diff options
| author | David Kalnischkies <david@kalnischkies.de> | 2016-04-29 00:31:49 +0200 |
|---|---|---|
| committer | David Kalnischkies <david@kalnischkies.de> | 2016-05-01 10:50:24 +0200 |
| commit | fb7b11ebb852fa255053ecab605bc9cfe9de0603 (patch) | |
| tree | 409a82bf36e0be9d79666872a2165feb9c22b932 /test/integration/test-releasefile-verification | |
| parent | 1af227c2eaad386f0917fc4f36c84fd5999b884e (diff) | |
don't show NO_PUBKEY warning if repo is signed by another key
Daniel Kahn Gillmor highlights in the bugreport that security isn't
improving by having the user import additional keys – especially as
importing keys securely is hard.
The bugreport was initially about dropping the warning to a notice, but
in given the previously mentioned observation and the fact that we
weren't printing a warning (or a notice) for expired or revoked keys
providing a signature we drop it completely as the code to display a
message if this was the only key is in another path – and is considered
critical.
Closes: 618445
Diffstat (limited to 'test/integration/test-releasefile-verification')
| -rwxr-xr-x | test/integration/test-releasefile-verification | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index a061832b6..5da0a8292 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -127,7 +127,7 @@ runtest() { testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold - rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg msgmsg 'Cold archive expired signed by' 'Joe Sixpack' if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then @@ -152,6 +152,28 @@ runtest() { msgskip 'Not a new enough gpg available providing --fake-system-time' fi + msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid' + prepare "${PKGFILE}" + rm -rf rootdir/var/lib/apt/lists + signreleasefiles 'Joe Sixpack,Marvin Paranoid' + find aptarchive/ -name "$DELETEFILE" -delete + successfulaptgetupdate 'NO_PUBKEY' + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + installaptold + + msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired' + prepare "${PKGFILE}" + rm -rf rootdir/var/lib/apt/lists + signreleasefiles 'Joe Sixpack,Rex Expired' + find aptarchive/ -name "$DELETEFILE" -delete + cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + successfulaptgetupdate 'EXPKEYSIG' + rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + installaptold + msgmsg 'Cold archive signed by' 'Marvin Paranoid' prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists @@ -302,11 +324,18 @@ export APT_TESTS_DIGEST_ALGO='SHA224' successfulaptgetupdate() { testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + if [ -n "$1" ]; then + cp rootdir/tmp/testsuccess.output aptupdate.output + testsuccess grep "$1" aptupdate.output + fi } runtest3 'Trusted' successfulaptgetupdate() { testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + if [ -n "$1" ]; then + testsuccess grep "$1" rootdir/tmp/testwarning.output + fi testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output } runtest3 'Weak' |