test Release file handling with expired keys

Signing files with expired keys is not as easy as it sounds, so the
framework jumps a few loops to do it, but it might come in handy to have
an expired key around for later tests even if it is not that different
from having no key in regards to APT behaviour.

Git-Dch: Ignore

4 files changed, 62 insertions, 8 deletions

diff --git a/test/integration/framework b/test/integration/framework
index 7dd7c20a7..f64b8482c 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -711,22 +711,45 @@ setupaptarchive() {
 
 signreleasefiles() {
 	local SIGNER="${1:-Joe Sixpack}"
+	local GPG="gpg --batch --yes --no-default-keyring --trustdb-name rootdir/etc/apt/trustdb.gpg"
 	msgninfo "\tSign archive with $SIGNER key… "
-	local SECKEYS=""
+	local REXKEY='keys/rexexpired'
+	local SECEXPIREBAK="${REXKEY}.sec.bak"
+	local PUBEXPIREBAK="${REXKEY}.pub.bak"
+	if [ "${SIGNER}" = 'Rex Expired' ]; then
+		# the key is expired, so gpg doesn't allow to sign with and the --faked-system-time
+		# option doesn't exist anymore (and using faketime would add a new obscure dependency)
+		# therefore we 'temporary' make the key not expired and restore a backup after signing
+		cp ${REXKEY}.sec $SECEXPIREBAK
+		cp ${REXKEY}.pub $PUBEXPIREBAK
+		local SECUNEXPIRED="${REXKEY}.sec.unexpired"
+		local PUBUNEXPIRED="${REXKEY}.pub.unexpired"
+		if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then
+			cp $SECUNEXPIRED ${REXKEY}.sec
+			cp $PUBUNEXPIRED ${REXKEY}.pub
+		else
+			printf "expire\n1w\nsave\n" | $GPG --keyring ${REXKEY}.pub --secret-keyring ${REXKEY}.sec --command-fd 0 --edit-key "${SIGNER}" >/dev/null 2>&1 || true
+			cp ${REXKEY}.sec $SECUNEXPIRED
+			cp ${REXKEY}.pub $PUBUNEXPIRED
+		fi
+	fi
 	for KEY in $(find keys/ -name '*.sec'); do
-		SECKEYS="$SECKEYS --secret-keyring $KEY"
+		GPG="$GPG --secret-keyring $KEY"
 	done
-	local PUBKEYS=""
 	for KEY in $(find keys/ -name '*.pub'); do
-		PUBKEYS="$PUBKEYS --keyring $KEY"
+		GPG="$GPG --keyring $KEY"
 	done
 	for RELEASE in $(find aptarchive/ -name Release); do
-		gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" -abs -o ${RELEASE}.gpg ${RELEASE}
+		$GPG --default-key "$SIGNER" --armor --detach-sign --sign --output ${RELEASE}.gpg ${RELEASE}
 		local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
-		gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" --clearsign -o $INRELEASE $RELEASE
+		$GPG --default-key "$SIGNER" --clearsign --output $INRELEASE $RELEASE
 		# we might have set a specific date for the Release file, so copy it
 		touch -d "$(stat --format "%y" ${RELEASE})" ${RELEASE}.gpg ${INRELEASE}
 	done
+	if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then
+		mv -f $SECEXPIREBAK ${REXKEY}.sec
+		mv -f $PUBEXPIREBAK ${REXKEY}.pub
+	fi
 	msgdone "info"
 }
 
diff --git a/test/integration/rexexpired.pub b/test/integration/rexexpired.pub
new file mode 100644
index 000000000..5ab2e489a
--- /dev/null
+++ b/test/integration/rexexpired.pub
diff --git a/test/integration/rexexpired.sec b/test/integration/rexexpired.sec
new file mode 100644
index 000000000..dc00168cd
--- /dev/null
+++ b/test/integration/rexexpired.sec
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index e56f458d3..daba3919b 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -107,13 +107,24 @@ runtest() {
 " aptcache show apt
 	installaptnew
 
+	prepare ${PKGFILE}
+	rm -rf rootdir/var/lib/apt/lists
+	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+	signreleasefiles 'Rex Expired'
+	find aptarchive/ -name "$DELETEFILE" -delete
+	msgtest 'Cold archive signed by' 'Rex Expired'
+	aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
+	testequal "$(cat ${PKGFILE})
+" aptcache show apt
+	failaptold
+	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 
 	prepare ${PKGFILE}
 	rm -rf rootdir/var/lib/apt/lists
 	signreleasefiles 'Marvin Paranoid'
 	find aptarchive/ -name "$DELETEFILE" -delete
 	msgtest 'Cold archive signed by' 'Marvin Paranoid'
-	aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+	aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
 	testequal "$(cat ${PKGFILE})
 " aptcache show apt
 	failaptold
@@ -147,10 +158,30 @@ runtest() {
 	signreleasefiles 'Marvin Paranoid'
 	find aptarchive/ -name "$DELETEFILE" -delete
 	msgtest 'Good warm archive signed by' 'Marvin Paranoid'
-	aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+	aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
+	testequal "$(cat ${PKGFILE})
+" aptcache show apt
+	installaptold
+
+	prepare ${PKGFILE}-new
+	cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+	signreleasefiles 'Rex Expired'
+	find aptarchive/ -name "$DELETEFILE" -delete
+	msgtest 'Good warm archive signed by' 'Rex Expired'
+	aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
 	testequal "$(cat ${PKGFILE})
 " aptcache show apt
 	installaptold
+	rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+
+	prepare ${PKGFILE}-new
+	signreleasefiles
+	find aptarchive/ -name "$DELETEFILE" -delete
+	msgtest 'Good warm archive signed by' 'Joe Sixpack'
+	aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgfail || msgpass
+	testequal "$(cat ${PKGFILE}-new)
+" aptcache show apt
+	installaptnew
 }
 
 runtest2() {