author | David Kalnischkies <david@kalnischkies.de> | 2016-04-29 00:31:49 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2016-05-10 20:53:16 +0200 |
commit | f5b1b479cfcebcac2f4ac1b9266c1d871d3cd988 (patch) | |
tree | e06c24611909b807cc1599094f325293ff9949c8 /test/integration/test-releasefile-verification | |
parent | bddb663c5d46072c1dbd72a69c1745d598e9c0eb (diff) |
don't show NO_PUBKEY warning if repo is signed by another key
Daniel Kahn Gillmor highlights in the bugreport that security isn't
improving by having the user import additional keys – especially as
importing keys securely is hard.
The bugreport was initially about dropping the warning to a notice, but
given the previously mentioned observation and the fact that we
weren't printing a warning (or a notice) for expired or revoked keys
providing a signature we drop it completely as the code to display a
message if this was the only key is in another path – and is considered
critical.
Closes: 618445
(Backported from commit fb7b11ebb852fa255053ecab605bc9cfe9de0603)
Diffstat (limited to 'test/integration/test-releasefile-verification')
-rwxr-xr-x | test/integration/test-releasefile-verification | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index c349c4428..19d5cb9bc 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -127,7 +127,29 @@ runtest() {
  testsuccessequal "$(cat "${PKGFILE}")
 " aptcache show apt
  failaptold
- rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+
+ msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack,Marvin Paranoid'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ successfulaptgetupdate 'NO_PUBKEY'
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
+
+ msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack,Rex Expired'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ successfulaptgetupdate 'EXPKEYSIG'
+ rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
 
  msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  prepare "${PKGFILE}"
@@ -279,11 +301,18 @@ export APT_TESTS_DIGEST_ALGO='SHA224'
 
 successfulaptgetupdate() {
  testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ if [ -n "$1" ]; then
+ cp rootdir/tmp/testsuccess.output aptupdate.output
+ testsuccess grep "$1" aptupdate.output
+ fi
 }
 runtest3 'Trusted'
 
 successfulaptgetupdate() {
  testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ if [ -n "$1" ]; then
+ testsuccess grep "$1" rootdir/tmp/testwarning.output
+ fi
  testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
 }
 runtest3 'Weak'
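Review bot: The two new scenarios in runtest assert that `NO_PUBKEY` and `EXPKEYSIG` appear in the update output, which with `-o Debug::Acquire::gpgv=1` is the gpgv status line rather than the user-visible warning this commit removes; whether the `W:` line is also absent depends on how `testsuccess` treats warnings, which is defined outside this diff. A comment above the first added `msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'` would make the intent explicit, e.g. `# one unknown plus one trusted signature: update must succeed and the gpgv debug output names the missing key, but no NO_PUBKEY warning may be shown`, with the same wording for the `Rex Expired` / `EXPKEYSIG` case. The change from `rm` to `rm -f` on `rexexpired.gpg` presumably exists because the second scenario now also removes that file; it is harmless but worth a word in the commit. `runtest` starts and ends outside the hunk.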
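Review bot: `testsuccess grep "$1" aptupdate.output` (and the `rootdir/tmp/testwarning.output` variant in the second override) passes the marker as a regular expression and as a possibly option-looking argument; for the literal status tokens used by the callers `grep -F --` is the precise form: `testsuccess grep -F -- "$1" aptupdate.output` and `testsuccess grep -F -- "$1" rootdir/tmp/testwarning.output`. Only these two overrides of `successfulaptgetupdate` honour `$1`; if other definitions of the function exist elsewhere in the file (not visible here), the `NO_PUBKEY` / `EXPKEYSIG` checks added to `runtest` silently do nothing under those configurations, so the assertion is weaker than it looks. The `cp rootdir/tmp/testsuccess.output aptupdate.output` presumably exists because the following `testsuccess grep` itself rewrites `testsuccess.output`; a one-line comment such as `# testsuccess below overwrites testsuccess.output, so grep a copy` would save the next reader the same inference.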