From fb7b11ebb852fa255053ecab605bc9cfe9de0603 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Fri, 29 Apr 2016 00:31:49 +0200
Subject: don't show NO_PUBKEY warning if repo is signed by another key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Daniel Kahn Gillmor highlights in the bugreport that security isn't improving by having the user import additional keys – especially as importing keys securely is hard. The bugreport was initially about dropping the warning to a notice, but in given the previously mentioned observation and the fact that we weren't printing a warning (or a notice) for expired or revoked keys providing a signature we drop it completely as the code to display a message if this was the only key is in another path – and is considered critical.

Closes: 618445
---
 test/integration/test-releasefile-verification | 31 +++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

(limited to 'test/integration/test-releasefile-verification')

diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index a061832b6..5da0a8292 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -127,7 +127,7 @@ runtest() {
  testsuccessequal "$(cat "${PKGFILE}")
 " aptcache show apt
  failaptold
- rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
  msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
  if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
@@ -152,6 +152,28 @@ runtest() {
  msgskip 'Not a new enough gpg available providing --fake-system-time'
  fi
 
+ msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid'
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack,Marvin Paranoid'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ successfulaptgetupdate 'NO_PUBKEY'
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
+
+ msgmsg 'Cold archive signed by' 'Joe Sixpack,Rex Expired'
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack,Rex Expired'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ successfulaptgetupdate 'EXPKEYSIG'
+ rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
+
  msgmsg 'Cold archive signed by' 'Marvin Paranoid'
  prepare "${PKGFILE}"
  rm -rf rootdir/var/lib/apt/lists
@@ -302,11 +324,18 @@ export APT_TESTS_DIGEST_ALGO='SHA224'
 successfulaptgetupdate() {
  testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ if [ -n "$1" ]; then
+ cp rootdir/tmp/testsuccess.output aptupdate.output
+ testsuccess grep "$1" aptupdate.output
+ fi
 }
 runtest3 'Trusted'
 
 successfulaptgetupdate() {
  testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ if [ -n "$1" ]; then
+ testsuccess grep "$1" rootdir/tmp/testwarning.output
+ fi
  testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
 }
 runtest3 'Weak'
-- 
cgit v1.2.3
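Review bot: The two new cases (`successfulaptgetupdate 'NO_PUBKEY'` and `successfulaptgetupdate 'EXPKEYSIG'`) only assert that the gpgv debug output names the extra, untrusted signer and that the update succeeds; nothing in this hunk asserts that the user-facing warning the commit removes is actually absent, so the regression being guarded against is caught only if `testsuccess` itself rejects warning lines, which this diff does not show. A negative match on the removed warning text inside the `$1` branch of the Trusted `successfulaptgetupdate` (wording lives in the gpgv method, outside this diff) would pin the intended behaviour directly rather than relying on the framework. The property that matters for verification — a Release file signed solely by an unknown or expired key is still rejected — is covered by the neighbouring single-signer cases rather than here, so a comment above the first new case, `# a valid signature from one trusted key is sufficient; additional unknown/expired signers must neither fail the update nor warn`, would make that division of responsibility explicit. The enclosing runtest() starts and ends outside this hunk.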
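Review bot: `testsuccess grep "$1" aptupdate.output`, and its twin on `rootdir/tmp/testwarning.output` in the Weak variant, treat the caller's token as a regular expression and would parse a leading `-` as a grep option; both callers in this commit pass a fixed gpgv status word, so `testsuccess grep -F -- "$1" aptupdate.output` (and likewise for the testwarning.output line) states what is meant and stays safe for any future token. The `cp rootdir/tmp/testsuccess.output aptupdate.output` before the grep is presumably needed because running `testsuccess grep` would itself overwrite testsuccess.output before it can be searched — that reason should be written down, e.g. `# testsuccess rewrites testsuccess.output, so snapshot it before grepping`, and confirmed against the framework, which is outside this diff. Both redefinitions of successfulaptgetupdate are fully contained in the hunk.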