authorDavid Kalnischkies <david@kalnischkies.de>2016-04-29 00:31:49 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2016-05-01 10:50:24 +0200
commitfb7b11ebb852fa255053ecab605bc9cfe9de0603 (patch)
tree409a82bf36e0be9d79666872a2165feb9c22b932 /test/integration/test-releasefile-verification
parent1af227c2eaad386f0917fc4f36c84fd5999b884e (diff)
don't show NO_PUBKEY warning if repo is signed by another key
Daniel Kahn Gillmor highlights in the bugreport that security isn't improving by having the user import additional keys – especially as importing keys securely is hard. The bugreport was initially about dropping the warning to a notice, but given the previously mentioned observation and the fact that we weren't printing a warning (or a notice) for expired or revoked keys providing a signature, we drop it completely, as the code to display a message if this was the only key is in another path – and is considered critical. Closes: 618445
Diffstat (limited to 'test/integration/test-releasefile-verification')
-rwxr-xr-xtest/integration/test-releasefile-verification31
1 files changed, 30 insertions, 1 deletions
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index a061832b6..5da0a8292 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -127,7 +127,7 @@ runtest() {
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
- rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
@@ -152,6 +152,28 @@ runtest() {
msgskip 'Not a new enough gpg available providing --fake-system-time'
fi
+ msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack,Marvin Paranoid'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ successfulaptgetupdate 'NO_PUBKEY'
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
+
+ msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack,Rex Expired'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ successfulaptgetupdate 'EXPKEYSIG'
+ rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
+
msgmsg 'Cold archive signed by' 'Marvin Paranoid'
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
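Review bot: The two added cases in runtest() leave the revoked-key co-signer untested: they cover a good signature next to a missing key (`NO_PUBKEY`) and next to an expired key (`EXPKEYSIG`), while the commit description names revoked keys as the third situation in which no message is printed. If the key fixtures contain a revoked key (none is visible in this hunk), a parallel case passing `REVKEYSIG` to `successfulaptgetupdate` would pin that behaviour too. A comment above the first new case would also help, for example `# one good signature from a trusted key is sufficient; extra signatures from unknown or expired keys must not produce a warning`, because the argument alone only names the gpgv status token expected in the debug output. runtest() starts and ends outside the hunk.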
@@ -302,11 +324,18 @@ export APT_TESTS_DIGEST_ALGO='SHA224'
successfulaptgetupdate() {
testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ if [ -n "$1" ]; then
+ cp rootdir/tmp/testsuccess.output aptupdate.output
+ testsuccess grep "$1" aptupdate.output
+ fi
}
runtest3 'Trusted'
successfulaptgetupdate() {
testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ if [ -n "$1" ]; then
+ testsuccess grep "$1" rootdir/tmp/testwarning.output
+ fi
testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
}
runtest3 'Weak'
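Review bot: In the second `successfulaptgetupdate` (the one in effect for `runtest3 'Weak'`), the added `grep "$1"` only proves that the token appears somewhere in `testwarning.output`, and `testwarning` is already satisfied by the weak-digest warning, so a reintroduced NO_PUBKEY warning would apparently still pass in this variant. If the framework's `testfailure` helper is usable here, a negative check such as `testfailure grep "^W: .*$1" rootdir/tmp/testwarning.output` would assert what the commit intends; the `W:` prefix is assumed and should be checked against the real output. Separately, `grep -F -- "$1"` would treat the token as a literal string in both functions, and the first function deserves a one-line comment on why the output is copied to `aptupdate.output` before grepping while the second greps the file in place.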