diff options
| -rw-r--r-- | test/integration/framework | 18 | ||||
| -rwxr-xr-x | test/integration/test-apt-update-nofallback | 8 | ||||
| -rwxr-xr-x | test/integration/test-hashsum-verification | 2 | ||||
| -rwxr-xr-x | test/integration/test-releasefile-date-older | 13 | ||||
| -rwxr-xr-x | test/integration/test-releasefile-verification | 31 | ||||
| -rwxr-xr-x | test/integration/test-ubuntu-bug-784473-InRelease-one-message-only | 6 |
6 files changed, 33 insertions, 45 deletions
diff --git a/test/integration/framework b/test/integration/framework index 7eaa36415..1f843babf 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -1134,11 +1134,21 @@ signreleasefiles() { fi local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}" for RELEASE in $(find "${REPODIR}/" -name Release); do - testsuccess $GPG "$@" $SIGUSERS --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}" - local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')" - testsuccess $GPG "$@" $SIGUSERS --clearsign --output "$INRELEASE" "$RELEASE" # we might have set a specific date for the Release file, so copy it - touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}" + local DATE="$(stat --format "%y" "${RELEASE}")" + if [ "$APT_DONT_SIGN" = 'Release.gpg' ]; then + rm -f "${RELEASE}.gpg" + else + testsuccess $GPG "$@" $SIGUSERS --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}" + touch -d "$DATE" "${RELEASE}.gpg" + fi + local INRELEASE="${RELEASE%/*}/InRelease" + if [ "$APT_DONT_SIGN" = 'InRelease' ]; then + rm -f "$INRELEASE" + else + testsuccess $GPG "$@" $SIGUSERS --clearsign --output "$INRELEASE" "$RELEASE" + touch -d "$DATE" "${INRELEASE}" + fi done if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then mv -f "$SECEXPIREBAK" "${REXKEY}.sec" diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index d9166eefd..4db67ee5d 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -9,8 +9,7 @@ set -e simulate_mitm_and_inject_evil_package() { redatereleasefiles '+1 hour' - rm -f "$APTARCHIVE/dists/unstable/InRelease" - rm -f "$APTARCHIVE/dists/unstable/Release.gpg" + rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg" inject_evil_package } @@ -126,11 +125,10 @@ test_cve_2012_0214() listcurrentlistsdirectory > lists.before # do what CVE-2012-0214 did - rm "$APTARCHIVE/dists/unstable/InRelease" - rm "$APTARCHIVE/dists/unstable/Release.gpg" + rm "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg" inject_evil_package # build valid Release file - aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release + aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release assert_update_is_refused_and_last_good_state_used testfileequal lists.before "$(listcurrentlistsdirectory)" diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index a31be6bcb..31923bd87 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -44,7 +44,6 @@ SHA256: xb306e66e5e6a7169c8d281a888539d1fdca9cecc99ae605717df579d5b9c166 527 Packages.lzma x9585d0e66b74c9385727fbea11fea9ab33c716b18a32f3036f037a2b9b57120 572 Packages.xz EOF - cp aptarchive/Release aptarchive/InRelease } # fake our downloadable file @@ -56,7 +55,6 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete # test signed release file msgtest 'apt-get update gets the expected hashsum mismatch' diff --git a/test/integration/test-releasefile-date-older b/test/integration/test-releasefile-date-older index 2d6746b10..e38ddc3c5 100755 --- a/test/integration/test-releasefile-date-older +++ b/test/integration/test-releasefile-date-older @@ -26,40 +26,43 @@ testsuccess aptget update testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" msgmsg 'Release.gpg file is silently rejected if' 'new Date is before old Date' +export APT_DONT_SIGN='InRelease' rm -rf rootdir/var/lib/apt/lists generatereleasefiles 'now' 'now + 7 days' signreleasefiles -find aptarchive -name 'InRelease' -delete testsuccess aptget update listcurrentlistsdirectory > listsdir.lst redatereleasefiles 'now - 2 days' -find aptarchive -name 'InRelease' -delete testsuccess aptget update testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +unset APT_DONT_SIGN msgmsg 'Crisscross InRelease/Release.gpg file is silently rejected if' 'new Date is before old Date' +export APT_DONT_SIGN='Release.gpg' rm -rf rootdir/var/lib/apt/lists generatereleasefiles 'now' 'now + 7 days' signreleasefiles -find aptarchive -name 'Release.gpg' -delete testsuccess aptget update +export APT_DONT_SIGN='InRelease' listcurrentlistsdirectory > listsdir.lst redatereleasefiles 'now - 2 days' -find aptarchive -name 'InRelease' -delete testsuccess aptget update testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +unset APT_DONT_SIGN msgmsg 'Crisscross Release.gpg/InRelease file is silently rejected if' 'new Date is before old Date' +export APT_DONT_SIGN='InRelease' rm -rf rootdir/var/lib/apt/lists generatereleasefiles 'now' 'now + 7 days' signreleasefiles find aptarchive -name 'InRelease' -delete testsuccess aptget update +export APT_DONT_SIGN='Release.gpg' listcurrentlistsdirectory > listsdir.lst redatereleasefiles 'now - 2 days' -find aptarchive -name 'Release.gpg' -delete testsuccess aptget update testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" +unset APT_DONT_SIGN msgmsg 'Release file has' 'no Date and no Valid-Until field' rm -rf rootdir/var/lib/apt/lists diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 24e7830aa..a95c20fd4 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -99,12 +99,10 @@ updatewithwarnings() { } runtest() { - local DELETEFILE="$1" msgmsg 'Cold archive signed by' 'Joe Sixpack' prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -113,7 +111,6 @@ runtest() { msgmsg 'Good warm archive signed by' 'Joe Sixpack' prepare "${PKGFILE}-new" signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt @@ -124,7 +121,6 @@ runtest() { rm -rf rootdir/var/lib/apt/lists cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg signreleasefiles 'Rex Expired' - find aptarchive/ -name "$DELETEFILE" -delete updatewithwarnings '^W: .* EXPKEYSIG' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -144,7 +140,6 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01 - find aptarchive/ -name "$DELETEFILE" -delete updatewithwarnings '^W: .* EXPSIG' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -158,7 +153,6 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack,Marvin Paranoid' - find aptarchive/ -name "$DELETEFILE" -delete successfulaptgetupdate 'NO_PUBKEY' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -168,7 +162,6 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack,Rex Expired' - find aptarchive/ -name "$DELETEFILE" -delete cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg successfulaptgetupdate 'EXPKEYSIG' rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg @@ -180,7 +173,6 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - find aptarchive/ -name "$DELETEFILE" -delete updatewithwarnings '^W: .* NO_PUBKEY' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -189,7 +181,6 @@ runtest() { msgmsg 'Bad warm archive signed by' 'Joe Sixpack' prepare "${PKGFILE}-new" signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt @@ -199,7 +190,6 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -208,7 +198,6 @@ runtest() { msgmsg 'Good warm archive signed by' 'Marvin Paranoid' prepare "${PKGFILE}-new" signreleasefiles 'Marvin Paranoid' - find aptarchive/ -name "$DELETEFILE" -delete updatewithwarnings '^W: .* NO_PUBKEY' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -218,7 +207,6 @@ runtest() { prepare "${PKGFILE}-new" cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg signreleasefiles 'Rex Expired' - find aptarchive/ -name "$DELETEFILE" -delete updatewithwarnings '^W: .* EXPKEYSIG' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -228,7 +216,6 @@ runtest() { msgmsg 'Good warm archive signed by' 'Joe Sixpack' prepare "${PKGFILE}-new" signreleasefiles - find aptarchive/ -name "$DELETEFILE" -delete successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt @@ -238,7 +225,6 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - find aptarchive/ -name "$DELETEFILE" -delete local MARVIN="$(readlink -f keys/marvinparanoid.pub)" sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* successfulaptgetupdate @@ -249,7 +235,6 @@ runtest() { msgmsg 'Cold archive signed by bad keyring' 'Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete updatewithwarnings '^W: .* NO_PUBKEY' sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 #" rootdir/etc/apt/sources.list.d/* @@ -257,14 +242,12 @@ runtest() { msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* updatewithwarnings '^W: .* be verified because the public key is not available: .*' msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - find aptarchive/ -name "$DELETEFILE" -delete cp keys/marvinparanoid.pub rootdir/etc/apt/trusted.gpg.d/marvinparanoid.gpg successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}") @@ -274,7 +257,6 @@ runtest() { msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid,Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete successfulaptgetupdate 'NoPubKey: GOODSIG' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -284,7 +266,6 @@ runtest() { msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete sed -i "s#^\(deb\(-src\)\?\) \[signed-by=$MARVIN\] #\1 [signed-by=${SIXPACK},${MARVIN}] #" rootdir/etc/apt/sources.list.d/* successfulaptgetupdate testsuccessequal "$(cat "${PKGFILE}") @@ -306,7 +287,6 @@ runtest() { cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists-bak prepare "${PKGFILE}-new" signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete msgmsg 'Warm archive with signed-by' 'Joe Sixpack' sed -i "/^Valid-Until: / a\ @@ -364,8 +344,7 @@ runtest2() { # package verification. msgmsg 'Warm archive signed by' 'nobody' prepare "${PKGFILE}-new" - find aptarchive/ -name InRelease -delete - find aptarchive/ -name Release.gpg -delete + find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete updatewithwarnings 'W: .* no longer signed.' testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt @@ -386,8 +365,10 @@ runtest3() { runtest2 for DELETEFILE in 'InRelease' 'Release.gpg'; do + export APT_DONT_SIGN="$DELETEFILE" msgmsg "Running test with deletion of $DELETEFILE and $1 digest" - runtest "$DELETEFILE" + runtest + unset APT_DONT_SIGN done } @@ -422,11 +403,11 @@ msgmsg "Running test with apt-untrusted digest" echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate runfailure() { for DELETEFILE in 'InRelease' 'Release.gpg'; do + export APT_DONT_SIGN="$DELETEFILE" msgmsg 'Cold archive signed by' 'Joe Sixpack' prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - find aptarchive/ -name "$DELETEFILE" -delete testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output testnopackage 'apt' @@ -437,13 +418,13 @@ runfailure() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - find aptarchive/ -name "$DELETEFILE" -delete testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 testnopackage 'apt' updatewithwarnings '^W: .* NO_PUBKEY' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold + unset APT_DONT_SIGN done } runfailure diff --git a/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only b/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only index 21d7129ae..fe42ba83d 100755 --- a/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only +++ b/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only @@ -8,11 +8,9 @@ configarchitecture 'i386' insertpackage 'unstable' 'apt' 'i386' '0.8.11' -setupaptarchive +export APT_DONT_SIGN='Release.gpg' +setupaptarchive --no-update -rm -rf rootdir/var/lib/apt/lists - -find aptarchive/ -name 'Release.gpg' -delete find aptarchive/ -name 'InRelease' -exec cp {} {}.old \; for RELEASE in $(find aptarchive/ -name 'InRelease'); do |