From 1af227c2eaad386f0917fc4f36c84fd5999b884e Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Thu, 28 Apr 2016 22:02:50 +0200
Subject: gpgv: handle expired sig as worthless
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signatures on data can have an expiration date, too, which we hadn't handled previously explicitly (no problem – gpg still has a non-zero exit code so apt notices the invalid signature) so the error message wasn't as helpful as it could be (aka mentioning the key signing it).
---
methods/gpgv.cc | 7 +++++++
test/integration/framework | 6 ++++--
test/integration/test-releasefile-verification | 23 +++++++++++++++++++++++
3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 2ab8b9c97..53c3ff80e 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -37,6 +37,7 @@ using std::vector;
 #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG"
 #define GNUPGGOODSIG "[GNUPG:] GOODSIG"
 #define GNUPGEXPKEYSIG "[GNUPG:] EXPKEYSIG"
+#define GNUPGEXPSIG "[GNUPG:] EXPSIG"
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
 
@@ -188,6 +189,12 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 std::clog << "Got EXPKEYSIG! " << std::endl;
 WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
 }
+ else if (strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0)
+ {
+ if (Debug == true)
+ std::clog << "Got EXPSIG!" << std::endl;
+ WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
+ }
 else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0)
 {
 if (Debug == true)
diff --git a/test/integration/framework b/test/integration/framework
index a68209326..a5cc842ba 100644
--- a/test/integration/framework
+++ b/test/integration/framework
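Review bot: The new EXPSIG branch only files the signer under WorthlessSigners; whether an expired signature can still be counted as good depends on how the VALIDSIG and GOODSIG lines are handled outside this hunk, and as far as I recall gpg's status protocol still emits VALIDSIG for an expired signature while withholding GOODSIG, so the final accept decision should be confirmed to require a GOODSIG entry rather than a VALIDSIG one for this to remain fail-closed. A one-line comment on the new define would spare the next reader the EXPSIG/EXPKEYSIG confusion: `// EXPSIG: the signature itself has expired (EXPKEYSIG is the case where the signing key expired)`. Stylistically the added branch is a copy of the EXPKEYSIG branch with only the debug text changed; since both outcomes are identical they could share one branch, `else if (strncmp(buffer, GNUPGEXPKEYSIG, sizeof(GNUPGEXPKEYSIG)-1) == 0 || strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0)`, with the debug line printing the matched status word. VerifyGetSigners begins before and continues past this hunk.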
@@ -1084,6 +1084,8 @@ setupaptarchive() {
 signreleasefiles() {
 local SIGNER="${1:-Joe Sixpack}"
 local REPODIR="${2:-aptarchive}"
+ if [ -n "$1" ]; then shift; fi
+ if [ -n "$1" ]; then shift; fi
 local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')"
 local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
 msgninfo "\tSign archive with $SIGNER key $KEY… "
@@ -1111,9 +1113,9 @@ signreleasefiles() {
 fi
 fi
 for RELEASE in $(find "${REPODIR}/" -name Release); do
- testsuccess $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
+ testsuccess $GPG "$@" --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
 local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
- testsuccess $GPG --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
+ testsuccess $GPG "$@" --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
 # we might have set a specific date for the Release file, so copy it
 touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}"
 done
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 10b830449..a061832b6 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
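Review bot: The two added `if [ -n "$1" ]; then shift; fi` lines test whether the argument is non-empty rather than whether it was passed, which disagrees with the `${1:-Joe Sixpack}` / `${2:-aptarchive}` defaulting just above: a caller that passes an explicitly empty SIGNER or REPODIR (`signreleasefiles '' aptarchive --some-gpg-option`) gets the default value but the empty string is not shifted away and is later handed to gpg through `"$@"` as a stray empty argument ahead of the real options. Testing the argument count matches the defaulting semantics and avoids that: `if [ $# -gt 0 ]; then shift; fi` for both lines. A comment stating the new calling convention would also help, since it is no longer obvious from the signature: `# $1 signer, $2 repository dir; any further arguments are passed through to gpg`. signreleasefiles continues past this hunk.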
@@ -129,6 +129,29 @@ runtest() {
 failaptold
 rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
 
+ msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
+ if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+ touch rootdir/etc/apt/apt.conf.d/99gnupg2
+ elif gpg2 --version >/dev/null 2>&1; then
+ echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
+ if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+ rm rootdir/etc/apt/apt.conf.d/99gnupg2
+ fi
+ fi
+ if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
+ find aptarchive/ -name "$DELETEFILE" -delete
+ updatewithwarnings '^W: .* EXPSIG'
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ failaptold
+ rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
+ else
+ msgskip 'Not a new enough gpg available providing --fake-system-time'
+ fi
+
 msgmsg 'Cold archive signed by' 'Marvin Paranoid'
 prepare "${PKGFILE}"
 rm -rf rootdir/var/lib/apt/lists
--
cgit v1.2.3
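Review bot: The skip message names `--fake-system-time` while the option actually passed to signreleasefiles a few lines above is `--faked-system-time`; the message is what someone greps for when the test is skipped, so it should read `msgskip 'Not a new enough gpg available providing --faked-system-time'`. The version probe `aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3` is repeated verbatim in both branches and appears to depend on the second line of output being the `gpg (GnuPG) x.y.z` banner (presumably preceded by an `Executing:` line from apt-key, which is not visible here); hoisting it into one local variable with a comment stating that assumption would make the guard easier to keep correct. The assertions themselves are the right shape for the security property under test: the expired signature must surface as `^W: .* EXPSIG` and `failaptold` must still refuse the archive. runtest continues outside this hunk.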