test-releasefile-verification 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454
  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. buildaptarchive
  8. setupflataptarchive
  9. changetowebserver
  10. webserverconfig 'aptwebserver::support::range' 'false'
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' "$release"
  22. done
  23. aptget clean
  24. cp "$1" aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE" 'now + 1 month'
  28. }
  29. installaptold() {
  30. rm -rf rootdir/var/cache/apt/archives
  31. testsuccessequal "Reading package lists...
  32. Building dependency tree...
  33. Suggested packages:
  34. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  35. The following NEW packages will be installed:
  36. apt
  37. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  38. After this operation, 5370 kB of additional disk space will be used.
  39. Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
  40. Download complete and in download only mode" aptget install apt -dy
  41. }
  42. installaptnew() {
  43. rm -rf rootdir/var/cache/apt/archives
  44. testsuccessequal "Reading package lists...
  45. Building dependency tree...
  46. Suggested packages:
  47. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  48. The following NEW packages will be installed:
  49. apt
  50. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  51. After this operation, 5808 kB of additional disk space will be used.
  52. Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
  53. Download complete and in download only mode" aptget install apt -dy
  54. }
  55. failaptold() {
  56. testfailureequal 'Reading package lists...
  57. Building dependency tree...
  58. Suggested packages:
  59. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  60. The following NEW packages will be installed:
  61. apt
  62. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  63. After this operation, 5370 kB of additional disk space will be used.
  64. WARNING: The following packages cannot be authenticated!
  65. apt
  66. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  67. }
  68. failaptnew() {
  69. testfailureequal 'Reading package lists...
  70. Building dependency tree...
  71. Suggested packages:
  72. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  73. The following NEW packages will be installed:
  74. apt
  75. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  76. After this operation, 5808 kB of additional disk space will be used.
  77. WARNING: The following packages cannot be authenticated!
  78. apt
  79. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  80. }
  81. # fake our downloadable file
  82. touch aptarchive/apt.deb
  83. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  84. updatewithwarnings() {
  85. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  86. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  87. }
  88. runtest() {
  89. local DELETEFILE="$1"
  90. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  91. prepare "${PKGFILE}"
  92. rm -rf rootdir/var/lib/apt/lists
  93. signreleasefiles 'Joe Sixpack'
  94. find aptarchive/ -name "$DELETEFILE" -delete
  95. successfulaptgetupdate
  96. testsuccessequal "$(cat "${PKGFILE}")
  97. " aptcache show apt
  98. installaptold
  99. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  100. prepare "${PKGFILE}-new"
  101. signreleasefiles 'Joe Sixpack'
  102. find aptarchive/ -name "$DELETEFILE" -delete
  103. successfulaptgetupdate
  104. testsuccessequal "$(cat "${PKGFILE}-new")
  105. " aptcache show apt
  106. installaptnew
  107. msgmsg 'Cold archive signed by' 'Rex Expired'
  108. prepare "${PKGFILE}"
  109. rm -rf rootdir/var/lib/apt/lists
  110. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  111. signreleasefiles 'Rex Expired'
  112. find aptarchive/ -name "$DELETEFILE" -delete
  113. updatewithwarnings '^W: .* EXPKEYSIG'
  114. testsuccessequal "$(cat "${PKGFILE}")
  115. " aptcache show apt
  116. failaptold
  117. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  118. msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
  119. if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  120. touch rootdir/etc/apt/apt.conf.d/99gnupg2
  121. elif gpg2 --version >/dev/null 2>&1; then
  122. echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
  123. if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  124. rm rootdir/etc/apt/apt.conf.d/99gnupg2
  125. fi
  126. fi
  127. if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
  128. prepare "${PKGFILE}"
  129. rm -rf rootdir/var/lib/apt/lists
  130. signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
  131. find aptarchive/ -name "$DELETEFILE" -delete
  132. updatewithwarnings '^W: .* EXPSIG'
  133. testsuccessequal "$(cat "${PKGFILE}")
  134. " aptcache show apt
  135. failaptold
  136. rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
  137. else
  138. msgskip 'Not a new enough gpg available providing --fake-system-time'
  139. fi
  140. msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
  141. prepare "${PKGFILE}"
  142. rm -rf rootdir/var/lib/apt/lists
  143. signreleasefiles 'Joe Sixpack,Marvin Paranoid'
  144. find aptarchive/ -name "$DELETEFILE" -delete
  145. successfulaptgetupdate 'NO_PUBKEY'
  146. testsuccessequal "$(cat "${PKGFILE}")
  147. " aptcache show apt
  148. installaptold
  149. msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
  150. prepare "${PKGFILE}"
  151. rm -rf rootdir/var/lib/apt/lists
  152. signreleasefiles 'Joe Sixpack,Rex Expired'
  153. find aptarchive/ -name "$DELETEFILE" -delete
  154. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  155. successfulaptgetupdate 'EXPKEYSIG'
  156. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  157. testsuccessequal "$(cat "${PKGFILE}")
  158. " aptcache show apt
  159. installaptold
  160. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  161. prepare "${PKGFILE}"
  162. rm -rf rootdir/var/lib/apt/lists
  163. signreleasefiles 'Marvin Paranoid'
  164. find aptarchive/ -name "$DELETEFILE" -delete
  165. updatewithwarnings '^W: .* NO_PUBKEY'
  166. testsuccessequal "$(cat "${PKGFILE}")
  167. " aptcache show apt
  168. failaptold
  169. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  170. prepare "${PKGFILE}-new"
  171. signreleasefiles 'Joe Sixpack'
  172. find aptarchive/ -name "$DELETEFILE" -delete
  173. successfulaptgetupdate
  174. testsuccessequal "$(cat "${PKGFILE}-new")
  175. " aptcache show apt
  176. installaptnew
  177. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  178. prepare "${PKGFILE}"
  179. rm -rf rootdir/var/lib/apt/lists
  180. signreleasefiles 'Joe Sixpack'
  181. find aptarchive/ -name "$DELETEFILE" -delete
  182. successfulaptgetupdate
  183. testsuccessequal "$(cat "${PKGFILE}")
  184. " aptcache show apt
  185. installaptold
  186. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  187. prepare "${PKGFILE}-new"
  188. signreleasefiles 'Marvin Paranoid'
  189. find aptarchive/ -name "$DELETEFILE" -delete
  190. updatewithwarnings '^W: .* NO_PUBKEY'
  191. testsuccessequal "$(cat "${PKGFILE}")
  192. " aptcache show apt
  193. installaptold
  194. msgmsg 'Good warm archive signed by' 'Rex Expired'
  195. prepare "${PKGFILE}-new"
  196. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  197. signreleasefiles 'Rex Expired'
  198. find aptarchive/ -name "$DELETEFILE" -delete
  199. updatewithwarnings '^W: .* EXPKEYSIG'
  200. testsuccessequal "$(cat "${PKGFILE}")
  201. " aptcache show apt
  202. installaptold
  203. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  204. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  205. prepare "${PKGFILE}-new"
  206. signreleasefiles
  207. find aptarchive/ -name "$DELETEFILE" -delete
  208. successfulaptgetupdate
  209. testsuccessequal "$(cat "${PKGFILE}-new")
  210. " aptcache show apt
  211. installaptnew
  212. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  213. prepare "${PKGFILE}"
  214. rm -rf rootdir/var/lib/apt/lists
  215. signreleasefiles 'Marvin Paranoid'
  216. find aptarchive/ -name "$DELETEFILE" -delete
  217. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  218. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  219. successfulaptgetupdate
  220. testsuccessequal "$(cat "${PKGFILE}")
  221. " aptcache show apt
  222. installaptold
  223. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  224. rm -rf rootdir/var/lib/apt/lists
  225. signreleasefiles 'Joe Sixpack'
  226. find aptarchive/ -name "$DELETEFILE" -delete
  227. updatewithwarnings '^W: .* NO_PUBKEY'
  228. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  229. local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  230. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  231. rm -rf rootdir/var/lib/apt/lists
  232. signreleasefiles 'Joe Sixpack'
  233. find aptarchive/ -name "$DELETEFILE" -delete
  234. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  235. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  236. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  237. rm -rf rootdir/var/lib/apt/lists
  238. signreleasefiles 'Marvin Paranoid'
  239. find aptarchive/ -name "$DELETEFILE" -delete
  240. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  241. successfulaptgetupdate
  242. testsuccessequal "$(cat "${PKGFILE}")
  243. " aptcache show apt
  244. installaptold
  245. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
  246. rm -rf rootdir/var/lib/apt/lists
  247. signreleasefiles 'Marvin Paranoid,Joe Sixpack'
  248. find aptarchive/ -name "$DELETEFILE" -delete
  249. successfulaptgetupdate 'NoPubKey: GOODSIG'
  250. testsuccessequal "$(cat "${PKGFILE}")
  251. " aptcache show apt
  252. installaptold
  253. local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  254. msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  255. rm -rf rootdir/var/lib/apt/lists
  256. signreleasefiles 'Joe Sixpack'
  257. find aptarchive/ -name "$DELETEFILE" -delete
  258. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/*
  259. successfulaptgetupdate
  260. testsuccessequal "$(cat "${PKGFILE}")
  261. " aptcache show apt
  262. installaptold
  263. local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  264. msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack'
  265. rm -rf rootdir/var/lib/apt/lists
  266. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${SIXPACK},${MARVIN}\] #\1 [signed-by=${MARVIN},${SIXPACK}] #" rootdir/etc/apt/sources.list.d/*
  267. successfulaptgetupdate
  268. testsuccessequal "$(cat "${PKGFILE}")
  269. " aptcache show apt
  270. installaptold
  271. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  272. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=${MARVIN},${SIXPACK}\] #\1 #" rootdir/etc/apt/sources.list.d/*
  273. rm -rf rootdir/var/lib/apt/lists-bak
  274. cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak
  275. prepare "${PKGFILE}-new"
  276. signreleasefiles 'Joe Sixpack'
  277. find aptarchive/ -name "$DELETEFILE" -delete
  278. msgmsg 'Warm archive with signed-by' 'Joe Sixpack'
  279. sed -i "/^Valid-Until: / a\
  280. Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  281. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  282. successfulaptgetupdate
  283. testsuccessequal "$(cat "${PKGFILE}-new")
  284. " aptcache show apt
  285. installaptnew
  286. msgmsg 'Warm archive with signed-by' 'Marvin Paranoid'
  287. rm -rf rootdir/var/lib/apt/lists
  288. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  289. sed -i "/^Valid-Until: / a\
  290. Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  291. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  292. updatewithwarnings 'W: .* public key is not available: GOODSIG'
  293. testsuccessequal "$(cat "${PKGFILE}")
  294. " aptcache show apt
  295. installaptold
  296. msgmsg 'Warm archive with outdated signed-by' 'Marvin Paranoid'
  297. rm -rf rootdir/var/lib/apt/lists
  298. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  299. sed -i "/^Valid-Until: / a\
  300. Valid-Until: $(date -u -d "now - 2min" '+%a, %d %b %Y %H:%M:%S %Z') \\
  301. Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
  302. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  303. successfulaptgetupdate
  304. testsuccessequal "$(cat "${PKGFILE}-new")
  305. " aptcache show apt
  306. installaptnew
  307. msgmsg 'Warm archive with two signed-bys' 'Joe Sixpack'
  308. rm -rf rootdir/var/lib/apt/lists
  309. cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
  310. sed -i "/^Valid-Until: / a\
  311. Signed-By: ${MARVIN} ${MARVIN}, \\
  312. ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
  313. touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
  314. successfulaptgetupdate
  315. testsuccessequal "$(cat "${PKGFILE}-new")
  316. " aptcache show apt
  317. installaptnew
  318. }
  319. runtest2() {
  320. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  321. prepare "${PKGFILE}"
  322. rm -rf rootdir/var/lib/apt/lists
  323. signreleasefiles 'Joe Sixpack'
  324. successfulaptgetupdate
  325. # New .deb but now an unsigned archive. For example MITM to circumvent
  326. # package verification.
  327. msgmsg 'Warm archive signed by' 'nobody'
  328. prepare "${PKGFILE}-new"
  329. find aptarchive/ -name InRelease -delete
  330. find aptarchive/ -name Release.gpg -delete
  331. updatewithwarnings 'W: .* no longer signed.'
  332. testsuccessequal "$(cat "${PKGFILE}-new")
  333. " aptcache show apt
  334. failaptnew
  335. # Unsigned archive from the beginning must also be detected.
  336. msgmsg 'Cold archive signed by' 'nobody'
  337. rm -rf rootdir/var/lib/apt/lists
  338. updatewithwarnings 'W: .* is not signed.'
  339. testsuccessequal "$(cat "${PKGFILE}-new")
  340. " aptcache show apt
  341. failaptnew
  342. }
  343. runtest3() {
  344. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  345. msgmsg "Running base test with $1 digest"
  346. runtest2
  347. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  348. msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
  349. runtest "$DELETEFILE"
  350. done
  351. }
  352. # diable some protection by default and ensure we still do the verification
  353. # correctly
  354. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  355. Acquire::AllowInsecureRepositories "1";
  356. Acquire::AllowDowngradeToInsecureRepositories "1";
  357. EOF
  358. # the hash marked as configureable in our gpgv method
  359. export APT_TESTS_DIGEST_ALGO='SHA224'
  360. successfulaptgetupdate() {
  361. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  362. if [ -n "$1" ]; then
  363. cp rootdir/tmp/testsuccess.output aptupdate.output
  364. testsuccess grep "$1" aptupdate.output
  365. fi
  366. }
  367. runtest3 'Trusted'
  368. successfulaptgetupdate() {
  369. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  370. if [ -n "$1" ]; then
  371. testsuccess grep "$1" rootdir/tmp/testwarning.output
  372. fi
  373. testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
  374. }
  375. runtest3 'Weak'
  376. msgmsg "Running test with apt-untrusted digest"
  377. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  378. runfailure() {
  379. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  380. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  381. prepare "${PKGFILE}"
  382. rm -rf rootdir/var/lib/apt/lists
  383. signreleasefiles 'Joe Sixpack'
  384. find aptarchive/ -name "$DELETEFILE" -delete
  385. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  386. testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
  387. testnopackage 'apt'
  388. testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  389. failaptold
  390. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  391. prepare "${PKGFILE}"
  392. rm -rf rootdir/var/lib/apt/lists
  393. signreleasefiles 'Marvin Paranoid'
  394. find aptarchive/ -name "$DELETEFILE" -delete
  395. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  396. testnopackage 'apt'
  397. updatewithwarnings '^W: .* NO_PUBKEY'
  398. testsuccessequal "$(cat "${PKGFILE}")
  399. " aptcache show apt
  400. failaptold
  401. done
  402. }
  403. runfailure
  404. msgmsg "Running test with gpgv-untrusted digest"
  405. export APT_TESTS_DIGEST_ALGO='MD5'
  406. runfailure