test-releasefile-verification 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295
  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. buildaptarchive
  8. setupflataptarchive
  9. changetowebserver
  10. webserverconfig 'aptwebserver::support::range' 'false'
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' "$release"
  22. done
  23. aptget clean
  24. cp "$1" aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE"
  28. }
  29. installaptold() {
  30. testsuccessequal "Reading package lists...
  31. Building dependency tree...
  32. Suggested packages:
  33. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  34. The following NEW packages will be installed:
  35. apt
  36. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  37. After this operation, 5370 kB of additional disk space will be used.
  38. Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
  39. Download complete and in download only mode" aptget install apt -dy
  40. }
  41. installaptnew() {
  42. testsuccessequal "Reading package lists...
  43. Building dependency tree...
  44. Suggested packages:
  45. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  46. The following NEW packages will be installed:
  47. apt
  48. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  49. After this operation, 5808 kB of additional disk space will be used.
  50. Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
  51. Download complete and in download only mode" aptget install apt -dy
  52. }
  53. failaptold() {
  54. testfailureequal 'Reading package lists...
  55. Building dependency tree...
  56. Suggested packages:
  57. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  58. The following NEW packages will be installed:
  59. apt
  60. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  61. After this operation, 5370 kB of additional disk space will be used.
  62. WARNING: The following packages cannot be authenticated!
  63. apt
  64. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  65. }
  66. failaptnew() {
  67. testfailureequal 'Reading package lists...
  68. Building dependency tree...
  69. Suggested packages:
  70. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  71. The following NEW packages will be installed:
  72. apt
  73. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  74. After this operation, 5808 kB of additional disk space will be used.
  75. WARNING: The following packages cannot be authenticated!
  76. apt
  77. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  78. }
  79. # fake our downloadable file
  80. touch aptarchive/apt.deb
  81. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  82. updatewithwarnings() {
  83. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  84. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  85. }
  86. runtest() {
  87. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  88. prepare "${PKGFILE}"
  89. rm -rf rootdir/var/lib/apt/lists
  90. signreleasefiles 'Joe Sixpack'
  91. find aptarchive/ -name "$DELETEFILE" -delete
  92. successfulaptgetupdate
  93. testsuccessequal "$(cat "${PKGFILE}")
  94. " aptcache show apt
  95. installaptold
  96. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  97. prepare "${PKGFILE}-new"
  98. signreleasefiles 'Joe Sixpack'
  99. find aptarchive/ -name "$DELETEFILE" -delete
  100. successfulaptgetupdate
  101. testsuccessequal "$(cat "${PKGFILE}-new")
  102. " aptcache show apt
  103. installaptnew
  104. msgmsg 'Cold archive signed by' 'Rex Expired'
  105. prepare "${PKGFILE}"
  106. rm -rf rootdir/var/lib/apt/lists
  107. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  108. signreleasefiles 'Rex Expired'
  109. find aptarchive/ -name "$DELETEFILE" -delete
  110. updatewithwarnings '^W: .* KEYEXPIRED'
  111. testsuccessequal "$(cat "${PKGFILE}")
  112. " aptcache show apt
  113. failaptold
  114. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  115. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  116. prepare "${PKGFILE}"
  117. rm -rf rootdir/var/lib/apt/lists
  118. signreleasefiles 'Marvin Paranoid'
  119. find aptarchive/ -name "$DELETEFILE" -delete
  120. updatewithwarnings '^W: .* NO_PUBKEY'
  121. testsuccessequal "$(cat "${PKGFILE}")
  122. " aptcache show apt
  123. failaptold
  124. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  125. prepare "${PKGFILE}-new"
  126. signreleasefiles 'Joe Sixpack'
  127. find aptarchive/ -name "$DELETEFILE" -delete
  128. successfulaptgetupdate
  129. testsuccessequal "$(cat "${PKGFILE}-new")
  130. " aptcache show apt
  131. installaptnew
  132. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  133. prepare "${PKGFILE}"
  134. rm -rf rootdir/var/lib/apt/lists
  135. signreleasefiles 'Joe Sixpack'
  136. find aptarchive/ -name "$DELETEFILE" -delete
  137. successfulaptgetupdate
  138. testsuccessequal "$(cat "${PKGFILE}")
  139. " aptcache show apt
  140. installaptold
  141. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  142. prepare "${PKGFILE}-new"
  143. signreleasefiles 'Marvin Paranoid'
  144. find aptarchive/ -name "$DELETEFILE" -delete
  145. updatewithwarnings '^W: .* NO_PUBKEY'
  146. testsuccessequal "$(cat "${PKGFILE}")
  147. " aptcache show apt
  148. installaptold
  149. msgmsg 'Good warm archive signed by' 'Rex Expired'
  150. prepare "${PKGFILE}-new"
  151. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  152. signreleasefiles 'Rex Expired'
  153. find aptarchive/ -name "$DELETEFILE" -delete
  154. updatewithwarnings '^W: .* KEYEXPIRED'
  155. testsuccessequal "$(cat "${PKGFILE}")
  156. " aptcache show apt
  157. installaptold
  158. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  159. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  160. prepare "${PKGFILE}-new"
  161. signreleasefiles
  162. find aptarchive/ -name "$DELETEFILE" -delete
  163. successfulaptgetupdate
  164. testsuccessequal "$(cat "${PKGFILE}-new")
  165. " aptcache show apt
  166. installaptnew
  167. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  168. prepare "${PKGFILE}"
  169. rm -rf rootdir/var/lib/apt/lists
  170. signreleasefiles 'Marvin Paranoid'
  171. find aptarchive/ -name "$DELETEFILE" -delete
  172. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  173. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  174. successfulaptgetupdate
  175. testsuccessequal "$(cat "${PKGFILE}")
  176. " aptcache show apt
  177. installaptold
  178. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  179. rm -rf rootdir/var/lib/apt/lists
  180. signreleasefiles 'Joe Sixpack'
  181. find aptarchive/ -name "$DELETEFILE" -delete
  182. updatewithwarnings '^W: .* NO_PUBKEY'
  183. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  184. local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  185. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  186. prepare "${PKGFILE}"
  187. rm -rf rootdir/var/lib/apt/lists
  188. signreleasefiles 'Marvin Paranoid'
  189. find aptarchive/ -name "$DELETEFILE" -delete
  190. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  191. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  192. successfulaptgetupdate
  193. testsuccessequal "$(cat "${PKGFILE}")
  194. " aptcache show apt
  195. installaptold
  196. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  197. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  198. rm -rf rootdir/var/lib/apt/lists
  199. signreleasefiles 'Joe Sixpack'
  200. find aptarchive/ -name "$DELETEFILE" -delete
  201. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  202. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  203. }
  204. runtest2() {
  205. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  206. prepare "${PKGFILE}"
  207. rm -rf rootdir/var/lib/apt/lists
  208. signreleasefiles 'Joe Sixpack'
  209. successfulaptgetupdate
  210. # New .deb but now an unsigned archive. For example MITM to circumvent
  211. # package verification.
  212. msgmsg 'Warm archive signed by' 'nobody'
  213. prepare "${PKGFILE}-new"
  214. find aptarchive/ -name InRelease -delete
  215. find aptarchive/ -name Release.gpg -delete
  216. updatewithwarnings 'W: .* no longer signed.'
  217. testsuccessequal "$(cat "${PKGFILE}-new")
  218. " aptcache show apt
  219. failaptnew
  220. # Unsigned archive from the beginning must also be detected.
  221. msgmsg 'Cold archive signed by' 'nobody'
  222. rm -rf rootdir/var/lib/apt/lists
  223. updatewithwarnings 'W: .* is not signed.'
  224. testsuccessequal "$(cat "${PKGFILE}-new")
  225. " aptcache show apt
  226. failaptnew
  227. }
  228. runtest3() {
  229. export APT_TESTS_DIGEST_ALGO="$1"
  230. msgmsg "Running base test with digest $1"
  231. runtest2
  232. DELETEFILE="InRelease"
  233. msgmsg "Running test with deletion of $DELETEFILE and digest $1"
  234. runtest
  235. DELETEFILE="Release.gpg"
  236. msgmsg "Running test with deletion of $DELETEFILE and digest $1"
  237. runtest
  238. unset APT_TESTS_DIGEST_ALGO
  239. }
  240. # diable some protection by default and ensure we still do the verification
  241. # correctly
  242. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  243. Acquire::AllowInsecureRepositories "1";
  244. Acquire::AllowDowngradeToInsecureRepositories "1";
  245. EOF
  246. # an all-round good hash
  247. successfulaptgetupdate() {
  248. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  249. }
  250. runtest3 'SHA512'
  251. # a hash we consider weak and therefore warn about
  252. rm -f rootdir/etc/apt/apt.conf.d/no-sha1
  253. successfulaptgetupdate() {
  254. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  255. testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
  256. }
  257. runtest3 'SHA1'