test-releasefile-verification 8.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277
  1. #!/bin/sh
  2. set -e
  3. TESTDIR=$(readlink -f $(dirname $0))
  4. . $TESTDIR/framework
  5. setupenvironment
  6. configarchitecture "i386"
  7. buildaptarchive
  8. setupflataptarchive
  9. changetowebserver
  10. webserverconfig 'aptwebserver::support::range' 'false'
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' $release
  22. done
  23. aptget clean
  24. cp $1 aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE"
  28. }
  29. installaptold() {
  30. testsuccessequal 'Reading package lists...
  31. Building dependency tree...
  32. Suggested packages:
  33. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  34. The following NEW packages will be installed:
  35. apt
  36. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  37. After this operation, 5370 kB of additional disk space will be used.
  38. Get:1 http://localhost:8080 apt 0.7.25.3
  39. Download complete and in download only mode' aptget install apt -dy
  40. }
  41. installaptnew() {
  42. testsuccessequal 'Reading package lists...
  43. Building dependency tree...
  44. Suggested packages:
  45. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  46. The following NEW packages will be installed:
  47. apt
  48. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  49. After this operation, 5808 kB of additional disk space will be used.
  50. Get:1 http://localhost:8080 apt 0.8.0~pre1
  51. Download complete and in download only mode' aptget install apt -dy
  52. }
  53. failaptold() {
  54. testfailureequal 'Reading package lists...
  55. Building dependency tree...
  56. Suggested packages:
  57. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  58. The following NEW packages will be installed:
  59. apt
  60. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  61. After this operation, 5370 kB of additional disk space will be used.
  62. WARNING: The following packages cannot be authenticated!
  63. apt
  64. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  65. }
  66. failaptnew() {
  67. testfailureequal 'Reading package lists...
  68. Building dependency tree...
  69. Suggested packages:
  70. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  71. The following NEW packages will be installed:
  72. apt
  73. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  74. After this operation, 5808 kB of additional disk space will be used.
  75. WARNING: The following packages cannot be authenticated!
  76. apt
  77. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  78. }
  79. # fake our downloadable file
  80. touch aptarchive/apt.deb
  81. PKGFILE="${TESTDIR}/$(echo "$(basename $0)" | sed 's#^test-#Packages-#')"
  82. updatewithwarnings() {
  83. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  84. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  85. }
  86. runtest() {
  87. prepare ${PKGFILE}
  88. rm -rf rootdir/var/lib/apt/lists
  89. signreleasefiles 'Joe Sixpack'
  90. find aptarchive/ -name "$DELETEFILE" -delete
  91. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  92. testsuccess aptget update
  93. testsuccessequal "$(cat ${PKGFILE})
  94. " aptcache show apt
  95. installaptold
  96. prepare ${PKGFILE}-new
  97. signreleasefiles 'Joe Sixpack'
  98. find aptarchive/ -name "$DELETEFILE" -delete
  99. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  100. testsuccess aptget update
  101. testsuccessequal "$(cat ${PKGFILE}-new)
  102. " aptcache show apt
  103. installaptnew
  104. prepare ${PKGFILE}
  105. rm -rf rootdir/var/lib/apt/lists
  106. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  107. signreleasefiles 'Rex Expired'
  108. find aptarchive/ -name "$DELETEFILE" -delete
  109. msgmsg 'Cold archive signed by' 'Rex Expired'
  110. updatewithwarnings '^W: .* KEYEXPIRED'
  111. testsuccessequal "$(cat ${PKGFILE})
  112. " aptcache show apt
  113. failaptold
  114. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  115. prepare ${PKGFILE}
  116. rm -rf rootdir/var/lib/apt/lists
  117. signreleasefiles 'Marvin Paranoid'
  118. find aptarchive/ -name "$DELETEFILE" -delete
  119. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  120. updatewithwarnings '^W: .* NO_PUBKEY'
  121. testsuccessequal "$(cat ${PKGFILE})
  122. " aptcache show apt
  123. failaptold
  124. prepare ${PKGFILE}-new
  125. signreleasefiles 'Joe Sixpack'
  126. find aptarchive/ -name "$DELETEFILE" -delete
  127. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  128. testsuccess aptget update
  129. testsuccessequal "$(cat ${PKGFILE}-new)
  130. " aptcache show apt
  131. installaptnew
  132. prepare ${PKGFILE}
  133. rm -rf rootdir/var/lib/apt/lists
  134. signreleasefiles 'Joe Sixpack'
  135. find aptarchive/ -name "$DELETEFILE" -delete
  136. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  137. testsuccess aptget update
  138. testsuccessequal "$(cat ${PKGFILE})
  139. " aptcache show apt
  140. installaptold
  141. prepare ${PKGFILE}-new
  142. signreleasefiles 'Marvin Paranoid'
  143. find aptarchive/ -name "$DELETEFILE" -delete
  144. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  145. updatewithwarnings '^W: .* NO_PUBKEY'
  146. testsuccessequal "$(cat ${PKGFILE})
  147. " aptcache show apt
  148. installaptold
  149. prepare ${PKGFILE}-new
  150. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  151. signreleasefiles 'Rex Expired'
  152. find aptarchive/ -name "$DELETEFILE" -delete
  153. msgmsg 'Good warm archive signed by' 'Rex Expired'
  154. updatewithwarnings '^W: .* KEYEXPIRED'
  155. testsuccessequal "$(cat ${PKGFILE})
  156. " aptcache show apt
  157. installaptold
  158. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  159. prepare ${PKGFILE}-new
  160. signreleasefiles
  161. find aptarchive/ -name "$DELETEFILE" -delete
  162. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  163. testsuccess aptget update
  164. testsuccessequal "$(cat ${PKGFILE}-new)
  165. " aptcache show apt
  166. installaptnew
  167. prepare ${PKGFILE}
  168. rm -rf rootdir/var/lib/apt/lists
  169. signreleasefiles 'Marvin Paranoid'
  170. find aptarchive/ -name "$DELETEFILE" -delete
  171. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  172. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  173. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  174. testsuccess aptget update -o Debug::pkgAcquire::Worker=1
  175. testsuccessequal "$(cat ${PKGFILE})
  176. " aptcache show apt
  177. installaptold
  178. rm -rf rootdir/var/lib/apt/lists
  179. signreleasefiles 'Joe Sixpack'
  180. find aptarchive/ -name "$DELETEFILE" -delete
  181. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  182. updatewithwarnings '^W: .* NO_PUBKEY'
  183. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  184. local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  185. prepare ${PKGFILE}
  186. rm -rf rootdir/var/lib/apt/lists
  187. signreleasefiles 'Marvin Paranoid'
  188. find aptarchive/ -name "$DELETEFILE" -delete
  189. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  190. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  191. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  192. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  193. testsuccessequal "$(cat ${PKGFILE})
  194. " aptcache show apt
  195. installaptold
  196. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  197. rm -rf rootdir/var/lib/apt/lists
  198. signreleasefiles 'Joe Sixpack'
  199. find aptarchive/ -name "$DELETEFILE" -delete
  200. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  201. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  202. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  203. }
  204. runtest2() {
  205. prepare ${PKGFILE}
  206. rm -rf rootdir/var/lib/apt/lists
  207. signreleasefiles 'Joe Sixpack'
  208. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  209. testsuccess aptget update
  210. # New .deb but now an unsigned archive. For example MITM to circumvent
  211. # package verification.
  212. prepare ${PKGFILE}-new
  213. find aptarchive/ -name InRelease -delete
  214. find aptarchive/ -name Release.gpg -delete
  215. msgmsg 'Warm archive signed by' 'nobody'
  216. updatewithwarnings 'W: .* no longer signed.'
  217. testsuccessequal "$(cat ${PKGFILE}-new)
  218. " aptcache show apt
  219. failaptnew
  220. # Unsigned archive from the beginning must also be detected.
  221. rm -rf rootdir/var/lib/apt/lists
  222. msgmsg 'Cold archive signed by' 'nobody'
  223. updatewithwarnings 'W: .* is not signed.'
  224. testsuccessequal "$(cat ${PKGFILE}-new)
  225. " aptcache show apt
  226. failaptnew
  227. }
  228. # diable some protection by default and ensure we still do the verification
  229. # correctly
  230. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  231. Acquire::AllowInsecureRepositories "1";
  232. Acquire::AllowDowngradeToInsecureRepositories "1";
  233. EOF
  234. msgmsg "Running base test"
  235. runtest2
  236. DELETEFILE="InRelease"
  237. msgmsg "Running test with deletion of $DELETEFILE"
  238. runtest
  239. DELETEFILE="Release.gpg"
  240. msgmsg "Running test with deletion of $DELETEFILE"
  241. runtest