test-releasefile-verification 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376
  1. #!/bin/sh
  2. set -e
  3. TESTDIR="$(readlink -f "$(dirname "$0")")"
  4. . "$TESTDIR/framework"
  5. setupenvironment
  6. configarchitecture "i386"
  7. buildaptarchive
  8. setupflataptarchive
  9. changetowebserver
  10. webserverconfig 'aptwebserver::support::range' 'false'
  11. prepare() {
  12. local DATE="${2:-now}"
  13. if [ "$DATE" = 'now' ]; then
  14. if [ "$1" = "${PKGFILE}-new" ]; then
  15. DATE='now - 1 day'
  16. else
  17. DATE='now - 7 day'
  18. fi
  19. fi
  20. for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
  21. touch -d 'now - 1 year' "$release"
  22. done
  23. aptget clean
  24. cp "$1" aptarchive/Packages
  25. find aptarchive -name 'Release' -delete
  26. compressfile 'aptarchive/Packages' "$DATE"
  27. generatereleasefiles "$DATE"
  28. }
  29. installaptold() {
  30. testsuccessequal "Reading package lists...
  31. Building dependency tree...
  32. Suggested packages:
  33. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  34. The following NEW packages will be installed:
  35. apt
  36. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  37. After this operation, 5370 kB of additional disk space will be used.
  38. Get:1 http://localhost:${APTHTTPPORT} apt 0.7.25.3
  39. Download complete and in download only mode" aptget install apt -dy
  40. }
  41. installaptnew() {
  42. testsuccessequal "Reading package lists...
  43. Building dependency tree...
  44. Suggested packages:
  45. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  46. The following NEW packages will be installed:
  47. apt
  48. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  49. After this operation, 5808 kB of additional disk space will be used.
  50. Get:1 http://localhost:${APTHTTPPORT} apt 0.8.0~pre1
  51. Download complete and in download only mode" aptget install apt -dy
  52. }
  53. failaptold() {
  54. testfailureequal 'Reading package lists...
  55. Building dependency tree...
  56. Suggested packages:
  57. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  58. The following NEW packages will be installed:
  59. apt
  60. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  61. After this operation, 5370 kB of additional disk space will be used.
  62. WARNING: The following packages cannot be authenticated!
  63. apt
  64. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  65. }
  66. failaptnew() {
  67. testfailureequal 'Reading package lists...
  68. Building dependency tree...
  69. Suggested packages:
  70. aptitude | synaptic | wajig dpkg-dev apt-doc bzip2 lzma python-apt
  71. The following NEW packages will be installed:
  72. apt
  73. 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  74. After this operation, 5808 kB of additional disk space will be used.
  75. WARNING: The following packages cannot be authenticated!
  76. apt
  77. E: There were unauthenticated packages and -y was used without --allow-unauthenticated' aptget install apt -dy
  78. }
  79. # fake our downloadable file
  80. touch aptarchive/apt.deb
  81. PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
  82. updatewithwarnings() {
  83. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  84. testsuccess grep -E "$1" rootdir/tmp/testwarning.output
  85. }
  86. runtest() {
  87. local DELETEFILE="$1"
  88. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  89. prepare "${PKGFILE}"
  90. rm -rf rootdir/var/lib/apt/lists
  91. signreleasefiles 'Joe Sixpack'
  92. find aptarchive/ -name "$DELETEFILE" -delete
  93. successfulaptgetupdate
  94. testsuccessequal "$(cat "${PKGFILE}")
  95. " aptcache show apt
  96. installaptold
  97. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  98. prepare "${PKGFILE}-new"
  99. signreleasefiles 'Joe Sixpack'
  100. find aptarchive/ -name "$DELETEFILE" -delete
  101. successfulaptgetupdate
  102. testsuccessequal "$(cat "${PKGFILE}-new")
  103. " aptcache show apt
  104. installaptnew
  105. msgmsg 'Cold archive signed by' 'Rex Expired'
  106. prepare "${PKGFILE}"
  107. rm -rf rootdir/var/lib/apt/lists
  108. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  109. signreleasefiles 'Rex Expired'
  110. find aptarchive/ -name "$DELETEFILE" -delete
  111. updatewithwarnings '^W: .* EXPKEYSIG'
  112. testsuccessequal "$(cat "${PKGFILE}")
  113. " aptcache show apt
  114. failaptold
  115. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  116. msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
  117. if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  118. touch rootdir/etc/apt/apt.conf.d/99gnupg2
  119. elif gpg2 --version >/dev/null 2>&1; then
  120. echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
  121. if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
  122. rm rootdir/etc/apt/apt.conf.d/99gnupg2
  123. fi
  124. fi
  125. if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
  126. prepare "${PKGFILE}"
  127. rm -rf rootdir/var/lib/apt/lists
  128. signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
  129. find aptarchive/ -name "$DELETEFILE" -delete
  130. updatewithwarnings '^W: .* EXPSIG'
  131. testsuccessequal "$(cat "${PKGFILE}")
  132. " aptcache show apt
  133. failaptold
  134. rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
  135. else
  136. msgskip 'Not a new enough gpg available providing --fake-system-time'
  137. fi
  138. msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
  139. prepare "${PKGFILE}"
  140. rm -rf rootdir/var/lib/apt/lists
  141. signreleasefiles 'Joe Sixpack,Marvin Paranoid'
  142. find aptarchive/ -name "$DELETEFILE" -delete
  143. successfulaptgetupdate 'NO_PUBKEY'
  144. testsuccessequal "$(cat "${PKGFILE}")
  145. " aptcache show apt
  146. installaptold
  147. msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
  148. prepare "${PKGFILE}"
  149. rm -rf rootdir/var/lib/apt/lists
  150. signreleasefiles 'Joe Sixpack,Rex Expired'
  151. find aptarchive/ -name "$DELETEFILE" -delete
  152. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  153. successfulaptgetupdate 'EXPKEYSIG'
  154. rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  155. testsuccessequal "$(cat "${PKGFILE}")
  156. " aptcache show apt
  157. installaptold
  158. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  159. prepare "${PKGFILE}"
  160. rm -rf rootdir/var/lib/apt/lists
  161. signreleasefiles 'Marvin Paranoid'
  162. find aptarchive/ -name "$DELETEFILE" -delete
  163. updatewithwarnings '^W: .* NO_PUBKEY'
  164. testsuccessequal "$(cat "${PKGFILE}")
  165. " aptcache show apt
  166. failaptold
  167. msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
  168. prepare "${PKGFILE}-new"
  169. signreleasefiles 'Joe Sixpack'
  170. find aptarchive/ -name "$DELETEFILE" -delete
  171. successfulaptgetupdate
  172. testsuccessequal "$(cat "${PKGFILE}-new")
  173. " aptcache show apt
  174. installaptnew
  175. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  176. prepare "${PKGFILE}"
  177. rm -rf rootdir/var/lib/apt/lists
  178. signreleasefiles 'Joe Sixpack'
  179. find aptarchive/ -name "$DELETEFILE" -delete
  180. successfulaptgetupdate
  181. testsuccessequal "$(cat "${PKGFILE}")
  182. " aptcache show apt
  183. installaptold
  184. msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
  185. prepare "${PKGFILE}-new"
  186. signreleasefiles 'Marvin Paranoid'
  187. find aptarchive/ -name "$DELETEFILE" -delete
  188. updatewithwarnings '^W: .* NO_PUBKEY'
  189. testsuccessequal "$(cat "${PKGFILE}")
  190. " aptcache show apt
  191. installaptold
  192. msgmsg 'Good warm archive signed by' 'Rex Expired'
  193. prepare "${PKGFILE}-new"
  194. cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  195. signreleasefiles 'Rex Expired'
  196. find aptarchive/ -name "$DELETEFILE" -delete
  197. updatewithwarnings '^W: .* EXPKEYSIG'
  198. testsuccessequal "$(cat "${PKGFILE}")
  199. " aptcache show apt
  200. installaptold
  201. rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  202. msgmsg 'Good warm archive signed by' 'Joe Sixpack'
  203. prepare "${PKGFILE}-new"
  204. signreleasefiles
  205. find aptarchive/ -name "$DELETEFILE" -delete
  206. successfulaptgetupdate
  207. testsuccessequal "$(cat "${PKGFILE}-new")
  208. " aptcache show apt
  209. installaptnew
  210. msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
  211. prepare "${PKGFILE}"
  212. rm -rf rootdir/var/lib/apt/lists
  213. signreleasefiles 'Marvin Paranoid'
  214. find aptarchive/ -name "$DELETEFILE" -delete
  215. local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
  216. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  217. successfulaptgetupdate
  218. testsuccessequal "$(cat "${PKGFILE}")
  219. " aptcache show apt
  220. installaptold
  221. msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack'
  222. rm -rf rootdir/var/lib/apt/lists
  223. signreleasefiles 'Joe Sixpack'
  224. find aptarchive/ -name "$DELETEFILE" -delete
  225. updatewithwarnings '^W: .* NO_PUBKEY'
  226. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  227. local MARVIN="$(aptkey --keyring $MARVIN finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')"
  228. msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
  229. prepare "${PKGFILE}"
  230. rm -rf rootdir/var/lib/apt/lists
  231. signreleasefiles 'Marvin Paranoid'
  232. find aptarchive/ -name "$DELETEFILE" -delete
  233. sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
  234. cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  235. successfulaptgetupdate
  236. testsuccessequal "$(cat "${PKGFILE}")
  237. " aptcache show apt
  238. installaptold
  239. rm -f rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg
  240. msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack'
  241. rm -rf rootdir/var/lib/apt/lists
  242. signreleasefiles 'Joe Sixpack'
  243. find aptarchive/ -name "$DELETEFILE" -delete
  244. updatewithwarnings '^W: .* be verified because the public key is not available: .*'
  245. sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/*
  246. }
  247. runtest2() {
  248. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  249. prepare "${PKGFILE}"
  250. rm -rf rootdir/var/lib/apt/lists
  251. signreleasefiles 'Joe Sixpack'
  252. successfulaptgetupdate
  253. # New .deb but now an unsigned archive. For example MITM to circumvent
  254. # package verification.
  255. msgmsg 'Warm archive signed by' 'nobody'
  256. prepare "${PKGFILE}-new"
  257. find aptarchive/ -name InRelease -delete
  258. find aptarchive/ -name Release.gpg -delete
  259. updatewithwarnings 'W: .* no longer signed.'
  260. testsuccessequal "$(cat "${PKGFILE}-new")
  261. " aptcache show apt
  262. failaptnew
  263. # Unsigned archive from the beginning must also be detected.
  264. msgmsg 'Cold archive signed by' 'nobody'
  265. rm -rf rootdir/var/lib/apt/lists
  266. updatewithwarnings 'W: .* is not signed.'
  267. testsuccessequal "$(cat "${PKGFILE}-new")
  268. " aptcache show apt
  269. failaptnew
  270. }
  271. runtest3() {
  272. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::$1 \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  273. msgmsg "Running base test with $1 digest"
  274. runtest2
  275. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  276. msgmsg "Running test with deletion of $DELETEFILE and $1 digest"
  277. runtest "$DELETEFILE"
  278. done
  279. }
  280. # diable some protection by default and ensure we still do the verification
  281. # correctly
  282. cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF
  283. Acquire::AllowInsecureRepositories "1";
  284. Acquire::AllowDowngradeToInsecureRepositories "1";
  285. EOF
  286. # the hash marked as configureable in our gpgv method
  287. export APT_TESTS_DIGEST_ALGO='SHA224'
  288. successfulaptgetupdate() {
  289. testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  290. if [ -n "$1" ]; then
  291. cp rootdir/tmp/testsuccess.output aptupdate.output
  292. testsuccess grep "$1" aptupdate.output
  293. fi
  294. }
  295. runtest3 'Trusted'
  296. successfulaptgetupdate() {
  297. testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  298. if [ -n "$1" ]; then
  299. testsuccess grep "$1" rootdir/tmp/testwarning.output
  300. fi
  301. testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
  302. }
  303. runtest3 'Weak'
  304. msgmsg "Running test with apt-untrusted digest"
  305. echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
  306. runfailure() {
  307. for DELETEFILE in 'InRelease' 'Release.gpg'; do
  308. msgmsg 'Cold archive signed by' 'Joe Sixpack'
  309. prepare "${PKGFILE}"
  310. rm -rf rootdir/var/lib/apt/lists
  311. signreleasefiles 'Joe Sixpack'
  312. find aptarchive/ -name "$DELETEFILE" -delete
  313. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  314. testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
  315. testnopackage 'apt'
  316. testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  317. failaptold
  318. msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  319. prepare "${PKGFILE}"
  320. rm -rf rootdir/var/lib/apt/lists
  321. signreleasefiles 'Marvin Paranoid'
  322. find aptarchive/ -name "$DELETEFILE" -delete
  323. testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
  324. testnopackage 'apt'
  325. updatewithwarnings '^W: .* NO_PUBKEY'
  326. testsuccessequal "$(cat "${PKGFILE}")
  327. " aptcache show apt
  328. failaptold
  329. done
  330. }
  331. runfailure
  332. msgmsg "Running test with gpgv-untrusted digest"
  333. export APT_TESTS_DIGEST_ALGO='MD5'
  334. runfailure