Преглед изворни кода

gpgv: handle expired sig as worthless

Signatures on data can have an expiration date, too, which we hadn't
handled previously explicitly (no problem – gpg still has a non-zero
exit code so apt notices the invalid signature) so the error message
wasn't as helpful as it could be (aka mentioning the key signing it).
David Kalnischkies пре 10 година
родитељ
комит
1af227c2ea
3 измењених фајлова са 34 додато и 2 уклоњено
  1. 7 0
      methods/gpgv.cc
  2. 4 2
      test/integration/framework
  3. 23 0
      test/integration/test-releasefile-verification

+ 7 - 0
methods/gpgv.cc

@@ -37,6 +37,7 @@ using std::vector;
 #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG"
 #define GNUPGGOODSIG "[GNUPG:] GOODSIG"
 #define GNUPGEXPKEYSIG "[GNUPG:] EXPKEYSIG"
+#define GNUPGEXPSIG "[GNUPG:] EXPSIG"
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
 
@@ -188,6 +189,12 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
             std::clog << "Got EXPKEYSIG! " << std::endl;
          WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
       }
+      else if (strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0)
+      {
+         if (Debug == true)
+            std::clog << "Got EXPSIG!" << std::endl;
+         WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
+      }
       else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0)
       {
          if (Debug == true)

+ 4 - 2
test/integration/framework

@@ -1084,6 +1084,8 @@ setupaptarchive() {
 signreleasefiles() {
 	local SIGNER="${1:-Joe Sixpack}"
 	local REPODIR="${2:-aptarchive}"
+	if [ -n "$1" ]; then shift; fi
+	if [ -n "$1" ]; then shift; fi
 	local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')"
 	local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
 	msgninfo "\tSign archive with $SIGNER key $KEY… "
@@ -1111,9 +1113,9 @@ signreleasefiles() {
 		fi
 	fi
 	for RELEASE in $(find "${REPODIR}/" -name Release); do
-		testsuccess $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
+		testsuccess $GPG "$@" --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
 		local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
-		testsuccess $GPG --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
+		testsuccess $GPG "$@" --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
 		# we might have set a specific date for the Release file, so copy it
 		touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}"
 	done

+ 23 - 0
test/integration/test-releasefile-verification

@@ -129,6 +129,29 @@ runtest() {
 	failaptold
 	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 
+	msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
+	if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+		touch rootdir/etc/apt/apt.conf.d/99gnupg2
+	elif gpg2 --version >/dev/null 2>&1; then
+		echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
+		if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+			rm rootdir/etc/apt/apt.conf.d/99gnupg2
+		fi
+	fi
+	if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
+		prepare "${PKGFILE}"
+		rm -rf rootdir/var/lib/apt/lists
+		signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
+		find aptarchive/ -name "$DELETEFILE" -delete
+		updatewithwarnings '^W: .* EXPSIG'
+		testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+		failaptold
+		rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
+	else
+		msgskip 'Not a new enough gpg available providing --fake-system-time'
+	fi
+
 	msgmsg 'Cold archive signed by' 'Marvin Paranoid'
 	prepare "${PKGFILE}"
 	rm -rf rootdir/var/lib/apt/lists