diff options
Diffstat (limited to 'test/integration/test-releasefile-verification')
| -rwxr-xr-x | test/integration/test-releasefile-verification | 61 |
1 files changed, 45 insertions, 16 deletions
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 54483ba9a..ffb5073b6 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -97,6 +97,7 @@ updatewithwarnings() { } runtest() { + local DELETEFILE="$1" msgmsg 'Cold archive signed by' 'Joe Sixpack' prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists @@ -257,19 +258,14 @@ runtest2() { } runtest3() { - export APT_TESTS_DIGEST_ALGO="$1" - msgmsg "Running base test with digest $1" + echo "Debug::Acquire::gpgv::configdigest::truststate \"$1\";" > rootdir/etc/apt/apt.conf.d/truststate + msgmsg "Running base test with $1 digest" runtest2 - DELETEFILE="InRelease" - msgmsg "Running test with deletion of $DELETEFILE and digest $1" - runtest - - DELETEFILE="Release.gpg" - msgmsg "Running test with deletion of $DELETEFILE and digest $1" - runtest - - unset APT_TESTS_DIGEST_ALGO + for DELETEFILE in 'InRelease' 'Release.gpg'; do + msgmsg "Running test with deletion of $DELETEFILE and $1 digest" + runtest "$DELETEFILE" + done } # diable some protection by default and ensure we still do the verification @@ -278,17 +274,50 @@ cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF Acquire::AllowInsecureRepositories "1"; Acquire::AllowDowngradeToInsecureRepositories "1"; EOF +# the hash marked as configureable in our gpgv method +export APT_TESTS_DIGEST_ALGO='SHA224' -# an all-round good hash successfulaptgetupdate() { testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 } -runtest3 'SHA512' +runtest3 'trusted' -# a hash we consider weak and therefore warn about -rm -f rootdir/etc/apt/apt.conf.d/no-sha1 successfulaptgetupdate() { testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output } -runtest3 'SHA1' +runtest3 'weak' + +msgmsg "Running test with apt-untrusted digest" +echo "Debug::Acquire::gpgv::configdigest::truststate \"untrusted\";" > rootdir/etc/apt/apt.conf.d/truststate +runfailure() { + for DELETEFILE in 'InRelease' 'Release.gpg'; do + msgmsg 'Cold archive signed by' 'Joe Sixpack' + prepare "${PKGFILE}" + rm -rf rootdir/var/lib/apt/lists + signreleasefiles 'Joe Sixpack' + find aptarchive/ -name "$DELETEFILE" -delete + testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output + testnopackage 'apt' + testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + failaptold + + msgmsg 'Cold archive signed by' 'Marvin Paranoid' + prepare "${PKGFILE}" + rm -rf rootdir/var/lib/apt/lists + signreleasefiles 'Marvin Paranoid' + find aptarchive/ -name "$DELETEFILE" -delete + testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testnopackage 'apt' + updatewithwarnings '^W: .* NO_PUBKEY' + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + failaptold + done +} +runfailure + +msgmsg "Running test with gpgv-untrusted digest" +export APT_TESTS_DIGEST_ALGO='MD5' +runfailure |