summaryrefslogtreecommitdiff
path: root/test/integration
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2014-10-13 08:12:06 +0200
committerMichael Vogt <mvo@ubuntu.com>2014-10-13 11:29:46 +0200
commit07cb47e71f4de7e3c57f9dcfbfb82e4e5566aed6 (patch)
tree2a37a6e25fb33737919a222e8cd47257600f45b5 /test/integration
parent862bafea48af2ceaf96345db237b461307a021f6 (diff)
trusted=yes sources are secure, we just don't know why
Do not require a special flag to be present to update trusted=yes sources as this flag in the sources.list is obviously special enough. Note that this is just disabling the error message, the user will still be warned about all the (possible) failures the repository generated, it is just triggering the acceptance of the warnings on a source-by-source level. Similarily, the trusted=no flag doesn't require the user to pass additional flags to update, if the repository looks fine in the view of apt it will update just fine. The unauthenticated warnings will "just" be presented then the data is used. In case you wonder: Both was the behavior in previous versions, too.
Diffstat (limited to 'test/integration')
-rw-r--r--test/integration/framework9
-rwxr-xr-xtest/integration/test-sourceslist-trusted-options168
2 files changed, 174 insertions, 3 deletions
diff --git a/test/integration/framework b/test/integration/framework
index 75cec204c..76425f0c3 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -859,6 +859,7 @@ setupaptarchive() {
signreleasefiles() {
local SIGNER="${1:-Joe Sixpack}"
+ local REPODIR="${2:-aptarchive}"
local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')"
local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes"
msgninfo "\tSign archive with $SIGNER key $KEY… "
@@ -885,7 +886,7 @@ signreleasefiles() {
cp ${REXKEY}.pub $PUBUNEXPIRED
fi
fi
- for RELEASE in $(find aptarchive/ -name Release); do
+ for RELEASE in $(find ${REPODIR}/ -name Release); do
$GPG --default-key "$SIGNER" --armor --detach-sign --sign --output ${RELEASE}.gpg ${RELEASE}
local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
$GPG --default-key "$SIGNER" --clearsign --output $INRELEASE $RELEASE
@@ -1167,9 +1168,10 @@ testsuccess() {
if $@ >${OUTPUT} 2>&1; then
msgpass
else
+ local EXITCODE=$?
echo >&2
cat >&2 $OUTPUT
- msgfail
+ msgfail "exitcode $EXITCODE"
fi
}
@@ -1181,9 +1183,10 @@ testfailure() {
fi
local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
if $@ >${OUTPUT} 2>&1; then
+ local EXITCODE=$?
echo >&2
cat >&2 $OUTPUT
- msgfail
+ msgfail "exitcode $EXITCODE"
else
msgpass
fi
diff --git a/test/integration/test-sourceslist-trusted-options b/test/integration/test-sourceslist-trusted-options
new file mode 100755
index 000000000..ae65cca83
--- /dev/null
+++ b/test/integration/test-sourceslist-trusted-options
@@ -0,0 +1,168 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture 'amd64'
+
+buildsimplenativepackage 'foo' 'amd64' '1' 'stable'
+buildsimplenativepackage 'foo' 'amd64' '2' 'testing'
+
+setupaptarchive --no-update
+
+APTARCHIVE=$(readlink -f ./aptarchive)
+
+everythingsucceeds() {
+ testequal 'Listing...
+foo/testing 2 amd64
+foo/stable 1 amd64
+' apt list foo -a
+
+ rm -f foo_1_amd64.deb foo_2_amd64.deb
+ testsuccess aptget download foo "$@"
+ testsuccess test -s foo_1_amd64.deb -o -s foo_2_amd64.deb
+
+ rm -f foo_1.dsc foo_2.dsc
+ testsuccess aptget source foo --dsc-only -d "$@"
+ testsuccess test -s foo_1.dsc -o -s foo_2.dsc
+}
+
+everythingfails() {
+ testequal 'Listing...
+foo/testing 2 amd64
+foo/stable 1 amd64
+' apt list foo -a
+
+ local WARNING='WARNING: The following packages cannot be authenticated!
+ foo
+E: Some packages could not be authenticated'
+
+ rm -f foo_1_amd64.deb foo_2_amd64.deb
+ testfailure aptget download foo "$@"
+ testequal "$WARNING" tail -n 3 rootdir/tmp/testfailure.output
+ testfailure test -s foo_1_amd64.deb -o -s foo_2_amd64.deb
+
+ rm -f foo_1.dsc foo_2.dsc
+ testfailure aptget source foo --dsc-only -d "$@"
+ testequal "$WARNING" tail -n 3 rootdir/tmp/testfailure.output
+ testfailure test -s foo_1.dsc -o -s foo_2.dsc
+}
+
+cp -a rootdir/etc/apt/sources.list.d/ rootdir/etc/apt/sources.list.d.bak/
+
+aptgetupdate() {
+ rm -rf rootdir/var/lib/apt/lists
+ # note that insecure with trusted=yes are allowed
+ # as the trusted=yes indicates that security is provided by
+ # something above the understanding of apt
+ testsuccess aptget update --no-allow-insecure-repositories
+}
+
+insecureaptgetupdate() {
+ rm -rf rootdir/var/lib/apt/lists
+ testfailure aptget update
+ rm -rf rootdir/var/lib/apt/lists
+ testsuccess aptget update --allow-insecure-repositories
+}
+
+msgmsg 'Test without trusted option and good sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+aptgetupdate
+everythingsucceeds
+everythingsucceeds -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=yes option and good sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
+aptgetupdate
+everythingsucceeds
+everythingsucceeds -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=no option and good sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=no] #' rootdir/etc/apt/sources.list.d/*
+# we want the warnings on the actions, but for 'update' everything is fine
+aptgetupdate
+everythingfails
+everythingfails -t stable
+everythingfails -t testing
+
+find aptarchive/dists/stable \( -name 'InRelease' -o -name 'Release.gpg' \) -delete
+
+msgmsg 'Test without trusted option and good and unsigned sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+insecureaptgetupdate
+everythingsucceeds
+everythingfails -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=yes option and good and unsigned sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
+aptgetupdate
+everythingsucceeds
+everythingsucceeds -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=no option and good and unsigned sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=no] #' rootdir/etc/apt/sources.list.d/*
+insecureaptgetupdate
+everythingfails
+everythingfails -t stable
+everythingfails -t testing
+
+signreleasefiles 'Marvin Paranoid' 'aptarchive/dists/stable'
+
+msgmsg 'Test without trusted option and good and unknown sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+insecureaptgetupdate
+everythingsucceeds
+everythingfails -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=yes option and good and unknown sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
+aptgetupdate
+everythingsucceeds
+everythingsucceeds -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=no option and good and unknown sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=no] #' rootdir/etc/apt/sources.list.d/*
+insecureaptgetupdate
+everythingfails
+everythingfails -t stable
+everythingfails -t testing
+
+signreleasefiles 'Rex Expired' 'aptarchive/dists/stable'
+cp -a keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+
+msgmsg 'Test without trusted option and good and expired sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+insecureaptgetupdate
+everythingsucceeds
+everythingfails -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=yes option and good and expired sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
+aptgetupdate
+everythingsucceeds
+everythingsucceeds -t stable
+everythingsucceeds -t testing
+
+msgmsg 'Test with trusted=no option and good and expired sources'
+cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
+sed -i 's#^deb\(-src\)\? #deb\1 [trusted=no] #' rootdir/etc/apt/sources.list.d/*
+insecureaptgetupdate
+everythingfails
+everythingfails -t stable
+everythingfails -t testing