author | Julian Andres Klode <jak@debian.org> | 2018-10-14 19:23:41 +0000 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2018-10-14 19:23:41 +0000 |
commit | b80e48783c183aeaf1d30d898a7743f091d96336 (patch) | |
tree | 7a0e3711dd68bbd8fdfd0d07f9af6f33aa9d2d51 /test/integration | |
parent | bb2f6c8c2a965ac1ff01582b93e64da8991dcbfc (diff) | |
parent | 8375d5b58038fc026098dcccc3de87cd9d740334 (diff) |
Merge branch 'feature/subkeys' into 'master'
Support subkeys and multiple keyrings in Signed-By options
See merge request apt-team/apt!27
Diffstat (limited to 'test/integration')
-rw-r--r-- | test/integration/framework | 1 | ||||
-rw-r--r-- | test/integration/sebastiansubkey.master.sec | bin | 0 -> 4829 bytes | |||
-rw-r--r-- | test/integration/sebastiansubkey.pub | bin | 0 -> 2567 bytes | |||
-rw-r--r-- | test/integration/sebastiansubkey.sec | bin | 0 -> 3546 bytes | |||
-rwxr-xr-x | test/integration/test-apt-key | 16 | ||||
-rwxr-xr-x | test/integration/test-method-gpgv | 49 | ||||
-rwxr-xr-x | test/integration/test-releasefile-verification | 69 | ||||
-rwxr-xr-x | test/integration/test-signed-by-option | 22 |
8 files changed, 147 insertions, 10 deletions
diff --git a/test/integration/framework b/test/integration/framework
index b0456096c..8ec2e80cf 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1988,6 +1988,7 @@ mapkeynametokeyid() {
 *Joe*|*Sixpack*|newarchive) echo '5A90D141DBAC8DAE';;
 *Rex*|*Expired*) echo '4BC0A39C27CE74F9';;
 *Marvin*|*Paranoid*) echo 'E8525D47528144E2';;
+ *Sebastian*|*Subkey*) echo '5B6896415D44C43E';;
 oldarchive) echo 'FDD2DB85F68C85A3';;
 *) echo 'UNKNOWN KEY';;
 esac
diff --git a/test/integration/sebastiansubkey.master.sec b/test/integration/sebastiansubkey.master.sec
Binary files differnew file mode 100644
index 000000000..4d86fb983
--- /dev/null
+++ b/test/integration/sebastiansubkey.master.sec
diff --git a/test/integration/sebastiansubkey.pub b/test/integration/sebastiansubkey.pub
Binary files differnew file mode 100644
index 000000000..c5f198c77
--- /dev/null
+++ b/test/integration/sebastiansubkey.pub
diff --git a/test/integration/sebastiansubkey.sec b/test/integration/sebastiansubkey.sec
Binary files differnew file mode 100644
index 000000000..fd40889da
--- /dev/null
+++ b/test/integration/sebastiansubkey.sec
diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key
index d690a9026..a1e633ca3 100755
--- a/test/integration/test-apt-key
+++ b/test/integration/test-apt-key
@@ -89,6 +89,14 @@ gpg: unchanged: 1' aptkey --fakeroot update testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.export" testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.exportall" + msgtest 'Check that multiple keys can be' 'exported' + aptkey export 'Sixpack' 'Expired' > "${TMPWORKINGDIRECTORY}/aptkey.export" 2>/dev/null + aptkey --keyring "${KEYDIR}/rexexpired.pub.${EXT}" \ + --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}" exportall > "${TMPWORKINGDIRECTORY}/aptkey.exportall" + testsuccess --nomsg cmp "${TMPWORKINGDIRECTORY}/aptkey.export" "${TMPWORKINGDIRECTORY}/aptkey.exportall" + testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.export" + testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.exportall" + msgtest 'Execute update again to trigger removal of' 'Rex Expired key' ${TESTSTATE} --nomsg aptkey --fakeroot update @@ -274,6 +282,14 @@ gpg: unchanged: 1' aptkey --fakeroot update msgtest 'Test verify a file' 'with good keyring' testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}" + msgtest 'Test verify a file' 'with good keyrings 1' + testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/joesixpack.pub.${EXT}" \ + --keyring "${KEYDIR}/marvinparanoid.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}" + + msgtest 'Test verify a file' 'with good keyrings 2' + testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/marvinparanoid.pub.${EXT}" \ + --keyring "${KEYDIR}/joesixpack.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}" + msgtest 'Test fail verify a file' 'with bad keyring' testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/joesixpack.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}" diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv index 5e00b1f13..b7cf11bdc 100755 --- a/test/integration/test-method-gpgv +++ b/test/integration/test-method-gpgv 
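Review bot: In test-apt-key, the second hunk exercises two `--keyring` arguments only with keyring sets that are expected to verify, so nothing pins that passing an extra keyring never loosens verification. The context line right after the additions shows `joesixpack.pub` alone is expected to fail, which suggests every signature on the file has to be covered. A matching negative case would guard that, for example a new `msgtest 'Test fail verify a file' 'with bad keyrings'` followed by `testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/joesixpack.pub.${EXT}" --keyring "${KEYDIR}/rexexpired.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"`. This assumes the signed file carries no Rex Expired signature, which the hunk does not show.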
@@ -40,6 +40,11 @@ testrun() { testgpgv 'Good signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E,' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org> +[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E,' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org> +[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testgpgv 'Untrusted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccess grep '^\s\+Good:\s\+$' method.output 
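Review bot: The new subkey cases in `testrun()` depend on the field layout of the canned `VALIDSIG` line, and nothing in the test says so. The first field (`4281DEDBD466EAE8C1F4157E5B6896415D44C43E`) is the signing subkey and the last field (`34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE`) is the primary key that `Signed-By` names. A comment above them such as `# VALIDSIG: first field = signing (sub)key fingerprint, last field = primary key fingerprint` would make the intent readable. The exact-match cases added further down in this file swap the roles of the two fingerprints and would benefit from the same remark. `testrun()` starts and ends outside this hunk.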
@@ -87,7 +92,21 @@ Config-Item: APT::Hashes::SHA1::Weak=true 600 URI Acquire URI: file:///dev/null Filename: /dev/zero -Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +Signed-By: /dev/null,34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +' | runapt "${METHODSDIR}/gpgv" +} +testrun + +gpgvmethod() { + echo '601 Configuration +Config-Item: Debug::Acquire::gpgv=1 +Config-Item: Dir::Bin::apt-key=./faked-apt-key +Config-Item: APT::Hashes::SHA1::Weak=true + +600 URI Acquire +URI: file:///dev/null +Filename: /dev/zero +Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,/dev/null ' | runapt "${METHODSDIR}/gpgv" } testrun 
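Review bot: Both mixed lists, `/dev/null,<fingerprint>` in the changed line and `<fingerprint>,/dev/null` in the added `gpgvmethod()`, run with `Dir::Bin::apt-key=./faked-apt-key`. These runs therefore check only how the method matches the canned status lines against the list; as far as the hunk shows, nothing asserts that the keyring entry is handed on to apt-key. If the fake can record its arguments, a `testsuccess grep` on that record after each `testrun` would pin the filename half of the list as well. A one-line comment above each `gpgvmethod()` definition (`# keyring path first` / `# fingerprint first`) would also help, since the two bodies differ only in the `Signed-By:` line. The first `gpgvmethod()` begins above the hunk.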
@@ -96,7 +115,33 @@ testgpgv 'Good signed with long keyid but not signed-by key' 'NoPubKey: GOODSIG [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742625 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9' testsuccess grep '^\s\+Good:\s\+$' method.output testsuccess grep 'verified because the public key is not available: GOODSIG' method.output -testgpgv 'Good signed with fingerprint' 'NoPubKey: GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9,' '[GNUPG:] GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org> +testgpgv 'Good signed with fingerprint but not signed-by key' 'NoPubKey: GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9,' '[GNUPG:] GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org> [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742625 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9' testsuccess grep '^\s\+Good:\s\+$' method.output testsuccess grep 'verified because the public key is not available: GOODSIG' method.output + +gpgvmethod() { + echo '601 Configuration +Config-Item: Debug::Acquire::gpgv=1 +Config-Item: Dir::Bin::apt-key=./faked-apt-key +Config-Item: APT::Hashes::SHA1::Weak=true + +600 URI Acquire +URI: file:///dev/null +Filename: /dev/zero +Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE! 
+' | runapt "${METHODSDIR}/gpgv" +} +testgpgv 'Exact matched subkey signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Sebastian Subkey <subkey@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' +testgpgv 'Exact matched subkey signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Sebastian Subkey <subkey@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' + +testgpgv 'Exact unmatched subkey signed with long keyid' 'NoPubKey: GOODSIG 5B6896415D44C43E,' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org> +[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' +testsuccess grep '^\s\+Good:\s\+$' method.output +testsuccess grep 'verified because the public key is not available: GOODSIG' method.output +testgpgv 'Exact unmatched subkey signed with fingerprint' 'NoPubKey: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E,' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org> +[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' +testsuccess grep '^\s\+Good:\s\+$' method.output +testsuccess grep 'verified because the public key is not available: GOODSIG' method.output diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 36a90f9d5..382d89ecd 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification 
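Review bot: The exact-match (`!`) cases all use a `Signed-By` list with a single entry, so nothing here checks that `!` applies per entry when exact and non-exact fingerprints are mixed. Assuming per-entry semantics are intended, one more `gpgvmethod()` variant would pin that, with `Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!,891CC50E605796A0C6E733F74BC0A39C27CE74F9` re-running the 'Exact unmatched subkey' status lines and still expecting `NoPubKey`. That would show a second list entry does not relax the exactness of the first. The parsing tests in test-signed-by-option only check that such lists are accepted, not how they are matched.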
@@ -233,22 +233,39 @@ runtest() { " aptcache show apt installaptnew - msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid' - prepare "${PKGFILE}" + msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack' rm -rf rootdir/var/lib/apt/lists - signreleasefiles 'Marvin Paranoid' local MARVIN="$(readlink -f keys/marvinparanoid.pub)" sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* + updatewithwarnings '^W: .* NO_PUBKEY' + + msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid' + prepare "${PKGFILE}" + signreleasefiles 'Marvin Paranoid' + rm -rf rootdir/var/lib/apt/lists successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold - msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack' + msgmsg 'Cold archive signed by good keyrings' 'Marvin Paranoid, Joe Sixpack' rm -rf rootdir/var/lib/apt/lists - signreleasefiles 'Joe Sixpack' - updatewithwarnings '^W: .* NO_PUBKEY' - sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/* + local SIXPACK="$(readlink -f keys/joesixpack.pub)" + sed -i "s# \[signed-by=[^]]\+\] # [signed-by=$MARVIN,$SIXPACK] #" rootdir/etc/apt/sources.list.d/* + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + installaptold + + msgmsg 'Cold archive signed by good keyrings' 'Joe Sixpack, Marvin Paranoid' + rm -rf rootdir/var/lib/apt/lists + local SIXPACK="$(readlink -f keys/joesixpack.pub)" + sed -i "s# \[signed-by=[^]]\+\] # [signed-by=$SIXPACK,$MARVIN] #" rootdir/etc/apt/sources.list.d/* + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + installaptold + sed -i "s# \[signed-by=[^]]\+\] # #" rootdir/etc/apt/sources.list.d/* local MARVIN="$(aptkey --keyring $MARVIN finger --with-colons | grep '^fpr' | cut -d':' -f 10)" msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack' 
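Review bot: The reordered 'Cold archive signed by bad keyring' block no longer calls `signreleasefiles 'Joe Sixpack'`, so its `NO_PUBKEY` expectation depends on whatever signature the preceding block (outside this hunk) left on the archive. If that earlier block is ever changed to sign with another key, this negative case fails, or changes meaning, for a reason unrelated to `signed-by`. Keeping `signreleasefiles 'Joe Sixpack'` at the top of the block would make it self-contained, or at least a comment like `# archive is still signed by Joe Sixpack from the previous block`. Separately, `local SIXPACK="$(readlink -f keys/joesixpack.pub)"` is declared twice with the same value and the second can be dropped. `runtest()` begins and ends outside the hunk.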
@@ -342,6 +359,44 @@ Signed-By: ${MARVIN} ${MARVIN}, \\ testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt installaptnew + + cp -a keys/sebastiansubkey.pub rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg + local SEBASTIAN="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 1 '^fpr' | cut -d':' -f 10)" + msgmsg 'Warm archive with subkey signing' 'Sebastian Subkey' + rm -rf rootdir/var/lib/apt/lists + cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists + signreleasefiles 'Sebastian Subkey' + sed -i "/^Valid-Until: / a\ +Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}-new") +" aptcache show apt + installaptnew + + msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey' + rm -rf rootdir/var/lib/apt/lists + cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists + sed -i "/^Valid-Until: / a\ +Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + updatewithwarnings 'W: .* public key is not available: GOODSIG' + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + installaptold + + local SUBKEY="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 2 '^fpr' | tail -n -1 | cut -d':' -f 10)" + msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey' + rm -rf rootdir/var/lib/apt/lists + cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists + sed -i "/^Valid-Until: / a\ +Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}-new") +" aptcache show apt + installaptnew + rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg } runtest2() { 
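Review bot: `SEBASTIAN` and `SUBKEY` are filled with `local VAR="$(aptkey … | grep … | cut …)"`, which discards the pipeline's exit status, so an empty result would be written into the Release files as a bare `Signed-By:` line. In the first block the key is also installed in `trusted.gpg.d`, so the update would likely still succeed and the case would pass without testing the primary-fingerprint match at all. Checking the values before use closes that gap, e.g. `testsuccess test -n "${SEBASTIAN}"` and `testsuccess test -n "${SUBKEY}"`. The `grep -m 2 '^fpr' | tail -n -1` selection also assumes the signing subkey is the first subkey listed for the key, which deserves a short comment. The enclosing function begins outside this hunk.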
diff --git a/test/integration/test-signed-by-option b/test/integration/test-signed-by-option index 4ab2e28bb..faa7dec44 100755 --- a/test/integration/test-signed-by-option +++ b/test/integration/test-signed-by-option @@ -7,7 +7,27 @@ TESTDIR="$(readlink -f "$(dirname "$0")")" setupenvironment configarchitecture 'amd64' -msgtest "Check that a repository with signed-by and two components works" +msgtest 'Check that a repository with' 'signed-by and two components works' echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list +testsuccess --nomsg aptcache policy + +msgtest 'Check that a repository with' 'two fingerprints work' +echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list +testsuccess --nomsg aptcache policy + +msgtest 'Check that a repository with' 'exact fingerprint works' +echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386!] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list +testsuccess --nomsg aptcache policy +msgtest 'Check that a repository with' 'whitespaced fingerprints work' +echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386!,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list +cat > rootdir/etc/apt/sources.list.d/people.sources <<EOF +Types: deb +URIs: mirror+file:/var/lib/apt/mirror.lst +Suites: stable testing +Components: main contrib +Architectures: amd64 i386 +Signed-By: CDE5618B8805FD6E202CE9C2D73C39E56580B386! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + , , BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB +EOF testsuccess --nomsg aptcache policy |
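Review bot: Every new case asserts only that `aptcache policy` exits successfully, so a `signed-by` entry that is silently dropped or mis-split would go unnoticed (for example around `!,,,,` or the continuation line starting `, ,`). The last case also writes both the one-line `sources.list` and the deb822 `people.sources` before a single check, so a failure cannot be attributed to either format. Adding `testsuccess --nomsg aptcache policy` right after the `echo`, and a separate `msgtest 'Check that a deb822 source with' 'whitespaced fingerprints work'` before the `cat`, would separate the two. If some command output exposes the parsed key list, comparing it with `testsuccessequal` would be the stronger check; none is visible in this hunk.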