test-apt-key-net-update 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115
  1. #!/bin/sh
  2. set -e
  3. TESTDIR=$(readlink -f $(dirname $0))
  4. . $TESTDIR/framework
  5. setupenvironment
  6. configarchitecture "i386"
  7. # mock
  8. requires_root() {
  9. return 0
  10. }
  11. # extract net_update() and import it
  12. func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key )
  13. eval "$func"
  14. mkdir -p ./etc/apt
  15. TRUSTEDFILE=./etc/apt/trusted.gpg
  16. mkdir -p ./var/lib/apt/keyrings
  17. TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg
  18. GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
  19. # FIXME: instead of copying this use apt-key and the buildin apt webserver
  20. # to do a real test
  21. # COPYIED from apt-key.in --------------
  22. # gpg needs a trustdb to function, but it can't be invalid (not even empty)
  23. # so we create a temporary directory to store our fresh readable trustdb in
  24. TRUSTDBDIR="$(mktemp -d)"
  25. CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
  26. trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
  27. chmod 700 "$TRUSTDBDIR"
  28. # We also don't use a secret keyring, of course, but gpg panics and
  29. # implodes if there isn't one available - and writeable for imports
  30. SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
  31. touch $SECRETKEYRING
  32. GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
  33. GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
  34. #----------------------------------------- END COPY
  35. GPG="$GPG_CMD --keyring $TRUSTEDFILE"
  36. MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg
  37. msgtest "add_keys_with_verify_against_master_keyring"
  38. if [ ! -e $MASTER_KEYRING ]; then
  39. echo -n "No $MASTER_KEYRING found"
  40. msgskip
  41. exit 0
  42. fi
  43. # test bad keyring and ensure its not added (LP: #857472)
  44. ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub
  45. if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
  46. msgfail
  47. else
  48. msgpass
  49. fi
  50. # ensure the keyring is still empty
  51. gpg_out=$($GPG --list-keys)
  52. msgtest "Test if keyring is empty"
  53. if [ -n "" ]; then
  54. msgfail
  55. else
  56. msgpass
  57. fi
  58. # test another possible attack vector using subkeys (LP: #1013128)
  59. msgtest "add_keys_with_verify_against_master_keyring with subkey attack"
  60. ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub
  61. if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
  62. msgfail
  63. else
  64. msgpass
  65. fi
  66. # ensure the keyring is still empty
  67. gpg_out=$($GPG --list-keys)
  68. msgtest "Test if keyring is empty"
  69. if [ -n "" ]; then
  70. msgfail
  71. else
  72. msgpass
  73. fi
  74. # test good keyring and ensure we get no errors
  75. ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
  76. if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then
  77. msgpass
  78. else
  79. msgfail
  80. fi
  81. testequal './etc/apt/trusted.gpg
  82. ---------------------
  83. pub 1024D/437D05B5 2004-09-12
  84. uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
  85. sub 2048g/79164387 2004-09-12
  86. pub 1024D/FBB75451 2004-12-30
  87. uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
  88. pub 4096R/C0B21F32 2012-05-11
  89. uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
  90. pub 4096R/EFE21092 2012-05-11
  91. uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
  92. ' $GPG --list-keys