  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. export APT_DONT_SIGN='Release.gpg'
  8. buildaptarchive
  9. setupflataptarchive
  10. changetowebserver
  11. webserverconfig 'aptwebserver::support::range' 'false'
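#######################################
# Stage a Packages file as the archive content and regenerate the
# Release files for it.
# Arguments: $1 - Packages file to serve
#            $2 - timestamp passed to compressfile and as the first
#                 argument of generatereleasefiles (default 'now'); with
#                 the default the "-new" fixture is dated one day back and
#                 anything else one week back, so a warm update sees a
#                 newer archive than the one it has stored
# Globals:   PKGFILE (read)
#######################################
prepare() {
  local DATE="${2:-now}"
  if [ "$DATE" = 'now' ]; then
    if [ "$1" = "${PKGFILE}-new" ]; then
      DATE='now - 1 day'
    else
      DATE='now - 7 day'
    fi
  fi
  # Age everything under the lists dir by a year (presumably so the next
  # update does not treat the stored files as fresh).  find -exec handles
  # paths with whitespace, unlike the word-split $(find ...) loop it
  # replaces; the directory is absent in cold scenarios, hence the guard.
  if [ -d rootdir/var/lib/apt/lists ]; then
    find rootdir/var/lib/apt/lists -exec touch -d 'now - 1 year' {} +
  fi
  aptget clean
  cp "$1" aptarchive/Packages
  # drop stale Release files before generating new ones
  find aptarchive -name 'Release' -delete
  compressfile 'aptarchive/Packages' "$DATE"
  generatereleasefiles "$DATE" 'now + 1 month'
}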
installaptold() {
  # A fresh download-only install of the old 'apt' (0.7.25.3) from the
  # archive must be accepted without authentication complaints.
  local expected
  expected="Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
Download complete and in download only mode"
  rm -rf rootdir/var/cache/apt/archives
  testsuccessequal "$expected" aptget install apt -dy
}
installaptnew() {
  # A fresh download-only install of the new 'apt' (0.8.0~pre1) from the
  # archive must be accepted without authentication complaints.
  local expected
  expected="Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
Download complete and in download only mode"
  rm -rf rootdir/var/cache/apt/archives
  testsuccessequal "$expected" aptget install apt -dy
}
failaptold() {
  # Installing the old 'apt' must be refused: the package is resolvable
  # but unauthenticated, and -y without --allow-unauthenticated is an error.
  local expected='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated'
  testfailureequal "$expected" aptget install apt -dy
}
failaptnew() {
  # Installing the new 'apt' must be refused: the package is resolvable
  # but unauthenticated, and -y without --allow-unauthenticated is an error.
  local expected='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
apt
E: There were unauthenticated packages and -y was used without --allow-unauthenticated'
  testfailureequal "$expected" aptget install apt -dy
}
  82. # fake our downloadable file
  83. touch aptarchive/apt.deb
  84. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
updatewithwarnings() {
  # 'apt-get update' is expected to finish with warnings, and $1 (an
  # extended regex) must match the captured warning output.
  local pattern="$1"
  testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  testsuccess grep -E "$pattern" rootdir/tmp/testwarning.output
}
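#######################################
# Drive apt-get update / install through the signature scenarios under
# test: trusted, expired and unknown signing keys, signature expiry,
# [signed-by=] pinning in sources.list and Signed-By fields in already
# stored Release files.  "Cold" scenarios start from an empty lists
# directory; "warm" ones keep the lists of the previous scenario, so a
# rejected update has to leave the previously accepted Packages file (and
# thus the old 'apt' version) in place.
# Globals:   PKGFILE (read)
# Arguments: none
#######################################
runtest() {
  local MARVIN SIXPACK

  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  prepare "${PKGFILE}-new"
  signreleasefiles 'Joe Sixpack'
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  msgmsg 'Cold archive signed by' 'Rex Expired'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  signreleasefiles 'Rex Expired'
  # an expired key is only a warning for update, but the package must
  # still be refused as unauthenticated
  updatewithwarnings '^W: .* EXPKEYSIG'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  failaptold
  rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

  msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
  # The expired-signature scenario needs gpg's --faked-system-time.  Probe
  # the version (third field of the second line of 'apt-key adv --version',
  # presumably the "gpg (GnuPG) x.y.z" line) and fall back to configuring
  # gpg2 if the default gpg is too old.  99gnupg2 both records the
  # decision and, when non-empty, carries the gpgcommand override.
  if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
    touch rootdir/etc/apt/apt.conf.d/99gnupg2
  elif gpg2 --version >/dev/null 2>&1; then
    echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
    # re-probe with the override active; drop it again if gpg2 is old too
    if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
      rm rootdir/etc/apt/apt.conf.d/99gnupg2
    fi
  fi
  if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
    prepare "${PKGFILE}"
    rm -rf rootdir/var/lib/apt/lists
    signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
    updatewithwarnings '^W: .* EXPSIG'
    testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
    failaptold
    rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
  else
    msgskip 'Not a new enough gpg available providing --fake-system-time'
  fi

  msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack,Marvin Paranoid'
  # one good signature suffices; the unknown second key is only reported
  successfulaptgetupdate 'NO_PUBKEY'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack,Rex Expired'
  cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  successfulaptgetupdate 'EXPKEYSIG'
  rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  updatewithwarnings '^W: .* NO_PUBKEY'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  failaptold

  msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  prepare "${PKGFILE}-new"
  signreleasefiles 'Joe Sixpack'
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Warm archives whose new Release cannot be verified must not replace the
  # lists stored by the trusted update above: apt-cache keeps showing the
  # old Packages file and only the old version is installable.
  msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  prepare "${PKGFILE}-new"
  signreleasefiles 'Marvin Paranoid'
  updatewithwarnings '^W: .* NO_PUBKEY'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  msgmsg 'Good warm archive signed by' 'Rex Expired'
  prepare "${PKGFILE}-new"
  cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  signreleasefiles 'Rex Expired'
  updatewithwarnings '^W: .* EXPKEYSIG'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold
  rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

  msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  prepare "${PKGFILE}-new"
  signreleasefiles
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  # [signed-by=] pinning in sources.list, first by keyring path, then by
  # fingerprint.  Marvin Paranoid is not in trusted.gpg.d at this point, so
  # the pin is the only thing that can make his signature acceptable.
  msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  # assignment kept separate from 'local' so a readlink failure is not
  # masked under set -e
  MARVIN=$(readlink -f keys/marvinparanoid.pub)
  # NOTE: the keyring path (and later the fingerprints) is spliced into a
  # '#'-delimited sed expression unescaped; this relies on the test
  # directory containing no '#' or sed metacharacters.
  sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  updatewithwarnings '^W: .* NO_PUBKEY'
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*

  # From here on MARVIN holds Marvin's key fingerprint instead of the
  # keyring path (the path is quoted: it is a test-environment location).
  MARVIN=$(aptkey --keyring "$MARVIN" finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')
  msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  updatewithwarnings '^W: .* be verified because the public key is not available: .*'

  msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid,Joe Sixpack'
  successfulaptgetupdate 'NoPubKey: GOODSIG'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  SIXPACK=$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')
  msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # same again with the two fingerprints in the opposite order
  msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  rm -rf rootdir/var/lib/apt/lists
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold
  rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*

  # Signed-By inside already stored Release files.  Keep a pristine copy of
  # the lists so every scenario edits a fresh one; the stored Release files
  # are dated a year back (presumably so the update re-fetches them).
  rm -rf rootdir/var/lib/apt/lists-bak
  cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
  prepare "${PKGFILE}-new"
  signreleasefiles 'Joe Sixpack'

  msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
  sed -i "/^Valid-Until: / a\
Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
  rm -rf rootdir/var/lib/apt/lists
  cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  updatewithwarnings 'W: .* public key is not available: GOODSIG'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Contrast with the previous scenario: a stored Release that is itself
  # past Valid-Until no longer pins the signing key, so the Joe-signed
  # update goes through.
  msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
  rm -rf rootdir/var/lib/apt/lists
  cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  sed -i "/^Valid-Until: / a\
Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
  rm -rf rootdir/var/lib/apt/lists
  cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN} ${MARVIN}, \\
${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  successfulaptgetupdate
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew
}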
runtest2() {
  # Signed-to-unsigned transitions: a warm archive that drops its signature
  # and an archive that never had one must both be flagged as warnings, and
  # installing from them must fail as unauthenticated -- even though
  # apt-cache shows the (unverified) new Packages file, presumably because
  # the weaken-security config allows insecure repositories.
  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  successfulaptgetupdate
  # New .deb but now an unsigned archive. For example MITM to circumvent
  # package verification.
  msgmsg 'Warm archive signed by' 'nobody'
  prepare "${PKGFILE}-new"
  find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
  updatewithwarnings 'W: .* no longer signed.'
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  failaptnew
  # Unsigned archive from the beginning must also be detected.
  msgmsg 'Cold archive signed by' 'nobody'
  rm -rf rootdir/var/lib/apt/lists
  updatewithwarnings 'W: .* is not signed.'
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  failaptnew
}
runtest3() {
  # Run the unsigned-archive tests and then the full signature matrix for
  # each signature file type, with the configured digest algorithm set to
  # the trust state given in $1 (the APT::Hashes::<algo>::<state> option).
  # APT_DONT_SIGN is restored to its default after the loop.
  local truststate="$1"
  echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$truststate \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  msgmsg "Running base test with $truststate digest"
  runtest2
  for DELETEFILE in InRelease Release.gpg; do
    export APT_DONT_SIGN="$DELETEFILE"
    msgmsg "Running test with deletion of $DELETEFILE and $truststate digest"
    runtest
    export APT_DONT_SIGN='Release.gpg'
  done
}
  334. # diable some protection by default and ensure we still do the verification
  335. # correctly
  336. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  337. Acquire::AllowInsecureRepositories "1";
  338. Acquire::AllowDowngradeToInsecureRepositories "1";
  339. EOF
  340. # the hash marked as configureable in our gpgv method
  341. export APT_TESTS_DIGEST_ALGO='SHA224'
successfulaptgetupdate() {
  # 'apt-get update' must succeed outright; when a pattern is given it must
  # additionally match the captured output.
  local pattern="$1"
  testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  [ -z "$pattern" ] && return 0
  cp rootdir/tmp/testsuccess.output aptupdate.output
  testsuccess grep "$pattern" aptupdate.output
}
  349. runtest3 'Trusted'
successfulaptgetupdate() {
  # Redefinition for the weak-digest pass: 'apt-get update' now ends with
  # warnings, the weak-digest warning must always be among them, and an
  # optional pattern must match too.
  local pattern="$1"
  testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  if [ -n "$pattern" ]; then testsuccess grep "$pattern" rootdir/tmp/testwarning.output; fi
  testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
  357. runtest3 'Weak'
  358. msgmsg "Running test with apt-untrusted digest"
  359. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
runfailure() {
  # With the configured digest untrusted, 'apt-get update' has to fail hard
  # unless insecure repositories are explicitly allowed, and even then
  # installing from the archive must be refused as unauthenticated.  Runs
  # once per signature file type; APT_DONT_SIGN is restored afterwards.
  for DELETEFILE in 'InRelease' 'Release.gpg'; do
    export APT_DONT_SIGN="$DELETEFILE"
    msgmsg 'Cold archive signed by' 'Joe Sixpack'
    prepare "${PKGFILE}"
    rm -rf rootdir/var/lib/apt/lists
    signreleasefiles 'Joe Sixpack'
    # a signature from a trusted key over an untrusted digest counts as
    # invalid, not merely weak
    testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
    testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
    testnopackage 'apt'
    testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
    failaptold
    msgmsg 'Cold archive signed by' 'Marvin Paranoid'
    prepare "${PKGFILE}"
    rm -rf rootdir/var/lib/apt/lists
    signreleasefiles 'Marvin Paranoid'
    testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
    testnopackage 'apt'
    # unknown key: without the --no-allow flag (and with the weaken-security
    # config, presumably) the update goes through with a NO_PUBKEY warning
    updatewithwarnings '^W: .* NO_PUBKEY'
    testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
    failaptold
    export APT_DONT_SIGN='Release.gpg'
  done
}
  385. runfailure
  386. msgmsg "Running test with gpgv-untrusted digest"
  387. export APT_TESTS_DIGEST_ALGO='MD5'
  388. runfailure