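#!/bin/sh
# Integration test: checks how apt reacts to Release files signed by a
# trusted key, an expired key or an unknown key, and to unsigned archives.
set -e

# Quote every expansion so a checkout path containing spaces or glob
# characters still resolves to the directory that holds this script.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

setupenvironment
configarchitecture "i386"

buildaptarchive
setupflataptarchive
changetowebserver

# Sets the test web server option 'aptwebserver::support::range' to 'false'
# (presumably turns off HTTP range requests; confirm in the framework).
webserverconfig 'aptwebserver::support::range' 'false'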
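# Publish a Packages file in the test archive and regenerate its metadata.
# Globals:   PKGFILE (read)
# Arguments: $1 - Packages file copied to aptarchive/Packages
#            $2 - optional date handed to compressfile and
#                 generatereleasefiles; when omitted or 'now', the file
#                 "${PKGFILE}-new" gets 'now - 1 day', anything else
#                 'now - 7 day'
prepare() {
  local DATE="${2:-now}"
  if [ "$DATE" = 'now' ]; then
    if [ "$1" = "${PKGFILE}-new" ]; then
      DATE='now - 1 day'
    else
      DATE='now - 7 day'
    fi
  fi
  # Backdate everything already in the lists directory by a year. find hands
  # the paths straight to touch, so names with spaces or glob characters are
  # not word-split; the -d guard covers a lists directory that is absent.
  if [ -d rootdir/var/lib/apt/lists ]; then
    find rootdir/var/lib/apt/lists -exec touch -d 'now - 1 year' {} +
  fi
  aptget clean
  cp "$1" aptarchive/Packages
  # Remove the existing Release files before new ones are generated below.
  find aptarchive -name 'Release' -delete
  compressfile 'aptarchive/Packages' "$DATE"
  generatereleasefiles "$DATE"
}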
# Expect a download-only install of apt to succeed and to fetch version
# 0.7.25.3 from the test web server.
# NOTE(review): the listing this was taken from had its leading whitespace
# stripped, so any indentation apt prints inside the expected text could not
# be recovered; compare with real output before relying on it.
installaptold() {
  local expected='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
Get:1 http://localhost:8080 apt 0.7.25.3
Download complete and in download only mode'
  testsuccessequal "$expected" aptget install apt -dy
}
# Expect a download-only install of apt to succeed and to fetch version
# 0.8.0~pre1 from the test web server.
# NOTE(review): the listing this was taken from had its leading whitespace
# stripped, so any indentation apt prints inside the expected text could not
# be recovered; compare with real output before relying on it.
installaptnew() {
  local expected='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
Get:1 http://localhost:8080 apt 0.8.0~pre1
Download complete and in download only mode'
  testsuccessequal "$expected" aptget install apt -dy
}
# Expect the download-only install of the old apt (5370 kB) to be refused:
# apt must warn that the package cannot be authenticated and, because -y is
# given without --force-yes, stop with an error instead of downloading.
# NOTE(review): the listing this was taken from had its leading whitespace
# stripped, so any indentation apt prints inside the expected text could not
# be recovered; compare with real output before relying on it.
failaptold() {
  local expected='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5370 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
apt
E: There are problems and -y was used without --force-yes'
  testfailureequal "$expected" aptget install apt -dy
}
# Expect the download-only install of the new apt (5808 kB) to be refused:
# apt must warn that the package cannot be authenticated and, because -y is
# given without --force-yes, stop with an error instead of downloading.
# NOTE(review): the listing this was taken from had its leading whitespace
# stripped, so any indentation apt prints inside the expected text could not
# be recovered; compare with real output before relying on it.
failaptnew() {
  local expected='Reading package lists...
Building dependency tree...
Suggested packages:
aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
The following NEW packages will be installed:
apt
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 5808 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
apt
E: There are problems and -y was used without --force-yes'
  testfailureequal "$expected" aptget install apt -dy
}
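# fake our downloadable file
touch aptarchive/apt.deb

# Derive the Packages fixture from this script's own name: a leading "test-"
# in the basename becomes "Packages-". "$0" is quoted so a script path with
# spaces is not split before basename sees it.
PKGFILE="${TESTDIR}/$(basename "$0" | sed 's#^test-#Packages-#')"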
# Run `aptget update` through the framework's testwarning helper with
# acquire-worker and gpgv debugging switched on, then require that the
# captured output contains a line matching the given pattern.
# Arguments: $1 - extended regular expression (grep -E) searched for in
#                 rootdir/tmp/testwarning.output
updatewithwarnings() {
  local pattern="$1"
  testwarning aptget update \
    -o Debug::pkgAcquire::Worker=1 \
    -o Debug::Acquire::gpgv=1
  testsuccess grep -E "$pattern" rootdir/tmp/testwarning.output
}
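# Walk through signed-archive scenarios and check, for each one, which
# package index ends up in the cache and whether apt may be installed.
# "Cold" scenarios wipe rootdir/var/lib/apt/lists first; "warm" scenarios
# update on top of the lists left by the previous scenario.
# Globals:   PKGFILE    (read) old Packages fixture; "${PKGFILE}-new" is the
#                       newer one
#            DELETEFILE (read) name of the signature-carrying file removed
#                       from the archive after signing
# Every ${PKGFILE} expansion is quoted so a fixture path with spaces or glob
# characters is passed through as a single word.
runtest() {
  # Cold archive, trusted signer: update succeeds, old apt installs.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Warm archive, trusted signer: the newer index is accepted.
  prepare "${PKGFILE}-new"
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  # Cold archive, expired key present in the trust store: update warns with
  # KEYEXPIRED and the install is refused as unauthenticated.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  signreleasefiles 'Rex Expired'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Rex Expired'
  updatewithwarnings '^W: .* KEYEXPIRED'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  failaptold
  rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

  # Cold archive, signer whose key is not in the trust store: update warns
  # with NO_PUBKEY and the install is refused as unauthenticated.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  updatewithwarnings '^W: .* NO_PUBKEY'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  failaptold

  # Warm update on top of the unauthenticated lists, trusted signer again:
  # the new index is accepted and the new apt installs.
  prepare "${PKGFILE}-new"
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  # Re-establish a verified cold state with the old index.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Warm archive, unknown signer: update warns with NO_PUBKEY and the cache
  # must still show the previously verified OLD index, which stays
  # installable. The unverifiable newer data must not replace it.
  prepare "${PKGFILE}-new"
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  updatewithwarnings '^W: .* NO_PUBKEY'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Warm archive, expired key: same expectation, the verified old index is
  # kept and stays installable.
  prepare "${PKGFILE}-new"
  cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  signreleasefiles 'Rex Expired'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Rex Expired'
  updatewithwarnings '^W: .* KEYEXPIRED'
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold
  rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg

  # Warm archive signed again with no signer named: the framework default is
  # used (the message says Joe Sixpack; presumably that is the default,
  # confirm in the framework). The newer index is accepted.
  prepare "${PKGFILE}-new"
  signreleasefiles
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  testsuccess aptget update
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  installaptnew

  # Cold archive with the sources pinned via [signed-by=<keyring file>] to
  # Marvin's key: his signature verifies although the key is not in the
  # global trust store.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  # Declaration and assignment are split so that a failing command
  # substitution is not hidden behind the exit status of `local`.
  local MARVIN
  MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  # NOTE(review): $MARVIN is spliced into sed expressions that use '#' as
  # delimiter; this relies on the value containing no '#', '&' or backslash.
  sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  testsuccess aptget update -o Debug::pkgAcquire::Worker=1
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold

  # Same pin, but the archive is signed by Joe: a globally trusted key must
  # not satisfy a source pinned to another keyring, so NO_PUBKEY is expected.
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  updatewithwarnings '^W: .* NO_PUBKEY'

  # Drop the keyring pin and switch MARVIN from the keyring path to the key
  # fingerprint with the spaces removed.
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  MARVIN="$(aptkey --keyring "$MARVIN" finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"

  # Cold archive with the sources pinned via [signed-by=<fingerprint>]; the
  # key itself is placed in the trust store for this scenario only.
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Marvin Paranoid'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
  installaptold
  rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg

  # Same fingerprint pin, but the archive is signed by Joe: the update must
  # warn that the signature cannot be verified.
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  find aptarchive/ -name "$DELETEFILE" -delete
  msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  updatewithwarnings '^W: .* be verified because the public key is not available: .*'

  # Remove the fingerprint pin so the sources are back to their plain form.
  sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
}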
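# Check that an archive which loses its signature, or never had one, is
# noticed: the update warns and the install is refused as unauthenticated.
# This runs with the insecure-repository options that this script writes to
# apt.conf.d/weaken-security, so the update itself is expected to go through
# with warnings only.
# Globals: PKGFILE (read); every expansion is quoted so a fixture path with
#          spaces or glob characters is passed through as a single word.
runtest2() {
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
  signreleasefiles 'Joe Sixpack'
  msgmsg 'Cold archive signed by' 'Joe Sixpack'
  testsuccess aptget update

  # New .deb but now an unsigned archive. For example MITM to circumvent
  # package verification.
  prepare "${PKGFILE}-new"
  find aptarchive/ -name InRelease -delete
  find aptarchive/ -name Release.gpg -delete
  msgmsg 'Warm archive signed by' 'nobody'
  # The pattern is handed to grep -E by updatewithwarnings, so its final '.'
  # is a wildcard and matches any single trailing character.
  updatewithwarnings 'W: .* no longer signed.'
  # The unsigned index is taken into the cache, but failaptnew asserts that
  # installing from it is still refused.
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  failaptnew

  # Unsigned archive from the beginning must also be detected.
  rm -rf rootdir/var/lib/apt/lists
  msgmsg 'Cold archive signed by' 'nobody'
  updatewithwarnings 'W: .* is not signed.'
  testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
  failaptnew
}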
# Disable some protection by default and ensure we still do the verification
# correctly. The two options below allow insecure repositories and allow a
# downgrade to an insecure repository; they are written only into the test
# root (rootdir/), and the scenarios that follow still expect unauthenticated
# installs to be refused.
printf '%s\n' \
  'Acquire::AllowInsecureRepositories "1";' \
  'Acquire::AllowDowngradeToInsecureRepositories "1";' \
  > rootdir/etc/apt/apt.conf.d/weaken-security

msgmsg "Runing base test"
runtest2

# Run the full scenario list twice, once per signature-carrying file that is
# removed from the archive after signing.
for DELETEFILE in 'InRelease' 'Release.gpg'; do
  msgmsg "Running test with deletion of $DELETEFILE"
  runtest
done