test-releasefile-verification 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347
  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. buildaptarchive
  8. setupflataptarchive
  9. changetowebserver
  10. webserverconfig 'aptwebserver::support::range' 'false'
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' "$release"
  22. done
  23. aptget clean
  24. cp "$1" aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE"
  28. }
  29. installaptold() {
  30. testsuccessequal "Reading package lists...
  31. Building dependency tree...
  32. Suggested packages:
  33. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  34. The following NEW packages will be installed:
  35. apt
  36. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  37. After this operation, 5370 kB of additional disk space will be used.
  38. Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
  39. Download complete and in download only mode" aptget install apt -dy
  40. }
  41. installaptnew() {
  42. testsuccessequal "Reading package lists...
  43. Building dependency tree...
  44. Suggested packages:
  45. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  46. The following NEW packages will be installed:
  47. apt
  48. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  49. After this operation, 5808 kB of additional disk space will be used.
  50. Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
  51. Download complete and in download only mode" aptget install apt -dy
  52. }
  53. failaptold() {
  54. testfailureequal 'Reading package lists...
  55. Building dependency tree...
  56. Suggested packages:
  57. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  58. The following NEW packages will be installed:
  59. apt
  60. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  61. After this operation, 5370 kB of additional disk space will be used.
  62. WARNING: The following packages cannot be authenticated!
  63. apt
  64. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  65. }
  66. failaptnew() {
  67. testfailureequal 'Reading package lists...
  68. Building dependency tree...
  69. Suggested packages:
  70. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  71. The following NEW packages will be installed:
  72. apt
  73. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  74. After this operation, 5808 kB of additional disk space will be used.
  75. WARNING: The following packages cannot be authenticated!
  76. apt
  77. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  78. }
  79. # fake our downloadable file
  80. touch aptarchive/apt.deb
  81. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  82. updatewithwarnings() {
  83. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  84. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  85. }
  86. runtest() {
  87. local DELETEFILE="$1"
  88. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  89. prepare "${PKGFILE}"
  90. rm -rf rootdir/var/lib/apt/lists
  91. signreleasefiles 'Joe Sixpack'
  92. find aptarchive/ -name "$DELETEFILE" -delete
  93. successfulaptgetupdate
  94. testsuccessequal "$(cat "${PKGFILE}")
  95. " aptcache show apt
  96. installaptold
  97. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  98. prepare "${PKGFILE}-new"
  99. signreleasefiles 'Joe Sixpack'
  100. find aptarchive/ -name "$DELETEFILE" -delete
  101. successfulaptgetupdate
  102. testsuccessequal "$(cat "${PKGFILE}-new")
  103. " aptcache show apt
  104. installaptnew
  105. msgmsg 'Cold archive signed by' 'Rex Expired'
  106. prepare "${PKGFILE}"
  107. rm -rf rootdir/var/lib/apt/lists
  108. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  109. signreleasefiles 'Rex Expired'
  110. find aptarchive/ -name "$DELETEFILE" -delete
  111. updatewithwarnings '^W: .* EXPKEYSIG'
  112. testsuccessequal "$(cat "${PKGFILE}")
  113. " aptcache show apt
  114. failaptold
  115. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  116. msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
  117. if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  118. touch rootdir/etc/apt/apt.conf.d/99gnupg2
  119. elif gpg2 --version >/dev/null 2>&1; then
  120. echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
  121. if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  122. rm rootdir/etc/apt/apt.conf.d/99gnupg2
  123. fi
  124. fi
  125. if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
  126. prepare "${PKGFILE}"
  127. rm -rf rootdir/var/lib/apt/lists
  128. signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
  129. find aptarchive/ -name "$DELETEFILE" -delete
  130. updatewithwarnings '^W: .* EXPSIG'
  131. testsuccessequal "$(cat "${PKGFILE}")
  132. " aptcache show apt
  133. failaptold
  134. rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
  135. else
  136. msgskip 'Not a new enough gpg available providing --fake-system-time'
  137. fi
  138. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  139. prepare "${PKGFILE}"
  140. rm -rf rootdir/var/lib/apt/lists
  141. signreleasefiles 'Marvin Paranoid'
  142. find aptarchive/ -name "$DELETEFILE" -delete
  143. updatewithwarnings '^W: .* NO_PUBKEY'
  144. testsuccessequal "$(cat "${PKGFILE}")
  145. " aptcache show apt
  146. failaptold
  147. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  148. prepare "${PKGFILE}-new"
  149. signreleasefiles 'Joe Sixpack'
  150. find aptarchive/ -name "$DELETEFILE" -delete
  151. successfulaptgetupdate
  152. testsuccessequal "$(cat "${PKGFILE}-new")
  153. " aptcache show apt
  154. installaptnew
  155. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  156. prepare "${PKGFILE}"
  157. rm -rf rootdir/var/lib/apt/lists
  158. signreleasefiles 'Joe Sixpack'
  159. find aptarchive/ -name "$DELETEFILE" -delete
  160. successfulaptgetupdate
  161. testsuccessequal "$(cat "${PKGFILE}")
  162. " aptcache show apt
  163. installaptold
  164. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  165. prepare "${PKGFILE}-new"
  166. signreleasefiles 'Marvin Paranoid'
  167. find aptarchive/ -name "$DELETEFILE" -delete
  168. updatewithwarnings '^W: .* NO_PUBKEY'
  169. testsuccessequal "$(cat "${PKGFILE}")
  170. " aptcache show apt
  171. installaptold
  172. msgmsg 'Good warm archive signed by' 'Rex Expired'
  173. prepare "${PKGFILE}-new"
  174. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  175. signreleasefiles 'Rex Expired'
  176. find aptarchive/ -name "$DELETEFILE" -delete
  177. updatewithwarnings '^W: .* EXPKEYSIG'
  178. testsuccessequal "$(cat "${PKGFILE}")
  179. " aptcache show apt
  180. installaptold
  181. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  182. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  183. prepare "${PKGFILE}-new"
  184. signreleasefiles
  185. find aptarchive/ -name "$DELETEFILE" -delete
  186. successfulaptgetupdate
  187. testsuccessequal "$(cat "${PKGFILE}-new")
  188. " aptcache show apt
  189. installaptnew
  190. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  191. prepare "${PKGFILE}"
  192. rm -rf rootdir/var/lib/apt/lists
  193. signreleasefiles 'Marvin Paranoid'
  194. find aptarchive/ -name "$DELETEFILE" -delete
  195. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  196. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  197. successfulaptgetupdate
  198. testsuccessequal "$(cat "${PKGFILE}")
  199. " aptcache show apt
  200. installaptold
  201. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  202. rm -rf rootdir/var/lib/apt/lists
  203. signreleasefiles 'Joe Sixpack'
  204. find aptarchive/ -name "$DELETEFILE" -delete
  205. updatewithwarnings '^W: .* NO_PUBKEY'
  206. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  207. local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  208. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  209. prepare "${PKGFILE}"
  210. rm -rf rootdir/var/lib/apt/lists
  211. signreleasefiles 'Marvin Paranoid'
  212. find aptarchive/ -name "$DELETEFILE" -delete
  213. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  214. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  215. successfulaptgetupdate
  216. testsuccessequal "$(cat "${PKGFILE}")
  217. " aptcache show apt
  218. installaptold
  219. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  220. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  221. rm -rf rootdir/var/lib/apt/lists
  222. signreleasefiles 'Joe Sixpack'
  223. find aptarchive/ -name "$DELETEFILE" -delete
  224. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  225. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  226. }
  227. runtest2() {
  228. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  229. prepare "${PKGFILE}"
  230. rm -rf rootdir/var/lib/apt/lists
  231. signreleasefiles 'Joe Sixpack'
  232. successfulaptgetupdate
  233. # New .deb but now an unsigned archive. For example MITM to circumvent
  234. # package verification.
  235. msgmsg 'Warm archive signed by' 'nobody'
  236. prepare "${PKGFILE}-new"
  237. find aptarchive/ -name InRelease -delete
  238. find aptarchive/ -name Release.gpg -delete
  239. updatewithwarnings 'W: .* no longer signed.'
  240. testsuccessequal "$(cat "${PKGFILE}-new")
  241. " aptcache show apt
  242. failaptnew
  243. # Unsigned archive from the beginning must also be detected.
  244. msgmsg 'Cold archive signed by' 'nobody'
  245. rm -rf rootdir/var/lib/apt/lists
  246. updatewithwarnings 'W: .* is not signed.'
  247. testsuccessequal "$(cat "${PKGFILE}-new")
  248. " aptcache show apt
  249. failaptnew
  250. }
  251. runtest3() {
  252. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  253. msgmsg "Running base test with $1 digest"
  254. runtest2
  255. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  256. msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
  257. runtest "$DELETEFILE"
  258. done
  259. }
  260. # diable some protection by default and ensure we still do the verification
  261. # correctly
  262. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  263. Acquire::AllowInsecureRepositories "1";
  264. Acquire::AllowDowngradeToInsecureRepositories "1";
  265. EOF
  266. # the hash marked as configureable in our gpgv method
  267. export APT_TESTS_DIGEST_ALGO='SHA224'
  268. successfulaptgetupdate() {
  269. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  270. }
  271. runtest3 'Trusted'
  272. successfulaptgetupdate() {
  273. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  274. testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
  275. }
  276. runtest3 'Weak'
  277. msgmsg "Running test with apt-untrusted digest"
  278. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  279. runfailure() {
  280. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  281. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  282. prepare "${PKGFILE}"
  283. rm -rf rootdir/var/lib/apt/lists
  284. signreleasefiles 'Joe Sixpack'
  285. find aptarchive/ -name "$DELETEFILE" -delete
  286. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  287. testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
  288. testnopackage 'apt'
  289. testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  290. failaptold
  291. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  292. prepare "${PKGFILE}"
  293. rm -rf rootdir/var/lib/apt/lists
  294. signreleasefiles 'Marvin Paranoid'
  295. find aptarchive/ -name "$DELETEFILE" -delete
  296. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  297. testnopackage 'apt'
  298. updatewithwarnings '^W: .* NO_PUBKEY'
  299. testsuccessequal "$(cat "${PKGFILE}")
  300. " aptcache show apt
  301. failaptold
  302. done
  303. }
  304. runfailure
  305. msgmsg "Running test with gpgv-untrusted digest"
  306. export APT_TESTS_DIGEST_ALGO='MD5'
  307. runfailure