You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

203 lines
7.8 KiB

  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture 'i386'
  7. confighashes 'MD5'
  8. export APT_DONT_SIGN=''
  9. insertpackage 'unstable' 'foo' 'i386' '1.0'
  10. insertsource 'unstable' 'foo' 'any' '1.0'
  11. setupaptarchive --no-update
  12. APTARCHIVE="$(readlink -f ./aptarchive)"
  13. testnopkg() {
  14. testnopackage "$@"
  15. testnosrcpackage "$@"
  16. }
  17. testbadpkg() {
  18. testempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
  19. testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*Release'
  20. testnotempty apt show "$@"
  21. testnotempty apt showsrc "$@"
  22. testfailureequal "WARNING: The following packages cannot be authenticated!
  23. $*
  24. E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y "$@"
  25. testfailureequal "WARNING: The following packages cannot be authenticated!
  26. $*
  27. E: Some packages could not be authenticated" aptget source -qq "$@"
  28. }
  29. testrun() {
  30. local TYPE="$1"
  31. local FILENAME="$2"
  32. shift 2
  33. local MANGLED="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "$FILENAME" | sed 's#/#_#g')"
  34. msgmsg "$TYPE contains only weak hashes"
  35. confighashes 'MD5'
  36. generatereleasefiles
  37. signreleasefiles
  38. preparetest
  39. if [ -z "$1" ]; then
  40. listcurrentlistsdirectory > lists.before
  41. testfailuremsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
  42. E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  43. N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  44. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
  45. testfileequal lists.before "$(listcurrentlistsdirectory)"
  46. testnopkg 'foo'
  47. else
  48. testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
  49. W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  50. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  51. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
  52. testbadpkg 'foo'
  53. fi
  54. msgmsg "$TYPE contains only weak hashes, but source allows weak"
  55. sed -i 's#^deb\(-src\)\? #deb\1 [allow-weak=yes] #' rootdir/etc/apt/sources.list.d/*
  56. genericprepare
  57. testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
  58. W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  59. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  60. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
  61. testbadpkg 'foo'
  62. sed -i 's#^deb\(-src\)\? \[allow-weak=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
  63. msgmsg "$TYPE contains no hashes"
  64. generatereleasefiles
  65. sed -i -e '/^ / d' -e '/^MD5Sum:/ d' "$APTARCHIVE/dists/unstable/Release"
  66. signreleasefiles
  67. preparetest
  68. if [ -z "$1" ]; then
  69. listcurrentlistsdirectory > lists.before
  70. testfailuremsg "W: No Hash entry in Release file ${MANGLED}
  71. E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  72. N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  73. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
  74. testfileequal lists.before "$(listcurrentlistsdirectory)"
  75. testnopkg 'foo'
  76. else
  77. testwarningmsg "W: No Hash entry in Release file ${MANGLED}
  78. W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
  79. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  80. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
  81. testbadpkg 'foo'
  82. fi
  83. msgmsg "$TYPE contains only weak hashes for some files"
  84. confighashes 'MD5' 'SHA256'
  85. generatereleasefiles
  86. sed -i '/^ [0-9a-fA-Z]\{64\} .*Sources$/d' "$APTARCHIVE/dists/unstable/Release"
  87. signreleasefiles
  88. preparetest
  89. if [ -z "$1" ]; then
  90. testwarningmsg "W: Skipping acquire of configured file 'main/source/Sources' as repository 'file:${APTARCHIVE} unstable InRelease' provides only weak security information for it" apt update
  91. testnosrcpackage foo
  92. else
  93. rm -f rootdir/var/lib/apt/lists/partial/*
  94. testsuccess apt update "$@"
  95. testnotempty apt showsrc foo
  96. fi
  97. testsuccess apt show foo
  98. }
  99. genericprepare() {
  100. rm -rf rootdir/var/lib/apt/lists
  101. mkdir -p rootdir/var/lib/apt/lists/partial
  102. touch rootdir/var/lib/apt/lists/lock
  103. local RELEASEGPG="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/Release.gpg" | sed 's#/#_#g')"
  104. touch "$RELEASEGPG"
  105. chmod 644 "$RELEASEGPG"
  106. local INRELEASE="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/InRelease" | sed 's#/#_#g')"
  107. touch "$INRELEASE"
  108. chmod 644 "$INRELEASE"
  109. }
  110. preparetest() {
  111. rm -f "${APTARCHIVE}/dists/unstable/Release" "${APTARCHIVE}/dists/unstable/Release.gpg"
  112. genericprepare
  113. }
  114. testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease"
  115. testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease" --allow-weak-repositories -o APT::Get::List-Cleanup=0
  116. preparetest() {
  117. rm -f "${APTARCHIVE}/dists/unstable/InRelease"
  118. genericprepare
  119. }
  120. testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release"
  121. testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release" --allow-weak-repositories -o APT::Get::List-Cleanup=0
  122. preparetest() {
  123. rm -f "${APTARCHIVE}/dists/unstable/InRelease" "${APTARCHIVE}/dists/unstable/Release.gpg"
  124. genericprepare
  125. }
  126. msgmsg 'Moving between Release files with good and bad hashes'
  127. rm -rf rootdir/var/lib/apt/lists
  128. confighashes 'MD5'
  129. generatereleasefiles 'now - 7 days'
  130. signreleasefiles
  131. testfailure apt update
  132. testnopkg 'foo'
  133. testwarning apt update --allow-weak-repositories
  134. testbadpkg 'foo'
  135. confighashes 'MD5' 'SHA256'
  136. rm -rf aptarchive/dists
  137. insertpackage 'unstable' 'foo2' 'i386' '1.0'
  138. insertsource 'unstable' 'foo2' 'any' '1.0'
  139. setupaptarchive --no-update 'now - 5 days'
  140. testsuccess apt update
  141. testnopkg foo
  142. testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
  143. testnotempty apt show foo2
  144. testnotempty apt showsrc foo2
  145. confighashes 'MD5'
  146. rm -rf aptarchive/dists
  147. insertpackage 'unstable' 'foo3' 'i386' '1.0'
  148. insertsource 'unstable' 'foo3' 'any' '1.0'
  149. setupaptarchive --no-update 'now - 3 days'
  150. testfailure apt update
  151. testnopkg foo
  152. testnopkg foo3
  153. testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
  154. testnotempty apt show foo2
  155. testnotempty apt showsrc foo2
  156. testwarning apt update --allow-weak-repositories
  157. testnopkg foo2
  158. testbadpkg foo3
  159. msgmsg 'Working with packages guarded only by weak hashes'
  160. confighashes 'MD5'
  161. rm -rf aptarchive/dists
  162. buildsimplenativepackage 'foo4' 'i386' '1' 'unstable'
  163. setupaptarchive --no-update
  164. testfailure apt update
  165. confighashes 'SHA256'
  166. generatereleasefiles 'now - 1 day'
  167. signreleasefiles
  168. testsuccess apt update
  169. cd downloaded
  170. testfailure apt download foo4
  171. cp ../rootdir/tmp/testfailure.output download.output
  172. testfailure grep 'Hash Sum mismatch' download.output
  173. testsuccess grep 'Insufficient information' download.output
  174. testsuccess apt install foo4 -s
  175. testfailure apt install foo4 -dy
  176. cp ../rootdir/tmp/testfailure.output install.output
  177. testfailure grep 'Hash Sum mismatch' install.output
  178. testsuccess grep 'Insufficient information' download.output
  179. testsuccess apt source foo4
  180. cp ../rootdir/tmp/testsuccess.output source.output
  181. testsuccess grep 'Skipping download of file' source.output
  182. testfailure test -e foo4_1.dsc
  183. testfailure test -e foo4_1.tar.*
  184. cd ..