From 51c04562559d0924aa52cc8c9b69901bc8a5c945 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Sun, 13 Mar 2016 12:21:09 +0100 Subject: Do not consider SHA1 usable SHA1 is not reasonably secure anymore, so we should not consider it usable anymore. The test suite is adjusted to account for this. --- .../test-ubuntu-bug-1098738-apt-get-source-md5sum | 37 ++++++++++++++-------- 1 file changed, 23 insertions(+), 14 deletions(-) (limited to 'test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum') diff --git a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum index 015a803bc..7ac993d39 100755 --- a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum +++ b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum @@ -17,6 +17,15 @@ Files: 9604ba9427a280db542279d9ed78400b 3 pkg-md5-ok_1.0.dsc db5570bf61464b46e2bde31ed61a7dc6 3 pkg-md5-ok_1.0.tar.gz +Package: pkg-sha1-ok +Binary: pkg-sha1-ok +Version: 1.0 +Maintainer: Joe Sixpack +Architecture: all +Files: + 324f464e6151a92cf57b26ef95dcfcf2059a8c44 3 pkg-sha1-ok_1.0.dsc + 680254bad1d7ca0d65ec46aaa315d363abf6a50a 3 pkg-sha1-ok_1.0.tar.gz + Package: pkg-sha256-ok Binary: pkg-sha256-ok Version: 1.0 @@ -139,7 +148,7 @@ Checksums-Sha256: EOF # create fetchable files -for x in 'pkg-md5-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \ +for x in 'pkg-md5-ok' 'pkg-sha1-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \ 'pkg-mixed-ok' 'pkg-mixed-sha1-bad' 'pkg-mixed-sha2-bad' \ 'pkg-md5-agree' 'pkg-md5-disagree' 'pkg-sha256-disagree' \ 'pkg-md5-bad'; do @@ -230,6 +239,7 @@ Download complete and in download only mode" aptget source --allow-unauthenticat } testnohash pkg-md5-ok +testnohash pkg-sha1-ok testok pkg-sha256-ok testkeep pkg-sha256-ok @@ -255,29 +265,28 @@ testfailure --nomsg test -e pkg-no-md5_1.0.dsc -a -e pkg-no-md5_1.0.tar.gz # deal with cases in which we haven't for all files the same checksum type # mostly pathologic as this shouldn't happen, but just to be sure -testok pkg-mixed-ok -testfailureequal "Reading package lists... -Need to get 6 B of source archives. +testsuccessequal "Reading package lists... +Skipping download of file 'pkg-mixed-ok_1.0.tar.gz' as requested hashsum is not available for authentication +Need to get 3 B of source archives. +Get:1 http://localhost:${APTHTTPPORT} pkg-mixed-ok 1.0 (dsc) [3 B] +Download complete and in download only mode" aptget source -d pkg-mixed-ok + +testsuccessequal "Reading package lists... +Skipping download of file 'pkg-mixed-sha1-bad_1.0.dsc' as requested hashsum is not available for authentication +Need to get 3 B of source archives. Get:1 http://localhost:${APTHTTPPORT} pkg-mixed-sha1-bad 1.0 (tar) [3 B] -Get:2 http://localhost:${APTHTTPPORT} pkg-mixed-sha1-bad 1.0 (dsc) [3 B] -Err:2 http://localhost:${APTHTTPPORT} pkg-mixed-sha1-bad 1.0 (dsc) - Hash Sum mismatch -E: Failed to fetch http://localhost:${APTHTTPPORT}/pkg-mixed-sha1-bad_1.0.dsc Hash Sum mismatch - -E: Failed to fetch some archives." aptget source -d pkg-mixed-sha1-bad +Download complete and in download only mode" aptget source -d pkg-mixed-sha1-bad msgtest 'Only tar file is downloaded as the dsc has hashsum mismatch' 'pkg-mixed-sha1-bad' testsuccess --nomsg test ! -e pkg-mixed-sha1-bad_1.0.dsc -a -e pkg-mixed-sha1-bad_1.0.tar.gz testfailureequal "Reading package lists... -Need to get 6 B of source archives. +Skipping download of file 'pkg-mixed-sha2-bad_1.0.dsc' as requested hashsum is not available for authentication +Need to get 3 B of source archives. Get:1 http://localhost:${APTHTTPPORT} pkg-mixed-sha2-bad 1.0 (tar) [3 B] Err:1 http://localhost:${APTHTTPPORT} pkg-mixed-sha2-bad 1.0 (tar) Hash Sum mismatch -Get:2 http://localhost:${APTHTTPPORT} pkg-mixed-sha2-bad 1.0 (dsc) [3 B] E: Failed to fetch http://localhost:${APTHTTPPORT}/pkg-mixed-sha2-bad_1.0.tar.gz Hash Sum mismatch E: Failed to fetch some archives." aptget source -d pkg-mixed-sha2-bad -msgtest 'Only dsc file is downloaded as the tar has hashsum mismatch' 'pkg-mixed-sha2-bad' -testsuccess --nomsg test -e pkg-mixed-sha2-bad_1.0.dsc -a ! -e pkg-mixed-sha2-bad_1.0.tar.gz # it gets even more pathologic: multiple entries for one file, some even disagreeing! testnohash pkg-md5-agree -- cgit v1.2.3