탐색 도움말
로그인
NitoTV
/
apt
Watch 2
Star 0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: 62f60c55f0
브랜치 태그
apt
/
test
/
integration
/
test-apt-update-weak-hashes

test-apt-update-weak-hashes 7.8 KB
히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 
  1. #!/bin/sh
    2. 

  2. set -e
    3. 

  3. 

  4. TESTDIR="$(readlink -f "$(dirname "$0")")"
    5. 

  5. . "$TESTDIR/framework"
    6. 

  6. 

  7. setupenvironment
    8. 

  8. configarchitecture 'i386'
    9. 

  9. confighashes 'MD5'
    10. 

  10. export APT_DONT_SIGN=''
    11. 

  11. 

  12. insertpackage 'unstable' 'foo' 'i386' '1.0'
    13. 

  13. insertsource 'unstable' 'foo' 'any' '1.0'
    14. 

  14. 

  15. setupaptarchive --no-update
    16. 

  16. APTARCHIVE="$(readlink -f ./aptarchive)"
    17. 

  17. 

  18. testnopkg() {
    19. 

  19. 	testnopackage "$@"
    20. 

  20. 	testnosrcpackage "$@"
    21. 

  21. }
    22. 

  22. testbadpkg() {
    23. 

  23. 	testempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
    24. 

  24. 	testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*Release'
    25. 

  25. 	testnotempty apt show "$@"
    26. 

  26. 	testnotempty apt showsrc "$@"
    27. 

  27. 	testfailureequal "WARNING: The following packages cannot be authenticated!
    28. 

  28.   $*
    29. 

  29. E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y "$@"
    30. 

  30. 	testfailureequal "WARNING: The following packages cannot be authenticated!
    31. 

  31.   $*
    32. 

  32. E: Some packages could not be authenticated" aptget source -qq "$@"
    33. 

  33. }
    34. 

  34. 

  35. testrun() {
    36. 

  36. 	local TYPE="$1"
    37. 

  37. 	local FILENAME="$2"
    38. 

  38. 	shift 2
    39. 

  39. 	local MANGLED="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "$FILENAME" | sed 's#/#_#g')"
    40. 

  40. 	msgmsg "$TYPE contains only weak hashes"
    41. 

  41. 	confighashes 'MD5'
    42. 

  42. 	generatereleasefiles
    43. 

  43. 	signreleasefiles
    44. 

  44. 	preparetest
    45. 

  45. 	if [ -z "$1" ]; then
    46. 

  46. 		listcurrentlistsdirectory > lists.before
    47. 

  47. 		testfailuremsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
    48. 

  48. E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
    49. 

  49. N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    50. 

  50. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
    51. 

  51. 		testfileequal lists.before "$(listcurrentlistsdirectory)"
    52. 

  52. 		testnopkg 'foo'
    53. 

  53. 	else
    54. 

  54. 		testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
    55. 

  55. W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
    56. 

  56. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
    57. 

  57. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
    58. 

  58. 		testbadpkg 'foo'
    59. 

  59. 	fi
    60. 

  60. 

  61. 	msgmsg "$TYPE contains only weak hashes, but source allows weak"
    62. 

  62. 	sed -i 's#^deb\(-src\)\? #deb\1 [allow-weak=yes] #' rootdir/etc/apt/sources.list.d/*
    63. 

  63. 	genericprepare
    64. 

  64. 	testwarningmsg "W: No Hash entry in Release file ${MANGLED} which is considered strong enough for security purposes
    65. 

  65. W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
    66. 

  66. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
    67. 

  67. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
    68. 

  68. 	testbadpkg 'foo'
    69. 

  69. 	sed -i 's#^deb\(-src\)\? \[allow-weak=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
    70. 

  70. 

  71. 	msgmsg "$TYPE contains no hashes"
    72. 

  72. 	generatereleasefiles
    73. 

  73. 	sed -i -e '/^ / d' -e '/^MD5Sum:/ d' "$APTARCHIVE/dists/unstable/Release"
    74. 

  74. 	signreleasefiles
    75. 

  75. 	preparetest
    76. 

  76. 	if [ -z "$1" ]; then
    77. 

  77. 		listcurrentlistsdirectory > lists.before
    78. 

  78. 		testfailuremsg "W: No Hash entry in Release file ${MANGLED}
    79. 

  79. E: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
    80. 

  80. N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    81. 

  81. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
    82. 

  82. 		testfileequal lists.before "$(listcurrentlistsdirectory)"
    83. 

  83. 		testnopkg 'foo'
    84. 

  84. 	else
    85. 

  85. 		testwarningmsg "W: No Hash entry in Release file ${MANGLED}
    86. 

  86. W: The repository 'file:${APTARCHIVE} unstable $(basename "$FILENAME")' provides only weak security information.
    87. 

  87. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
    88. 

  88. N: See apt-secure(8) manpage for repository creation and user configuration details." apt update "$@"
    89. 

  89. 		testbadpkg 'foo'
    90. 

  90. 	fi
    91. 

  91. 

  92. 	msgmsg "$TYPE contains only weak hashes for some files"
    93. 

  93. 	confighashes 'MD5' 'SHA256'
    94. 

  94. 	generatereleasefiles
    95. 

  95. 	sed -i '/^ [0-9a-fA-Z]\{64\} .*Sources$/d' "$APTARCHIVE/dists/unstable/Release"
    96. 

  96. 	signreleasefiles
    97. 

  97. 	preparetest
    98. 

  98. 	if [ -z "$1" ]; then
    99. 

  99. 		testwarningmsg "W: Skipping acquire of configured file 'main/source/Sources' as repository 'file:${APTARCHIVE} unstable InRelease' provides only weak security information for it" apt update
    100. 

  100. 		testnosrcpackage foo
    101. 

  101. 	else
    102. 

  102. 		rm -f rootdir/var/lib/apt/lists/partial/*
    103. 

  103. 		testsuccess apt update "$@"
    104. 

  104. 		testnotempty apt showsrc foo
    105. 

  105. 	fi
    106. 

  106. 	testsuccess apt show foo
    107. 

  107. }
    108. 

  108. 

  109. genericprepare() {
    110. 

  110. 	rm -rf rootdir/var/lib/apt/lists
    111. 

  111. 	mkdir -p rootdir/var/lib/apt/lists/partial
    112. 

  112. 	touch rootdir/var/lib/apt/lists/lock
    113. 

  113. 	local RELEASEGPG="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/Release.gpg" | sed 's#/#_#g')"
    114. 

  114. 	touch "$RELEASEGPG"
    115. 

  115. 	chmod 644 "$RELEASEGPG"
    116. 

  116. 	local INRELEASE="$(readlink -f ./rootdir)/var/lib/apt/lists/partial/$(echo "${APTARCHIVE}/dists/unstable/InRelease" | sed 's#/#_#g')"
    117. 

  117. 	touch "$INRELEASE"
    118. 

  118. 	chmod 644 "$INRELEASE"
    119. 

  119. }
    120. 

  120. preparetest() {
    121. 

  121. 	rm -f "${APTARCHIVE}/dists/unstable/Release" "${APTARCHIVE}/dists/unstable/Release.gpg"
    122. 

  122. 	genericprepare
    123. 

  123. }
    124. 

  124. testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease"
    125. 

  125. testrun 'InRelease' "${APTARCHIVE}/dists/unstable/InRelease" --allow-weak-repositories -o APT::Get::List-Cleanup=0
    126. 

  126. 

  127. preparetest() {
    128. 

  128. 	rm -f "${APTARCHIVE}/dists/unstable/InRelease"
    129. 

  129. 	genericprepare
    130. 

  130. }
    131. 

  131. testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release"
    132. 

  132. testrun 'Release+Release.gpg' "${APTARCHIVE}/dists/unstable/Release" --allow-weak-repositories -o APT::Get::List-Cleanup=0
    133. 

  133. 

  134. preparetest() {
    135. 

  135. 	rm -f "${APTARCHIVE}/dists/unstable/InRelease" "${APTARCHIVE}/dists/unstable/Release.gpg"
    136. 

  136. 	genericprepare
    137. 

  137. }
    138. 

  138. 

  139. msgmsg 'Moving between Release files with good and bad hashes'
    140. 

  140. rm -rf rootdir/var/lib/apt/lists
    141. 

  141. confighashes 'MD5'
    142. 

  142. generatereleasefiles 'now - 7 days'
    143. 

  143. signreleasefiles
    144. 

  144. testfailure apt update
    145. 

  145. testnopkg 'foo'
    146. 

  146. testwarning apt update --allow-weak-repositories
    147. 

  147. testbadpkg 'foo'
    148. 

  148. 

  149. confighashes 'MD5' 'SHA256'
    150. 

  150. rm -rf aptarchive/dists
    151. 

  151. insertpackage 'unstable' 'foo2' 'i386' '1.0'
    152. 

  152. insertsource 'unstable' 'foo2' 'any' '1.0'
    153. 

  153. setupaptarchive --no-update 'now - 5 days'
    154. 

  154. testsuccess apt update
    155. 

  155. testnopkg foo
    156. 

  156. testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
    157. 

  157. testnotempty apt show foo2
    158. 

  158. testnotempty apt showsrc foo2
    159. 

  159. 

  160. confighashes 'MD5'
    161. 

  161. rm -rf aptarchive/dists
    162. 

  162. insertpackage 'unstable' 'foo3' 'i386' '1.0'
    163. 

  163. insertsource 'unstable' 'foo3' 'any' '1.0'
    164. 

  164. setupaptarchive --no-update 'now - 3 days'
    165. 

  165. testfailure apt update
    166. 

  166. testnopkg foo
    167. 

  167. testnopkg foo3
    168. 

  168. testnotempty find rootdir/var/lib/apt/lists -maxdepth 1 -name '*InRelease' -o -name '*Release.gpg'
    169. 

  169. testnotempty apt show foo2
    170. 

  170. testnotempty apt showsrc foo2
    171. 

  171. testwarning apt update --allow-weak-repositories
    172. 

  172. testnopkg foo2
    173. 

  173. testbadpkg foo3
    174. 

  174. 

  175. msgmsg 'Working with packages guarded only by weak hashes'
    176. 

  176. confighashes 'MD5'
    177. 

  177. rm -rf aptarchive/dists
    178. 

  178. buildsimplenativepackage 'foo4' 'i386' '1' 'unstable'
    179. 

  179. setupaptarchive --no-update
    180. 

  180. testfailure apt update
    181. 

  181. confighashes 'SHA256'
    182. 

  182. generatereleasefiles 'now - 1 day'
    183. 

  183. signreleasefiles
    184. 

  184. testsuccess apt update
    185. 

  185. cd downloaded
    186. 

  186. testfailure apt download foo4
    187. 

  187. cp ../rootdir/tmp/testfailure.output download.output
    188. 

  188. testfailure grep 'Hash Sum mismatch' download.output
    189. 

  189. testsuccess grep 'Insufficient information' download.output
    190. 

  190. 

  191. testsuccess apt install foo4 -s
    192. 

  192. testfailure apt install foo4 -dy
    193. 

  193. cp ../rootdir/tmp/testfailure.output install.output
    194. 

  194. testfailure grep 'Hash Sum mismatch' install.output
    195. 

  195. testsuccess grep 'Insufficient information' download.output
    196. 

  196. 

  197. testsuccess apt source foo4
    198. 

  198. cp ../rootdir/tmp/testsuccess.output source.output
    199. 

  199. testsuccess grep 'Skipping download of file' source.output
    200. 

  200. testfailure test -e foo4_1.dsc
    201. 

  201. testsuccess test -e foo4_1.tar.*
    202. 

  202. cd ..
    203. 

  203.