From 515d18c9b271e4188dd4c59939c3c3cfeaf575a8 Mon Sep 17 00:00:00 2001
From: Michael Vogt <michael.vogt@ubuntu.com>
Date: Fri, 5 Aug 2011 11:49:59 +0200
Subject: * test/integration/test-hashsum-verification:   - add regression test
 for hashsum verification

---
 test/integration/test-hashsum-verification | 76 ++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100755 test/integration/test-hashsum-verification

(limited to 'test/integration')

diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification
new file mode 100755
index 000000000..29420c098
--- /dev/null
+++ b/test/integration/test-hashsum-verification
@@ -0,0 +1,76 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+buildaptarchive
+setupflataptarchive
+changetowebserver
+
+prepare() {
+	local DATE="${2:-now}"
+	if [ "$DATE" = 'now' -a "$1" = "${PKGFILE}-new" ]; then
+		DATE='now + 6 days'
+	fi
+	for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do
+		touch -d 'now - 6 hours' $release
+	done
+	rm -rf rootdir/var/cache/apt/archives
+	rm -f rootdir/var/cache/apt/*.bin
+	cp $1 aptarchive/Packages
+	find aptarchive -name 'Release' -delete
+	cat aptarchive/Packages | gzip > aptarchive/Packages.gz
+	cat aptarchive/Packages | bzip2 > aptarchive/Packages.bz2
+	cat aptarchive/Packages | lzma > aptarchive/Packages.lzma
+        # create Release file with incorret checksums
+	cat > aptarchive/Release <<EOF
+Date: Fri, 05 Aug 2011 09:22:08 UTC
+MD5Sum:
+ x15c483ac486f5dbe95095c7ec08626f              760 Packages
+ x0579797df4792164a17305fb0b317e9              546 Packages.bz2
+ xc532a82873d2206b4e4503e92d167bd              489 Packages.gz
+ x4d1d25661377dd4bb95a1736e2624d3              527 Packages.lzma
+ xf1cc221194edbaa943d2375d6f44a88              572 Packages.xz
+SHA1:
+ x0d3317839cf68cd40c28f0bddca8d2ce5a29cad              760 Packages
+ xffddf046ad8dfd8338a355d76fb08d143c8b636              546 Packages.bz2
+ xa27a3df51ca4474b880a6594c4811957079b613              489 Packages.gz
+ x9d7bba4e6fa927a34dcd797694c2893c21f1004              527 Packages.lzma
+ x7d988fe59cf67298828e5299a15d329c0f00f1b              572 Packages.xz
+SHA256:
+ x5a47d72f6b97bfa164b23326b6ad3cb019b5c6cc73769f8c0187616933d1b2b              760 Packages
+ x617252f5bfe3e9126352c7c2f8122d9c3b2c5e1a6c8a9616d62adc0ed164172              546 Packages.bz2
+ xc6abc6fe9a4fcf0758ec5366dfd19bcba90af026a7017c3f6198c59eccd8ef5              489 Packages.gz
+ xb306e66e5e6a7169c8d281a888539d1fdca9cecc99ae605717df579d5b9c166              527 Packages.lzma
+ x9585d0e66b74c9385727fbea11fea9ab33c716b18a32f3036f037a2b9b57120              572 Packages.xz
+EOF
+        cp aptarchive/Release aptarchive/InRelease
+}
+
+# fake our downloadable file
+touch aptarchive/apt.deb
+
+PKGFILE="${TESTDIR}/$(echo "$(basename $0)" | sed 's#^test-#Packages-#')"
+
+runtest() {
+	prepare ${PKGFILE}
+	rm -rf rootdir/var/lib/apt/lists
+	signreleasefiles 'Joe Sixpack'
+	find aptarchive/ -name "$DELETEFILE" -delete
+
+        # test signed release file
+        msgtest 'apt-get update gets the expected hashsum mismatch'
+	aptget update 2>&1 | grep "Hash Sum mismatch" > /dev/null && msgpass || msgfail
+        msgtest 'No package from the source available'
+        [ "$(aptcache show apt 2>&1)" = "E: No packages found" ] && msgpass || msgfail
+        msgtest 'No Packages file in /var/lib/apt/lists'
+        [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail 
+        
+}
+
+runtest
+
-- 
cgit v1.2.3


From 3568a640bd363409cdeb1cb69eaa3261c79f2ff2 Mon Sep 17 00:00:00 2001
From: Michael Vogt <michael.vogt@ubuntu.com>
Date: Fri, 5 Aug 2011 12:26:35 +0200
Subject: * apt-pkg/acquire-item.cc:   - if no Release.gpg file is found, still
 load the hashes for     verification (closes: #636314) and add test

---
 test/integration/test-hashsum-verification | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'test/integration')

diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification
index 29420c098..033096ee8 100755
--- a/test/integration/test-hashsum-verification
+++ b/test/integration/test-hashsum-verification
@@ -70,6 +70,13 @@ runtest() {
         msgtest 'No Packages file in /var/lib/apt/lists'
         [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail 
         
+        # now with the unsigned Release file
+        rm -rf rootdir/var/lib/apt/lists
+        rm aptarchive/InRelease aptarchive/Release.gpg
+        msgtest 'unsigned apt-get update gets the expected hashsum mismatch'
+	aptget update 2>&1 | grep "Hash Sum mismatch" > /dev/null && msgpass || msgfail
+
+
 }
 
 runtest
-- 
cgit v1.2.3


From 851d681d0af7f3346d77738e4708b21ed6e2cc98 Mon Sep 17 00:00:00 2001
From: Michael Vogt <michael.vogt@ubuntu.com>
Date: Fri, 12 Aug 2011 09:58:55 +0200
Subject: cherry pick test/integration/Packages-hashsum-verification addition
 from lp:~mvo/apt/mvo

---
 test/integration/Packages-hashsum-verification | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 test/integration/Packages-hashsum-verification

(limited to 'test/integration')

diff --git a/test/integration/Packages-hashsum-verification b/test/integration/Packages-hashsum-verification
new file mode 100644
index 000000000..29a385f4f
--- /dev/null
+++ b/test/integration/Packages-hashsum-verification
@@ -0,0 +1,18 @@
+Package: apt
+Version: 0.7.25.3
+Architecture: i386
+Maintainer: APT Development Team <deity@lists.debian.org>
+Installed-Size: 5244
+Replaces: libapt-pkg-dev (<< 0.3.7), libapt-pkg-doc (<< 0.3.7)
+Provides: libapt-pkg-libc6.9-6-4.8
+Suggests: aptitude | synaptic | wajig, dpkg-dev, apt-doc, bzip2, lzma, python-apt
+Filename: apt.deb
+Size: 0
+MD5sum: d41d8cd98f00b204e9800998ecf8427e
+Description: Advanced front-end for dpkg
+ This is Debian's next generation front-end for the dpkg package manager.
+ It provides the apt-get utility and APT dselect method that provides a
+ simpler, safer way to install and upgrade packages.
+ .
+ APT features complete installation ordering, multiple source capability
+ and several other unique features, see the Users Guide in apt-doc.
-- 
cgit v1.2.3