-rw-r--r-- | apt-pkg/acquire-item.cc | 6 | ||||
-rw-r--r-- | apt-pkg/pkgcachegen.cc | 2 | ||||
-rw-r--r-- | debian/changelog | 12 | ||||
-rwxr-xr-x | test/integration/test-hashsum-verification | 83 |
4 files changed, 100 insertions, 3 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index df83d1481..152a1e2ea 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1258,8 +1258,9 @@ void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,string Hash, / if (SigFile == "") { // There was no signature file, so we are finished. Download
- // the indexes without verification.
- QueueIndexes(false);
+ // the indexes and do only hashsum verification
+ MetaIndexParser->Load(DestFile);
+ QueueIndexes(true);
 } else {
@@ -1396,6 +1397,7 @@ void pkgAcqMetaIndex::QueueIndexes(bool verify) /*{{{*/ { std::cerr << "Queueing: " << (*Target)->URI << std::endl; std::cerr << "Expected Hash: " << ExpectedIndexHash.toStr() << std::endl;
+ std::cerr << "For: " << Record->MetaKeyFilename << std::endl;
 } if (ExpectedIndexHash.empty() == true && (*Target)->IsOptional() == false) {
diff --git a/apt-pkg/pkgcachegen.cc b/apt-pkg/pkgcachegen.cc
index 3c21b2442..49a7f7adc 100644
--- a/apt-pkg/pkgcachegen.cc
+++ b/apt-pkg/pkgcachegen.cc
@@ -936,7 +936,7 @@ static bool CheckValidity(const string &CacheFile, return false; }
- if (List.GetLastModifiedTime() < GetModificationTime(CacheFile))
+ if (List.GetLastModifiedTime() > GetModificationTime(CacheFile))
 { if (Debug == true) std::clog << "sources.list is newer than the cache" << std::endl;
diff --git a/debian/changelog b/debian/changelog
index 8311f641f..b00f829f4 100644
--- a/debian/changelog
+++ b/debian/changelog
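Review bot: The result of the added `MetaIndexParser->Load(DestFile)` is discarded before `QueueIndexes(true)` runs, so a truncated or unparsable unsigned Release file falls through to queueing with whatever partial hash records the parser left behind; if `Load` returns a bool as its use elsewhere in this tree suggests, the branch should stop on failure rather than proceed, e.g. `if (MetaIndexParser->Load(DestFile) == false) { /* report error like the signature branch does */ return; }`. The new comment also undersells the trust boundary: with no Release.gpg the hashes come from an unauthenticated file, so this detects corruption and mirror/index mismatch but gives no protection against a server or on-path attacker who replaces both Release and the indexes; I would say so explicitly, e.g. `// No signature: hashes come from an unauthenticated Release file, so this only catches corruption/mismatch, not a hostile source.` Worth noting in the changelog as well that, judging by the `ExpectedIndexHash.empty()` check in the next hunk, non-optional indexes missing from an unsigned Release are now an error instead of being fetched unverified. pkgAcqMetaIndex::Done begins and ends outside the hunk.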
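Review bot: The corrected comparison in CheckValidity treats equal timestamps as "cache still valid"; if these are whole-second mtimes as the helper names suggest, a sources.list edited within the same second the cache was written would keep being served from the stale cache, and `if (List.GetLastModifiedTime() >= GetModificationTime(CacheFile))` errs on the side of a cheap rebuild instead. Before this fix the condition was inverted, so the cache was presumably being thrown away on almost every run; now that it is actually reused, the remaining validity checks in this function carry the load and deserve a second look. CheckValidity starts and ends outside the hunk.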
@@ -1,3 +1,15 @@
+apt (0.8.16~exp5ubuntu2) UNRELEASED; urgency=low
+
+ * test/integration/test-hashsum-verification:
+ - add regression test for hashsum verification
+ * apt-pkg/acquire-item.cc:
+ - if no Release.gpg file is found, still load the hashes for
+ verification (closes: #636314) and add test
+ * apt-pkg/pkgcachegen.cc:
+ - fix incorrect comparision when checking sources.list freshness
+
+ -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 08 Aug 2011 16:59:55 +0200
+
 apt (0.8.16~exp5ubuntu1) oneiric; urgency=low * merged new version from debian/experimental, this includes
diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification
new file mode 100755
index 000000000..033096ee8
--- /dev/null
+++ b/test/integration/test-hashsum-verification
@@ -0,0 +1,83 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+buildaptarchive
+setupflataptarchive
+changetowebserver
+
+prepare() {
+ local DATE="${2:-now}"
+ if [ "$DATE" = 'now' -a "$1" = "${PKGFILE}-new" ]; then
+ DATE='now + 6 days'
+ fi
+ for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
+ touch -d 'now - 6 hours' $release
+ done
+ rm -rf rootdir/var/cache/apt/archives
+ rm -f rootdir/var/cache/apt/*.bin
+ cp $1 aptarchive/Packages
+ find aptarchive -name 'Release' -delete
+ cat aptarchive/Packages | gzip > aptarchive/Packages.gz
+ cat aptarchive/Packages | bzip2 > aptarchive/Packages.bz2
+ cat aptarchive/Packages | lzma > aptarchive/Packages.lzma
+ # create Release file with incorret checksums
+ cat > aptarchive/Release <<EOF
+Date: Fri, 05 Aug 2011 09:22:08 UTC
+MD5Sum:
+ x15c483ac486f5dbe95095c7ec08626f 760 Packages
+ x0579797df4792164a17305fb0b317e9 546 Packages.bz2
+ xc532a82873d2206b4e4503e92d167bd 489 Packages.gz
+ x4d1d25661377dd4bb95a1736e2624d3 527 Packages.lzma
+ xf1cc221194edbaa943d2375d6f44a88 572 Packages.xz
+SHA1:
+ x0d3317839cf68cd40c28f0bddca8d2ce5a29cad 760 Packages
+ xffddf046ad8dfd8338a355d76fb08d143c8b636 546 Packages.bz2
+ xa27a3df51ca4474b880a6594c4811957079b613 489 Packages.gz
+ x9d7bba4e6fa927a34dcd797694c2893c21f1004 527 Packages.lzma
+ x7d988fe59cf67298828e5299a15d329c0f00f1b 572 Packages.xz
+SHA256:
+ x5a47d72f6b97bfa164b23326b6ad3cb019b5c6cc73769f8c0187616933d1b2b 760 Packages
+ x617252f5bfe3e9126352c7c2f8122d9c3b2c5e1a6c8a9616d62adc0ed164172 546 Packages.bz2
+ xc6abc6fe9a4fcf0758ec5366dfd19bcba90af026a7017c3f6198c59eccd8ef5 489 Packages.gz
+ xb306e66e5e6a7169c8d281a888539d1fdca9cecc99ae605717df579d5b9c166 527 Packages.lzma
+ x9585d0e66b74c9385727fbea11fea9ab33c716b18a32f3036f037a2b9b57120 572 Packages.xz
+EOF
+ cp aptarchive/Release aptarchive/InRelease
+}
+
+# fake our downloadable file
+touch aptarchive/apt.deb
+
+PKGFILE="${TESTDIR}/$(echo "$(basename $0)" | sed 's#^test-#Packages-#')"
+
+runtest() {
+ prepare ${PKGFILE}
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack'
+ find aptarchive/ -name "$DELETEFILE" -delete
+
+ # test signed release file
+ msgtest 'apt-get update gets the expected hashsum mismatch'
+ aptget update 2>&1 | grep "Hash Sum mismatch" > /dev/null && msgpass || msgfail
+ msgtest 'No package from the source available'
+ [ "$(aptcache show apt 2>&1)" = "E: No packages found" ] && msgpass || msgfail
+ msgtest 'No Packages file in /var/lib/apt/lists'
+ [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail
+
+ # now with the unsigned Release file
+ rm -rf rootdir/var/lib/apt/lists
+ rm aptarchive/InRelease aptarchive/Release.gpg
+ msgtest 'unsigned apt-get update gets the expected hashsum mismatch'
+ aptget update 2>&1 | grep "Hash Sum mismatch" > /dev/null && msgpass || msgfail
+
+
+}
+
+runtest
+ |
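Review bot: The unsigned case at the end of `runtest` only greps for "Hash Sum mismatch" and never asserts the outcome that actually matters for #636314, namely that no Packages index was accepted into `rootdir/var/lib/apt/lists` and that `aptcache show apt` still finds nothing; the signed case checks both, and the regression test should mirror them so a future change that prints the error yet still installs the mismatched index is caught. Two smaller leftovers in the same file: `$DELETEFILE` is never assigned here, so the `find ... -name "$DELETEFILE" -delete` line is a no-op (it looks copied from a sibling test), and `prepare` computes `DATE` but never uses it, since the `touch` hard-codes `'now - 6 hours'`; drop both or wire them up. Also "incorret" in the comment above the Release heredoc should read "incorrect". Both `prepare` and `runtest` are fully contained in this hunk.
```shell
    msgtest 'unsigned apt-get update gets the expected hashsum mismatch'
    aptget update 2>&1 | grep "Hash Sum mismatch" > /dev/null && msgpass || msgfail
    msgtest 'No package from the unsigned source available'
    [ "$(aptcache show apt 2>&1)" = "E: No packages found" ] && msgpass || msgfail
    msgtest 'No Packages file in /var/lib/apt/lists after unsigned update'
    [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail
```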