6 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack,Rex Expired'
find aptarchive/ -name "$DELETEFILE" -delete
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
successfulaptgetupdate 'EXPKEYSIG'
rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
@@ -180,7 +173,6 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
updatewithwarnings '^W: .* NO_PUBKEY'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -189,7 +181,6 @@ runtest() {
msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
prepare "${PKGFILE}-new"
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
successfulaptgetupdate
testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
@@ -199,7 +190,6 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
successfulaptgetupdate
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -208,7 +198,6 @@ runtest() {
msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
prepare "${PKGFILE}-new"
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
updatewithwarnings '^W: .* NO_PUBKEY'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -218,7 +207,6 @@ runtest() {
prepare "${PKGFILE}-new"
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
find aptarchive/ -name "$DELETEFILE" -delete
updatewithwarnings '^W: .* EXPKEYSIG'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -228,7 +216,6 @@ runtest() {
msgmsg 'Good warm archive signed by' 'Joe Sixpack'
prepare "${PKGFILE}-new"
signreleasefiles
find aptarchive/ -name "$DELETEFILE" -delete
successfulaptgetupdate
testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
@@ -238,7 +225,6 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
successfulaptgetupdate
@@ -249,7 +235,6 @@ runtest() {
msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
updatewithwarnings '^W: .* NO_PUBKEY'
sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*

@@ -257,14 +242,12 @@ runtest() {
msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
updatewithwarnings '^W: .* be verified because the public key is not available: .*'

msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
successfulaptgetupdate
testsuccessequal "$(cat "${PKGFILE}")
@@ -274,7 +257,6 @@ runtest() {
msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid,Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
successfulaptgetupdate 'NoPubKey: GOODSIG'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -284,7 +266,6 @@ runtest() {
msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
successfulaptgetupdate
testsuccessequal "$(cat "${PKGFILE}")
@@ -306,7 +287,6 @@ runtest() {
cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
prepare "${PKGFILE}-new"
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete

msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
sed -i "/^Valid-Until: / a\
@@ -364,8 +344,7 @@ runtest2() {
# package verification.
msgmsg 'Warm archive signed by' 'nobody'
prepare "${PKGFILE}-new"
find aptarchive/ -name InRelease -delete
find aptarchive/ -name Release.gpg -delete
find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
updatewithwarnings 'W: .* no longer signed.'
testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
@@ -386,8 +365,10 @@ runtest3() {
runtest2

for DELETEFILE in 'InRelease' 'Release.gpg'; do
export APT_DONT_SIGN="$DELETEFILE"
msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
runtest "$DELETEFILE"
runtest
unset APT_DONT_SIGN
done
}

@@ -422,11 +403,11 @@ msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
runfailure() {
for DELETEFILE in 'InRelease' 'Release.gpg'; do
export APT_DONT_SIGN="$DELETEFILE"
msgmsg 'Cold archive signed by' 'Joe Sixpack'
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
testnopackage 'apt'
@@ -437,13 +418,13 @@ runfailure() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
testnopackage 'apt'
updatewithwarnings '^W: .* NO_PUBKEY'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
unset APT_DONT_SIGN
done
}
runfailure
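Review bot: With the explicit `find aptarchive/ -name "$DELETEFILE" -delete` calls gone, nothing in `runtest` or `runfailure` checks that the file named by `APT_DONT_SIGN` is actually absent after `signreleasefiles`. If the variable were ever ignored or mistyped, both loop iterations would verify the same set of signature files and still pass, so the per-file coverage of signature verification would be lost silently. An assertion right after signing that `find aptarchive/ -name "$DELETEFILE"` prints nothing would keep the two passes distinct. The same concern may apply to test/integration/test-hashsum-verification, whose section shows two deletions and no additions. If the line dropped there is its `find ... -delete`, that `runtest` now appears to run with both files signed, unless the variable is exported outside the lines shown.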


+ 2
- 4
test/integration/test-ubuntu-bug-784473-InRelease-one-message-only View File

@@ -8,11 +8,9 @@ configarchitecture 'i386'

insertpackage 'unstable' 'apt' 'i386' '0.8.11'

setupaptarchive
export APT_DONT_SIGN='Release.gpg'
setupaptarchive --no-update

rm -rf rootdir/var/lib/apt/lists

find aptarchive/ -name 'Release.gpg' -delete
find aptarchive/ -name 'InRelease' -exec cp {} {}.old \;

for RELEASE in $(find aptarchive/ -name 'InRelease'); do
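Review bot: `export APT_DONT_SIGN='Release.gpg'` is set before `setupaptarchive --no-update` and is not unset in the lines shown, unlike the export/unset pairs used in the other tests of this commit. If that is intentional, so that any later re-signing in this test also skips Release.gpg, a comment such as `# stays exported: this test must never see a Release.gpg` would say so. Otherwise an `unset APT_DONT_SIGN` after the setup call would limit its reach. The file continues past this hunk, so an unset may exist further down.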

