diff options
author | Julian Andres Klode <jak@debian.org> | 2016-03-14 13:24:17 +0100 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2016-03-14 13:46:33 +0100 |
commit | 493a813e8a743cfe763bf5eb18073ef9f51dabc2 (patch) | |
tree | b6f6dabcba8d9c61b0dc31af5c7b66d3a56445b2 /test/integration | |
parent | a4b5567d5e989229a77227f30cfa36110bd12ec6 (diff) |
test: Use SHA512 digests for GPG, reject SHA1-based signatures
This makes the test suite safe if we ever need to reject SHA1
signatures in an update.
Diffstat (limited to 'test/integration')
-rw-r--r-- | test/integration/framework | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/test/integration/framework b/test/integration/framework index ffec06641..2b7f3f967 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -389,6 +389,10 @@ EOF echo "Acquire::https::CaInfo \"${TMPWORKINGDIRECTORY}/rootdir/etc/webserver.pem\";" > rootdir/etc/apt/apt.conf.d/99https echo "Apt::Cmd::Disable-Script-Warning \"1\";" > rootdir/etc/apt/apt.conf.d/apt-binary echo 'Acquire::Connect::AddrConfig "false";' > rootdir/etc/apt/apt.conf.d/connect-addrconfig + if aptkey verify --weak-digest SHA1 --help 2>/dev/null >/dev/null; then + echo 'Acquire::gpgv::Options { "--weak-digest"; "sha1"; };' > rootdir/etc/apt/apt.conf.d/no-sha1 + fi + configcompression '.' 'gz' #'bz2' 'lzma' 'xz' confighashes 'SHA256' # these are tests, not security best-practices @@ -1066,7 +1070,7 @@ signreleasefiles() { local SIGNER="${1:-Joe Sixpack}" local REPODIR="${2:-aptarchive}" local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')" - local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes" + local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo SHA512" msgninfo "\tSign archive with $SIGNER key $KEY… " local REXKEY='keys/rexexpired' local SECEXPIREBAK="${REXKEY}.sec.bak" |