Kaynağa Gözat

test Release file handling with expired keys

Signing files with expired keys is not as easy as it sounds, so the
framework jumps a few loops to do it, but it might come in handy to have
an expired key around for later tests even if it is not that different
from having no key in regards to APT behaviour.

Git-Dch: Ignore
David Kalnischkies 13 yıl önce
ebeveyn
işleme
29a59c4604

+ 29 - 6
test/integration/framework

@@ -711,22 +711,45 @@ setupaptarchive() {
 
 signreleasefiles() {
 	local SIGNER="${1:-Joe Sixpack}"
+	local GPG="gpg --batch --yes --no-default-keyring --trustdb-name rootdir/etc/apt/trustdb.gpg"
 	msgninfo "\tSign archive with $SIGNER key… "
-	local SECKEYS=""
+	local REXKEY='keys/rexexpired'
+	local SECEXPIREBAK="${REXKEY}.sec.bak"
+	local PUBEXPIREBAK="${REXKEY}.pub.bak"
+	if [ "${SIGNER}" = 'Rex Expired' ]; then
+		# the key is expired, so gpg doesn't allow to sign with and the --faked-system-time
+		# option doesn't exist anymore (and using faketime would add a new obscure dependency)
+		# therefore we 'temporary' make the key not expired and restore a backup after signing
+		cp ${REXKEY}.sec $SECEXPIREBAK
+		cp ${REXKEY}.pub $PUBEXPIREBAK
+		local SECUNEXPIRED="${REXKEY}.sec.unexpired"
+		local PUBUNEXPIRED="${REXKEY}.pub.unexpired"
+		if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then
+			cp $SECUNEXPIRED ${REXKEY}.sec
+			cp $PUBUNEXPIRED ${REXKEY}.pub
+		else
+			printf "expire\n1w\nsave\n" | $GPG --keyring ${REXKEY}.pub --secret-keyring ${REXKEY}.sec --command-fd 0 --edit-key "${SIGNER}" >/dev/null 2>&1 || true
+			cp ${REXKEY}.sec $SECUNEXPIRED
+			cp ${REXKEY}.pub $PUBUNEXPIRED
+		fi
+	fi
 	for KEY in $(find keys/ -name '*.sec'); do
-		SECKEYS="$SECKEYS --secret-keyring $KEY"
+		GPG="$GPG --secret-keyring $KEY"
 	done
-	local PUBKEYS=""
 	for KEY in $(find keys/ -name '*.pub'); do
-		PUBKEYS="$PUBKEYS --keyring $KEY"
+		GPG="$GPG --keyring $KEY"
 	done
 	for RELEASE in $(find aptarchive/ -name Release); do
-		gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" -abs -o ${RELEASE}.gpg ${RELEASE}
+		$GPG --default-key "$SIGNER" --armor --detach-sign --sign --output ${RELEASE}.gpg ${RELEASE}
 		local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
-		gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" --clearsign -o $INRELEASE $RELEASE
+		$GPG --default-key "$SIGNER" --clearsign --output $INRELEASE $RELEASE
 		# we might have set a specific date for the Release file, so copy it
 		touch -d "$(stat --format "%y" ${RELEASE})" ${RELEASE}.gpg ${INRELEASE}
 	done
+	if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then
+		mv -f $SECEXPIREBAK ${REXKEY}.sec
+		mv -f $PUBEXPIREBAK ${REXKEY}.pub
+	fi
 	msgdone "info"
 }
 

BIN
test/integration/rexexpired.pub


BIN
test/integration/rexexpired.sec


+ 33 - 2
test/integration/test-releasefile-verification

@@ -107,13 +107,24 @@ runtest() {
 " aptcache show apt
 	installaptnew
 
+	prepare ${PKGFILE}
+	rm -rf rootdir/var/lib/apt/lists
+	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+	signreleasefiles 'Rex Expired'
+	find aptarchive/ -name "$DELETEFILE" -delete
+	msgtest 'Cold archive signed by' 'Rex Expired'
+	aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
+	testequal "$(cat ${PKGFILE})
+" aptcache show apt
+	failaptold
+	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 
 	prepare ${PKGFILE}
 	rm -rf rootdir/var/lib/apt/lists
 	signreleasefiles 'Marvin Paranoid'
 	find aptarchive/ -name "$DELETEFILE" -delete
 	msgtest 'Cold archive signed by' 'Marvin Paranoid'
-	aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+	aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
 	testequal "$(cat ${PKGFILE})
 " aptcache show apt
 	failaptold
@@ -147,10 +158,30 @@ runtest() {
 	signreleasefiles 'Marvin Paranoid'
 	find aptarchive/ -name "$DELETEFILE" -delete
 	msgtest 'Good warm archive signed by' 'Marvin Paranoid'
-	aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+	aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
+	testequal "$(cat ${PKGFILE})
+" aptcache show apt
+	installaptold
+
+	prepare ${PKGFILE}-new
+	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+	signreleasefiles 'Rex Expired'
+	find aptarchive/ -name "$DELETEFILE" -delete
+	msgtest 'Good warm archive signed by' 'Rex Expired'
+	aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
 	testequal "$(cat ${PKGFILE})
 " aptcache show apt
 	installaptold
+	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+
+	prepare ${PKGFILE}-new
+	signreleasefiles
+	find aptarchive/ -name "$DELETEFILE" -delete
+	msgtest 'Good warm archive signed by' 'Joe Sixpack'
+	aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgfail || msgpass
+	testequal "$(cat ${PKGFILE}-new)
+" aptcache show apt
+	installaptnew
 }
 
 runtest2() {