From f87338d2da95ba7d55a1a67b4506717e94d49bca Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 23:07:20 +0100 Subject: cherry-pick ubuntus (disabled) net-update fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the net-update command a special keyring can be downloaded and imported into apt, which must be signed by a master key. Its is currently disabled because of security problems with it – and the only known user before that was Ubuntu. --- test/integration/test-apt-key-net-update | 95 ++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100755 test/integration/test-apt-key-net-update (limited to 'test/integration/test-apt-key-net-update') diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update new file mode 100755 index 000000000..d5205836f --- /dev/null +++ b/test/integration/test-apt-key-net-update @@ -0,0 +1,95 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# mock +requires_root() { + return 0 +} + +# extract net_update() and import it +func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key ) +eval "$func" + +mkdir -p ./etc/apt +TRUSTEDFILE=./etc/apt/trusted.gpg +mkdir -p ./var/lib/apt/keyrings +TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" +GPG="$GPG_CMD --keyring $TRUSTEDFILE" +MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg + + +msgtest "add_keys_with_verify_against_master_keyring" +if [ ! -e $MASTER_KEYRING ]; then + echo -n "No $MASTER_KEYRING found" + msgskip + exit 0 +fi + +# test bad keyring and ensure its not added (LP: #857472) +ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + + +# test another possible attack vector using subkeys (LP: #1013128) +msgtest "add_keys_with_verify_against_master_keyring with subkey attack" +ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + + +# test good keyring and ensure we get no errors +ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgpass +else + msgfail +fi + +testequal './etc/apt/trusted.gpg +--------------------- +pub 1024D/437D05B5 2004-09-12 +uid Ubuntu Archive Automatic Signing Key +sub 2048g/79164387 2004-09-12 + +pub 1024D/FBB75451 2004-12-30 +uid Ubuntu CD Image Automatic Signing Key + +pub 4096R/C0B21F32 2012-05-11 +uid Ubuntu Archive Automatic Signing Key (2012) + +pub 4096R/EFE21092 2012-05-11 +uid Ubuntu CD Image Automatic Signing Key (2012) +' $GPG --list-keys + -- cgit v1.2.3 From fc85b0d8f3c2d63efcad2590e021d70c2ba700da Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 11 Dec 2013 15:08:30 +0100 Subject: fix test/integration/test-apt-key-net-update (code copy/DRY violation) --- test/integration/test-apt-key-net-update | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'test/integration/test-apt-key-net-update') diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index d5205836f..2e72d1d62 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -24,6 +24,21 @@ GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" GPG="$GPG_CMD --keyring $TRUSTEDFILE" MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg +# COPYIED from apt-key.in -------------- + +# gpg needs a trustdb to function, but it can't be invalid (not even empty) +# so we create a temporary directory to store our fresh readable trustdb in +TRUSTDBDIR="$(mktemp -d)" +CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" +trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM +chmod 700 "$TRUSTDBDIR" +# We also don't use a secret keyring, of course, but gpg panics and +# implodes if there isn't one available - and writeable for imports +SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" +touch $SECRETKEYRING +GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" +GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" +#----------------------------------------- END COPY msgtest "add_keys_with_verify_against_master_keyring" if [ ! -e $MASTER_KEYRING ]; then -- cgit v1.2.3 From 9b7c10509c534b7d413b5102231cb0ca387f1c65 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 12 Dec 2013 07:49:43 +0100 Subject: fix test/integration/test-apt-key-net-update --- test/integration/test-apt-key-net-update | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'test/integration/test-apt-key-net-update') diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index 2e72d1d62..73545aff7 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -21,8 +21,9 @@ TRUSTEDFILE=./etc/apt/trusted.gpg mkdir -p ./var/lib/apt/keyrings TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" -GPG="$GPG_CMD --keyring $TRUSTEDFILE" -MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg + +# FIXME: instead of copying this use apt-key and the buildin apt webserver +# to do a real test # COPYIED from apt-key.in -------------- @@ -40,6 +41,9 @@ GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" #----------------------------------------- END COPY +GPG="$GPG_CMD --keyring $TRUSTEDFILE" +MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg + msgtest "add_keys_with_verify_against_master_keyring" if [ ! -e $MASTER_KEYRING ]; then echo -n "No $MASTER_KEYRING found" -- cgit v1.2.3 From 5acf154d810a0225cc7d14637d101205e43ceba8 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 13 Dec 2013 14:37:14 +0100 Subject: make apt-key net-update actually testable --- test/integration/test-apt-key-net-update | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'test/integration/test-apt-key-net-update') diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index 73545aff7..e0869402e 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -6,6 +6,20 @@ TESTDIR=$(readlink -f $(dirname $0)) setupenvironment configarchitecture "i386" +changetowebserver + +# setup env +mkdir -p aptarchive/ubuntu/project var/lib/apt/keyrings +echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/ubuntu-archive-keyring.gpg";' >> ./aptconfig.conf +echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf + +# signed thing +echo "meep" > aptarchive/ubuntu/project/ubuntu-archive-keyring.gpg + +# test against the "real" webserver +aptkey --fakeroot net-update + +exit 1 # mock requires_root() { -- cgit v1.2.3 From e5543ea5a236426dd33e74e427e8485a030a2540 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 19 Dec 2013 16:43:50 +0100 Subject: fix apt-key net-update test to use the buildin webserver --- test/integration/test-apt-key-net-update | 133 ++++++------------------------- 1 file changed, 24 insertions(+), 109 deletions(-) (limited to 'test/integration/test-apt-key-net-update') diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index e0869402e..4b38cd9b5 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -9,120 +9,35 @@ configarchitecture "i386" changetowebserver # setup env -mkdir -p aptarchive/ubuntu/project var/lib/apt/keyrings -echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/ubuntu-archive-keyring.gpg";' >> ./aptconfig.conf -echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf - -# signed thing -echo "meep" > aptarchive/ubuntu/project/ubuntu-archive-keyring.gpg - -# test against the "real" webserver -aptkey --fakeroot net-update - -exit 1 - -# mock -requires_root() { - return 0 -} - -# extract net_update() and import it -func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key ) -eval "$func" - -mkdir -p ./etc/apt -TRUSTEDFILE=./etc/apt/trusted.gpg -mkdir -p ./var/lib/apt/keyrings -TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg -GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" - -# FIXME: instead of copying this use apt-key and the buildin apt webserver -# to do a real test - -# COPYIED from apt-key.in -------------- - -# gpg needs a trustdb to function, but it can't be invalid (not even empty) -# so we create a temporary directory to store our fresh readable trustdb in -TRUSTDBDIR="$(mktemp -d)" -CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" -trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM -chmod 700 "$TRUSTDBDIR" -# We also don't use a secret keyring, of course, but gpg panics and -# implodes if there isn't one available - and writeable for imports -SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" -touch $SECRETKEYRING -GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" -GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" -#----------------------------------------- END COPY +mkdir -p var/lib/apt/keyrings +mkdir -p usr/share/keyrings -GPG="$GPG_CMD --keyring $TRUSTEDFILE" -MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg - -msgtest "add_keys_with_verify_against_master_keyring" -if [ ! -e $MASTER_KEYRING ]; then - echo -n "No $MASTER_KEYRING found" - msgskip - exit 0 -fi - -# test bad keyring and ensure its not added (LP: #857472) -ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub -if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then - msgfail -else - msgpass -fi - -# ensure the keyring is still empty -gpg_out=$($GPG --list-keys) -msgtest "Test if keyring is empty" -if [ -n "" ]; then - msgfail -else - msgpass -fi - - -# test another possible attack vector using subkeys (LP: #1013128) -msgtest "add_keys_with_verify_against_master_keyring with subkey attack" -ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub -if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then - msgfail -else - msgpass -fi - -# ensure the keyring is still empty -gpg_out=$($GPG --list-keys) -msgtest "Test if keyring is empty" -if [ -n "" ]; then - msgfail -else - msgpass -fi +# install the fake master keyring +install -m0644 keys/test-master-keyring.pub usr/share/keyrings +echo "APT::Key::MasterKeyring \"${TMPWORKINGDIRECTORY}/usr/share/keyrings/test-master-keyring.pub\";" >> ./aptconfig.conf +# setup archive-keyring +mkdir -p aptarchive/ubuntu/project +install -m0644 keys/test-archive-keyring.pub aptarchive/ubuntu/project/ +echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/test-archive-keyring.pub";' >> ./aptconfig.conf +echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf -# test good keyring and ensure we get no errors -ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg -if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then - msgpass -else - msgfail -fi +# test against the "real" webserver +testequal 'Checking for new archive signing keys now +gpg: key F68C85A3: public key "Test Automatic Archive Signing Key " imported +gpg: Total number processed: 1 +gpg: imported: 1 (RSA: 1)' aptkey --fakeroot net-update -testequal './etc/apt/trusted.gpg ---------------------- -pub 1024D/437D05B5 2004-09-12 -uid Ubuntu Archive Automatic Signing Key -sub 2048g/79164387 2004-09-12 -pub 1024D/FBB75451 2004-12-30 -uid Ubuntu CD Image Automatic Signing Key +# now try a different one +# setup archive-keyring +mkdir -p aptarchive/ubuntu/project +install -m0644 keys/marvinparanoid.pub aptarchive/ubuntu/project/ +echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/marvinparanoid.pub";' >> ./aptconfig.conf +echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf -pub 4096R/C0B21F32 2012-05-11 -uid Ubuntu Archive Automatic Signing Key (2012) +# test against the "real" webserver +testequal "Checking for new archive signing keys now +Key 'E8525D47528144E2' not added. It is not signed with a master key" aptkey --fakeroot net-update -pub 4096R/EFE21092 2012-05-11 -uid Ubuntu CD Image Automatic Signing Key (2012) -' $GPG --list-keys -- cgit v1.2.3