diff options
| author | David Kalnischkies <david@kalnischkies.de> | 2018-08-17 11:59:45 +0200 |
|---|---|---|
| committer | David Kalnischkies <david@kalnischkies.de> | 2018-09-11 13:16:11 +0200 |
| commit | ff8fa4ab4b80384a9240f0df63181f71077a8d83 (patch) | |
| tree | 9e01aae054c99f8467dc5c2feb196378a33772ea /test/integration/test-releasefile-verification | |
| parent | a5953d914488c80c28fba6b59d2f0be461cd9f03 (diff) | |
Support subkeys properly in Signed-By options
If we limit a file to be signed by a certain key it should usually
accept also being signed by any of this keys subkeys instead of
requiring each subkey to be listed explicitly. If the later is really
wanted we support now also the same syntax as gpg does with appending an
exclamation mark at the end of the fingerprint to force no mapping.
Diffstat (limited to 'test/integration/test-releasefile-verification')
| -rwxr-xr-x | test/integration/test-releasefile-verification | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 36a90f9d5..f61d93f79 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -342,6 +342,44 @@ Signed-By: ${MARVIN} ${MARVIN}, \\ testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt installaptnew + + cp -a keys/sebastiansubkey.pub rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg + local SEBASTIAN="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 1 '^fpr' | cut -d':' -f 10)" + msgmsg 'Warm archive with subkey signing' 'Sebastian Subkey' + rm -rf rootdir/var/lib/apt/lists + cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists + signreleasefiles 'Sebastian Subkey' + sed -i "/^Valid-Until: / a\ +Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}-new") +" aptcache show apt + installaptnew + + msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey' + rm -rf rootdir/var/lib/apt/lists + cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists + sed -i "/^Valid-Until: / a\ +Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + updatewithwarnings 'W: .* public key is not available: GOODSIG' + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + installaptold + + local SUBKEY="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 2 '^fpr' | tail -n -1 | cut -d':' -f 10)" + msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey' + rm -rf rootdir/var/lib/apt/lists + cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists + sed -i "/^Valid-Until: / a\ +Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}-new") +" aptcache show apt + installaptnew + rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg } runtest2() { |