You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

506 lines
18 KiB

  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. export APT_DONT_SIGN='Release.gpg'
  8. buildaptarchive
  9. setupflataptarchive
  10. changetowebserver
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' "$release"
  22. done
  23. aptget clean
  24. cp "$1" aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE" 'now + 1 month'
  28. }
  29. installaptold() {
  30. rm -rf rootdir/var/cache/apt/archives
  31. testsuccessequal "Reading package lists...
  32. Building dependency tree...
  33. Suggested packages:
  34. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  35. The following NEW packages will be installed:
  36. apt
  37. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  38. After this operation, 5370 kB of additional disk space will be used.
  39. Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
  40. Download complete and in download only mode" aptget install apt -dy
  41. }
  42. installaptnew() {
  43. rm -rf rootdir/var/cache/apt/archives
  44. testsuccessequal "Reading package lists...
  45. Building dependency tree...
  46. Suggested packages:
  47. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  48. The following NEW packages will be installed:
  49. apt
  50. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  51. After this operation, 5808 kB of additional disk space will be used.
  52. Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
  53. Download complete and in download only mode" aptget install apt -dy
  54. }
  55. failaptold() {
  56. testfailureequal 'Reading package lists...
  57. Building dependency tree...
  58. Suggested packages:
  59. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  60. The following NEW packages will be installed:
  61. apt
  62. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  63. After this operation, 5370 kB of additional disk space will be used.
  64. WARNING: The following packages cannot be authenticated!
  65. apt
  66. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  67. }
  68. failaptnew() {
  69. testfailureequal 'Reading package lists...
  70. Building dependency tree...
  71. Suggested packages:
  72. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  73. The following NEW packages will be installed:
  74. apt
  75. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  76. After this operation, 5808 kB of additional disk space will be used.
  77. WARNING: The following packages cannot be authenticated!
  78. apt
  79. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  80. }
  81. # fake our downloadable file
  82. touch aptarchive/apt.deb
  83. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  84. updatewithwarnings() {
  85. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  86. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  87. }
  88. runtest() {
  89. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  90. prepare "${PKGFILE}"
  91. rm -rf rootdir/var/lib/apt/lists
  92. signreleasefiles 'Joe Sixpack'
  93. successfulaptgetupdate
  94. testsuccessequal "$(cat "${PKGFILE}")
  95. " aptcache show apt
  96. installaptold
  97. if [ "$(id -u)" != '0' ]; then
  98. msgmsg 'Cold archive signed by' 'Joe Sixpack + unreadable key'
  99. rm -rf rootdir/var/lib/apt/lists
  100. echo 'foobar' > rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
  101. chmod 000 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
  102. updatewithwarnings '^W: .* is not readable by user'
  103. chmod 644 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
  104. rm -f rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
  105. testsuccessequal "$(cat "${PKGFILE}")
  106. " aptcache show apt
  107. installaptold
  108. fi
  109. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  110. prepare "${PKGFILE}-new"
  111. signreleasefiles 'Joe Sixpack'
  112. successfulaptgetupdate
  113. testsuccessequal "$(cat "${PKGFILE}-new")
  114. " aptcache show apt
  115. installaptnew
  116. msgmsg 'Cold archive signed by' 'Rex Expired'
  117. prepare "${PKGFILE}"
  118. rm -rf rootdir/var/lib/apt/lists
  119. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  120. signreleasefiles 'Rex Expired'
  121. updatewithwarnings '^W: .* EXPKEYSIG'
  122. testsuccessequal "$(cat "${PKGFILE}")
  123. " aptcache show apt
  124. failaptold
  125. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  126. msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
  127. if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  128. touch rootdir/etc/apt/apt.conf.d/99gnupg2
  129. elif gpg2 --version >/dev/null 2>&1; then
  130. echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
  131. if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  132. rm rootdir/etc/apt/apt.conf.d/99gnupg2
  133. fi
  134. fi
  135. if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
  136. prepare "${PKGFILE}"
  137. rm -rf rootdir/var/lib/apt/lists
  138. signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
  139. updatewithwarnings '^W: .* EXPSIG'
  140. testsuccessequal "$(cat "${PKGFILE}")
  141. " aptcache show apt
  142. failaptold
  143. rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
  144. else
  145. msgskip 'Not a new enough gpg available providing --fake-system-time'
  146. fi
  147. msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
  148. prepare "${PKGFILE}"
  149. rm -rf rootdir/var/lib/apt/lists
  150. signreleasefiles 'Joe Sixpack,Marvin Paranoid'
  151. successfulaptgetupdate 'NO_PUBKEY'
  152. testsuccessequal "$(cat "${PKGFILE}")
  153. " aptcache show apt
  154. installaptold
  155. msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
  156. prepare "${PKGFILE}"
  157. rm -rf rootdir/var/lib/apt/lists
  158. signreleasefiles 'Joe Sixpack,Rex Expired'
  159. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  160. successfulaptgetupdate 'EXPKEYSIG'
  161. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  162. testsuccessequal "$(cat "${PKGFILE}")
  163. " aptcache show apt
  164. installaptold
  165. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  166. prepare "${PKGFILE}"
  167. rm -rf rootdir/var/lib/apt/lists
  168. signreleasefiles 'Marvin Paranoid'
  169. updatewithwarnings '^W: .* NO_PUBKEY'
  170. testsuccessequal "$(cat "${PKGFILE}")
  171. " aptcache show apt
  172. failaptold
  173. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  174. prepare "${PKGFILE}-new"
  175. signreleasefiles 'Joe Sixpack'
  176. successfulaptgetupdate
  177. testsuccessequal "$(cat "${PKGFILE}-new")
  178. " aptcache show apt
  179. installaptnew
  180. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  181. prepare "${PKGFILE}"
  182. rm -rf rootdir/var/lib/apt/lists
  183. signreleasefiles 'Joe Sixpack'
  184. successfulaptgetupdate
  185. testsuccessequal "$(cat "${PKGFILE}")
  186. " aptcache show apt
  187. installaptold
  188. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  189. prepare "${PKGFILE}-new"
  190. signreleasefiles 'Marvin Paranoid'
  191. updatewithwarnings '^W: .* NO_PUBKEY'
  192. testsuccessequal "$(cat "${PKGFILE}")
  193. " aptcache show apt
  194. installaptold
  195. msgmsg 'Good warm archive signed by' 'Rex Expired'
  196. prepare "${PKGFILE}-new"
  197. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  198. signreleasefiles 'Rex Expired'
  199. updatewithwarnings '^W: .* EXPKEYSIG'
  200. testsuccessequal "$(cat "${PKGFILE}")
  201. " aptcache show apt
  202. installaptold
  203. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  204. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  205. prepare "${PKGFILE}-new"
  206. signreleasefiles
  207. successfulaptgetupdate
  208. testsuccessequal "$(cat "${PKGFILE}-new")
  209. " aptcache show apt
  210. installaptnew
  211. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  212. rm -rf rootdir/var/lib/apt/lists
  213. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  214. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  215. updatewithwarnings '^W: .* NO_PUBKEY'
  216. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  217. prepare "${PKGFILE}"
  218. signreleasefiles 'Marvin Paranoid'
  219. rm -rf rootdir/var/lib/apt/lists
  220. successfulaptgetupdate
  221. testsuccessequal "$(cat "${PKGFILE}")
  222. " aptcache show apt
  223. installaptold
  224. msgmsg 'Cold archive signed by good keyrings' 'Marvin Paranoid, Joe Sixpack'
  225. rm -rf rootdir/var/lib/apt/lists
  226. local SIXPACK="$(readlink -f keys/joesixpack.pub)"
  227. sed -i "s# \[signed-by=[^]]\+\] # [signed-by=$MARVIN,$SIXPACK] #" rootdir/etc/apt/sources.list.d/*
  228. successfulaptgetupdate
  229. testsuccessequal "$(cat "${PKGFILE}")
  230. " aptcache show apt
  231. installaptold
  232. msgmsg 'Cold archive signed by good keyrings' 'Joe Sixpack, Marvin Paranoid'
  233. rm -rf rootdir/var/lib/apt/lists
  234. local SIXPACK="$(readlink -f keys/joesixpack.pub)"
  235. sed -i "s# \[signed-by=[^]]\+\] # [signed-by=$SIXPACK,$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  236. successfulaptgetupdate
  237. testsuccessequal "$(cat "${PKGFILE}")
  238. " aptcache show apt
  239. installaptold
  240. sed -i "s# \[signed-by=[^]]\+\] # #" rootdir/etc/apt/sources.list.d/*
  241. local MARVIN="$(aptkey --keyring $MARVIN finger --with-colons | grep '^fpr' | cut -d':' -f 10)"
  242. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  243. rm -rf rootdir/var/lib/apt/lists
  244. signreleasefiles 'Joe Sixpack'
  245. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  246. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  247. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  248. rm -rf rootdir/var/lib/apt/lists
  249. signreleasefiles 'Marvin Paranoid'
  250. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  251. successfulaptgetupdate
  252. testsuccessequal "$(cat "${PKGFILE}")
  253. " aptcache show apt
  254. installaptold
  255. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
  256. rm -rf rootdir/var/lib/apt/lists
  257. signreleasefiles 'Marvin Paranoid,Joe Sixpack'
  258. successfulaptgetupdate 'NoPubKey: GOODSIG'
  259. testsuccessequal "$(cat "${PKGFILE}")
  260. " aptcache show apt
  261. installaptold
  262. local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger --with-colons | grep '^fpr' | cut -d':' -f 10)"
  263. msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  264. rm -rf rootdir/var/lib/apt/lists
  265. signreleasefiles 'Joe Sixpack'
  266. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
  267. successfulaptgetupdate
  268. testsuccessequal "$(cat "${PKGFILE}")
  269. " aptcache show apt
  270. installaptold
  271. msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  272. rm -rf rootdir/var/lib/apt/lists
  273. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
  274. successfulaptgetupdate
  275. testsuccessequal "$(cat "${PKGFILE}")
  276. " aptcache show apt
  277. installaptold
  278. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  279. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
  280. rm -rf rootdir/var/lib/apt/lists-bak
  281. cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
  282. prepare "${PKGFILE}-new"
  283. signreleasefiles 'Joe Sixpack'
  284. msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
  285. sed -i "/^Valid-Until: / a\
  286. Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  287. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  288. successfulaptgetupdate
  289. testsuccessequal "$(cat "${PKGFILE}-new")
  290. " aptcache show apt
  291. installaptnew
  292. msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
  293. rm -rf rootdir/var/lib/apt/lists
  294. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  295. sed -i "/^Valid-Until: / a\
  296. Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  297. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  298. updatewithwarnings 'W: .* public key is not available: GOODSIG'
  299. testsuccessequal "$(cat "${PKGFILE}")
  300. " aptcache show apt
  301. installaptold
  302. msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
  303. rm -rf rootdir/var/lib/apt/lists
  304. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  305. sed -i "/^Valid-Until: / a\
  306. Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
  307. Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  308. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  309. successfulaptgetupdate
  310. testsuccessequal "$(cat "${PKGFILE}-new")
  311. " aptcache show apt
  312. installaptnew
  313. msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
  314. rm -rf rootdir/var/lib/apt/lists
  315. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  316. sed -i "/^Valid-Until: / a\
  317. Signed-By: ${MARVIN} ${MARVIN}, \\
  318. ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  319. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  320. successfulaptgetupdate
  321. testsuccessequal "$(cat "${PKGFILE}-new")
  322. " aptcache show apt
  323. installaptnew
  324. cp -a keys/sebastiansubkey.pub rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
  325. local SEBASTIAN="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 1 '^fpr' | cut -d':' -f 10)"
  326. msgmsg 'Warm archive with subkey signing' 'Sebastian Subkey'
  327. rm -rf rootdir/var/lib/apt/lists
  328. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  329. signreleasefiles 'Sebastian Subkey'
  330. sed -i "/^Valid-Until: / a\
  331. Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release
  332. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  333. successfulaptgetupdate
  334. testsuccessequal "$(cat "${PKGFILE}-new")
  335. " aptcache show apt
  336. installaptnew
  337. msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey'
  338. rm -rf rootdir/var/lib/apt/lists
  339. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  340. sed -i "/^Valid-Until: / a\
  341. Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release
  342. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  343. updatewithwarnings 'W: .* public key is not available: GOODSIG'
  344. testsuccessequal "$(cat "${PKGFILE}")
  345. " aptcache show apt
  346. installaptold
  347. local SUBKEY="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 2 '^fpr' | tail -n -1 | cut -d':' -f 10)"
  348. msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey'
  349. rm -rf rootdir/var/lib/apt/lists
  350. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  351. sed -i "/^Valid-Until: / a\
  352. Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release
  353. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  354. successfulaptgetupdate
  355. testsuccessequal "$(cat "${PKGFILE}-new")
  356. " aptcache show apt
  357. installaptnew
  358. rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
  359. }
  360. runtest2() {
  361. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  362. prepare "${PKGFILE}"
  363. rm -rf rootdir/var/lib/apt/lists
  364. signreleasefiles 'Joe Sixpack'
  365. successfulaptgetupdate
  366. # New .deb but now an unsigned archive. For example MITM to circumvent
  367. # package verification.
  368. msgmsg 'Warm archive signed by' 'nobody'
  369. prepare "${PKGFILE}-new"
  370. find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
  371. updatewithwarnings 'W: .* no longer signed.'
  372. testsuccessequal "$(cat "${PKGFILE}-new")
  373. " aptcache show apt
  374. failaptnew
  375. # Unsigned archive from the beginning must also be detected.
  376. msgmsg 'Cold archive signed by' 'nobody'
  377. rm -rf rootdir/var/lib/apt/lists
  378. updatewithwarnings 'W: .* is not signed.'
  379. testsuccessequal "$(cat "${PKGFILE}-new")
  380. " aptcache show apt
  381. failaptnew
  382. }
  383. runtest3() {
  384. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  385. msgmsg "Running base test with $1 digest"
  386. runtest2
  387. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  388. export APT_DONT_SIGN="$DELETEFILE"
  389. msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
  390. runtest
  391. export APT_DONT_SIGN='Release.gpg'
  392. done
  393. }
  394. # disable some protection by default and ensure we still do the verification
  395. # correctly
  396. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  397. Acquire::AllowInsecureRepositories "1";
  398. Acquire::AllowDowngradeToInsecureRepositories "1";
  399. EOF
  400. # the hash marked as configurable in our gpgv method
  401. export APT_TESTS_DIGEST_ALGO='SHA224'
  402. successfulaptgetupdate() {
  403. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  404. if [ -n "$1" ]; then
  405. cp rootdir/tmp/testsuccess.output aptupdate.output
  406. testsuccess grep "$1" aptupdate.output
  407. fi
  408. }
  409. runtest3 'Trusted'
  410. successfulaptgetupdate() {
  411. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  412. if [ -n "$1" ]; then
  413. testsuccess grep "$1" rootdir/tmp/testwarning.output
  414. fi
  415. testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
  416. }
  417. runtest3 'Weak'
  418. msgmsg "Running test with apt-untrusted digest"
  419. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  420. runfailure() {
  421. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  422. export APT_DONT_SIGN="$DELETEFILE"
  423. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  424. prepare "${PKGFILE}"
  425. rm -rf rootdir/var/lib/apt/lists
  426. signreleasefiles 'Joe Sixpack'
  427. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  428. testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
  429. testnopackage 'apt'
  430. testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  431. failaptold
  432. rm -rf rootdir/var/lib/apt/lists
  433. sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
  434. testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  435. failaptold
  436. sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
  437. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  438. prepare "${PKGFILE}"
  439. rm -rf rootdir/var/lib/apt/lists
  440. signreleasefiles 'Marvin Paranoid'
  441. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  442. testnopackage 'apt'
  443. updatewithwarnings '^W: .* NO_PUBKEY'
  444. testsuccessequal "$(cat "${PKGFILE}")
  445. " aptcache show apt
  446. failaptold
  447. export APT_DONT_SIGN='Release.gpg'
  448. done
  449. }
  450. runfailure
  451. msgmsg "Running test with gpgv-untrusted digest"
  452. export APT_TESTS_DIGEST_ALGO='MD5'
  453. runfailure