Browse Source

fix apt-key net-update test to use the buildin webserver

tags/debian/0.9.14.2
Michael Vogt 7 years ago
parent
commit
e5543ea5a2
8 changed files with 25 additions and 110 deletions
  1. +1
    -1
      cmdline/apt-key.in
  2. BIN
      test/integration/exploid-keyring-with-dupe-keys.pub
  3. BIN
      test/integration/exploid-keyring-with-dupe-subkeys.pub
  4. BIN
      test/integration/keyrings/test-archive-keyring.pub
  5. BIN
      test/integration/keyrings/test-archive-keyring.sec
  6. BIN
      test/integration/keyrings/test-master-keyring.pub
  7. BIN
      test/integration/keyrings/test-master-keyring.sec
  8. +24
    -109
      test/integration/test-apt-key-net-update

+ 1
- 1
cmdline/apt-key.in View File

@@ -130,7 +130,7 @@ net_update() {
if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then
mkdir -p ${APT_DIR}/var/lib/apt/keyrings
fi
keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING_URI)
old_mtime=0
if [ -e $keyring ]; then
old_mtime=$(stat -c %Y $keyring)


BIN
test/integration/exploid-keyring-with-dupe-keys.pub View File


BIN
test/integration/exploid-keyring-with-dupe-subkeys.pub View File


BIN
test/integration/keyrings/test-archive-keyring.pub View File


BIN
test/integration/keyrings/test-archive-keyring.sec View File


BIN
test/integration/keyrings/test-master-keyring.pub View File


BIN
test/integration/keyrings/test-master-keyring.sec View File


+ 24
- 109
test/integration/test-apt-key-net-update View File

@@ -9,120 +9,35 @@ configarchitecture "i386"
changetowebserver

# setup env
mkdir -p aptarchive/ubuntu/project var/lib/apt/keyrings
echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/ubuntu-archive-keyring.gpg";' >> ./aptconfig.conf
echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf

# signed thing
echo "meep" > aptarchive/ubuntu/project/ubuntu-archive-keyring.gpg

# test against the "real" webserver
aptkey --fakeroot net-update

exit 1

# mock
requires_root() {
return 0
}

# extract net_update() and import it
func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key )
eval "$func"

mkdir -p ./etc/apt
TRUSTEDFILE=./etc/apt/trusted.gpg
mkdir -p ./var/lib/apt/keyrings
TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg
GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"

# FIXME: instead of copying this use apt-key and the buildin apt webserver
# to do a real test

# COPYIED from apt-key.in --------------

# gpg needs a trustdb to function, but it can't be invalid (not even empty)
# so we create a temporary directory to store our fresh readable trustdb in
TRUSTDBDIR="$(mktemp -d)"
CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
chmod 700 "$TRUSTDBDIR"
# We also don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available - and writeable for imports
SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
touch $SECRETKEYRING
GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
#----------------------------------------- END COPY
mkdir -p var/lib/apt/keyrings
mkdir -p usr/share/keyrings

GPG="$GPG_CMD --keyring $TRUSTEDFILE"
MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg

msgtest "add_keys_with_verify_against_master_keyring"
if [ ! -e $MASTER_KEYRING ]; then
echo -n "No $MASTER_KEYRING found"
msgskip
exit 0
fi

# test bad keyring and ensure its not added (LP: #857472)
ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub
if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
msgfail
else
msgpass
fi

# ensure the keyring is still empty
gpg_out=$($GPG --list-keys)
msgtest "Test if keyring is empty"
if [ -n "" ]; then
msgfail
else
msgpass
fi


# test another possible attack vector using subkeys (LP: #1013128)
msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
msgfail
else
msgpass
fi

# ensure the keyring is still empty
gpg_out=$($GPG --list-keys)
msgtest "Test if keyring is empty"
if [ -n "" ]; then
msgfail
else
msgpass
fi
# install the fake master keyring
install -m0644 keys/test-master-keyring.pub usr/share/keyrings
echo "APT::Key::MasterKeyring \"${TMPWORKINGDIRECTORY}/usr/share/keyrings/test-master-keyring.pub\";" >> ./aptconfig.conf

# setup archive-keyring
mkdir -p aptarchive/ubuntu/project
install -m0644 keys/test-archive-keyring.pub aptarchive/ubuntu/project/
echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/test-archive-keyring.pub";' >> ./aptconfig.conf
echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf

# test good keyring and ensure we get no errors
ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
msgpass
else
msgfail
fi
# test against the "real" webserver
testequal 'Checking for new archive signing keys now
gpg: key F68C85A3: public key "Test Automatic Archive Signing Key <ftpmaster@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)' aptkey --fakeroot net-update

testequal './etc/apt/trusted.gpg
---------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12

pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
# now try a different one
# setup archive-keyring
mkdir -p aptarchive/ubuntu/project
install -m0644 keys/marvinparanoid.pub aptarchive/ubuntu/project/
echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/marvinparanoid.pub";' >> ./aptconfig.conf
echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf

pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
# test against the "real" webserver
testequal "Checking for new archive signing keys now
Key 'E8525D47528144E2' not added. It is not signed with a master key" aptkey --fakeroot net-update

pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
' $GPG --list-keys


Loading…
Cancel
Save