From 448c38bdcd72b52f11ec5f326f822cf57653f81c Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Sat, 6 Jun 2015 12:28:00 +0200
Subject: rework hashsum verification in the acquire system
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Having every item having its own code to verify the file(s) it handles is an errorprune process and easy to break, especially if items move through various stages (download, uncompress, patching, …). With a giant rework we centralize (most of) the verification to have a better enforcement rate and (hopefully) less chance for bugs, but it breaks the ABI bigtime in exchange – and as we break it anyway, it is broken even harder. It shouldn't effect most frontends as they don't deal with the acquire system at all or implement their own items, but some do and will need to be patched (might be an opportunity to use apt on-board material). The theory is simple: Items implement methods to decide if hashes need to be checked (in this stage) and to return the expected hashes for this item (in this stage). The verification itself is done in worker message passing which has the benefit that a hashsum error is now a proper error for the acquire system rather than a Done() which is later revised to a Failed().
---
 test/integration/test-apt-update-nofallback | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'test/integration/test-apt-update-nofallback')

diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index db4430ea3..f132bcf8e 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -28,6 +28,7 @@ Description: an autogenerated evil package
 EOF
 # avoid ims hit
 touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages
+ compressfile aptarchive/dists/unstable/main/binary-i386/Packages
 }
 assert_update_is_refused_and_last_good_state_used()
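Review bot: The `touch -d '+1hour'` that the "avoid ims hit" comment refers to runs before the new `compressfile` call, so any compressed Packages variants compressfile writes would presumably carry their creation time rather than the bumped mtime, and the IMS protection then covers only the uncompressed file. The second hunk of this commit handles the same situation with `find $APTARCHIVE -name '*Packages*' -exec touch -d '+2 hours' {} \;`; applying that pattern after compressfile here would keep both setups consistent. What compressfile does with timestamps is not visible in this diff, so confirm before reordering. The enclosing function starts before this hunk.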
@@ -87,16 +88,16 @@ test_from_inrelease_to_unsigned_with_override()
 {
 # setup archive with InRelease file
 setupaptarchive_with_lists_clean
- # FIXME: is not what the server reported 4104 4106
- testsuccess aptget update #-o Debug::pkgAcquire::Worker=1
+ testsuccess aptget update
 # simulate moving to a unsigned but otherwise valid repo
 simulate_mitm_and_inject_evil_package
- generatereleasefiles
+ generatereleasefiles '+2 hours'
+ find $APTARCHIVE -name '*Packages*' -exec touch -d '+2 hours' {} \;
 # and ensure we can update to it (with enough force)
 testwarning aptget update --allow-insecure-repositories \
- -o Acquire::AllowDowngradeToInsecureRepositories=1
+ -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1
 # but that the individual packages are still considered untrusted
 testfailureequal "WARNING: The following packages cannot be authenticated!
 evil
@@ -167,7 +168,7 @@ test_inrelease_to_invalid_inrelease()
 listcurrentlistsdirectory > lists.before
 # now remove InRelease and subvert Release do no longer verify
- sed -i 's/Codename.*/Codename: evil!'/ $APTARCHIVE/dists/unstable/InRelease
+ sed -i 's/^Codename:.*/Codename: evil!/' $APTARCHIVE/dists/unstable/InRelease
 inject_evil_package
 testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
-- cgit v1.2.3

From 1da3b7b8e15b642135b54684e70a0c271471f07a Mon Sep 17 00:00:00 2001
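Review bot: The `testwarning aptget update --allow-insecure-repositories` call now carries `-o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1`, which reads as debugging left in from the rework rather than part of the test: the same hunk deletes the commented-out `#-o Debug::pkgAcquire::Worker=1` a few lines above, and nothing asserts on the debug output. If the extra output is wanted to diagnose this case, a comment such as `# debug output kept on purpose: this path regressed during the hashsum rework` would stop the next reader from stripping it; otherwise the original `-o Acquire::AllowDowngradeToInsecureRepositories=1` line alone is enough. The function test_from_inrelease_to_unsigned_with_override continues outside the hunk.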
From: David Kalnischkies
Date: Thu, 11 Jun 2015 10:56:31 +0200
Subject: show URI.Path in all acquire item descriptions

It is a rather strange sight that index items use SiteOnly which strips the Path, while e.g. deb files are downloaded with NoUserPassword which does not. Important to note here is that for the file transport Path is pretty important as there is no Host which would be displayed by Site, which always resulted in "interesting" unspecific errors for "file:". Adding a 'middle' ground between the two which does show the Path but potentially modifies it (it strips a pending / at the end if existing) solves this "file:" issue, syncs the output and in the end helps to identify which file is meant exactly in progress output and co as a single site can have multiple repositories in different paths.
---
 test/integration/test-apt-update-nofallback | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'test/integration/test-apt-update-nofallback')

diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index f132bcf8e..2ded73122 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -33,7 +33,7 @@ EOF
 assert_update_is_refused_and_last_good_state_used()
 {
- testfailuremsg "E: The repository 'file: unstable Release' is no longer signed." aptget update
+ testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update
 assert_repo_is_intact
 }
@@ -171,7 +171,7 @@ test_inrelease_to_invalid_inrelease()
 sed -i 's/^Codename:.*/Codename: evil!/' $APTARCHIVE/dists/unstable/InRelease
 inject_evil_package
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
@@ -195,7 +195,7 @@ test_release_gpg_to_invalid_release_release_gpg()
 echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release
 inject_evil_package
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
-- cgit v1.2.3

From dd676dc71e31c20f66d5b9d9ac1c5a4c8883cd79 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Sun, 9 Aug 2015 17:40:57 +0200
Subject: enhance "hit paywall" error message to mention the probable cause
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reporting errors from Done() is bad for progress reporting and such, so factoring this out is a good idea and we start with moving the supposed- to-be clearsigned file isn't clearsigned out first – improving the error message in the process as we use the same message for a similar case (NODATA) as this is what I have to look at with the venue wifi at DebCamp and the old errormessage doesn't really say anything.
---
 test/integration/test-apt-update-nofallback | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'test/integration/test-apt-update-nofallback')

diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 2ded73122..5bffab6ee 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -151,9 +151,8 @@ test_subvert_inrelease()
 # replace InRelease with something else
 mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease
- testfailureequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Does not start with a cleartext signature
-
-E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ testfailuremsg "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
+E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
 # ensure we keep the repo
 testfileequal lists.before "$(listcurrentlistsdirectory)"
-- cgit v1.2.3

From 0efb29eb36184bbe6de7b1013d1898796d94b171 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Sun, 9 Aug 2015 19:01:49 +0200
Subject: drop extra newline in 'Failed to fetch' and 'GPG error' message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I never understood why there is an extra newline in those messages, so now is as good time as any to drop them. Lets see if someone complains with a good reason to keep it…
---
 test/integration/test-apt-update-nofallback | 4 ----
 1 file changed, 4 deletions(-)

(limited to 'test/integration/test-apt-update-nofallback')

diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 5bffab6ee..2f4ddc016 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -171,9 +171,7 @@ test_inrelease_to_invalid_inrelease()
 inject_evil_package
 testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
-
 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
-
 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 # ensure we keep the repo
@@ -195,9 +193,7 @@ test_release_gpg_to_invalid_release_release_gpg()
 inject_evil_package
 testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
-
 W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy)
-
 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release
-- cgit v1.2.3

From b381a482eab0fc7b65b63cf0512ef1f97d775e34 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Fri, 14 Aug 2015 11:49:45 +0200
Subject: Replace --force-yes by various options starting with --allow

This enables more fine grained control over such exceptions.
---
 test/integration/test-apt-update-nofallback | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'test/integration/test-apt-update-nofallback')

diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 2f4ddc016..6e9db2cae 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -101,7 +101,7 @@ test_from_inrelease_to_unsigned_with_override()
 # but that the individual packages are still considered untrusted
 testfailureequal "WARNING: The following packages cannot be authenticated!
 evil
-E: There are problems and -y was used without --force-yes" aptget install -qq -y evil
+E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil
 }
 test_cve_2012_0214()
-- cgit v1.2.3
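Review bot: In the last hunk (`@@ -101,7 +101,7 @@`, test_from_inrelease_to_unsigned_with_override) the assertion still only pins the wording of the refusal from `aptget install -qq -y evil`; nothing in the hunk checks that the unauthenticated package actually stayed uninstalled, which is the property the message stands in for, and this commit shows how easily that wording changes. A follow-up check on the dpkg state after the failed install (the framework's `testdpkgnotinstalled evil`, if that helper exists in this tree) would make the test hold regardless of future message edits. The enclosing function starts before the hunk.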