#!/bin/sh set -e TESTDIR=$(readlink -f $(dirname $0)) . $TESTDIR/framework setupenvironment configarchitecture "i386" buildaptarchive setupflataptarchive changetowebserver webserverconfig 'aptwebserver::support::range' 'false' prepare() { local DATE="${2:-now}" if [ "$DATE" = 'now' ]; then if [ "$1" = "${PKGFILE}-new" ]; then DATE='now - 1 day' else DATE='now - 7 day' fi fi for release in $(find rootdir/var/lib/apt/lists 2> /dev/null); do touch -d 'now - 1 year' $release done aptget clean cp $1 aptarchive/Packages find aptarchive -name 'Release' -delete compressfile 'aptarchive/Packages' "$DATE" generatereleasefiles "$DATE" } installaptold() { testsuccessequal 'Reading package lists... Building dependency tree... Suggested packages: aptitude synaptic wajig dpkg-dev apt-doc bzip2 lzma python-apt The following NEW packages will be installed: apt 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. After this operation, 5370 kB of additional disk space will be used. Get:1 http://localhost:8080/ apt 0.7.25.3 Download complete and in download only mode' aptget install apt -dy } installaptnew() { testsuccessequal 'Reading package lists... Building dependency tree... Suggested packages: aptitude synaptic wajig dpkg-dev apt-doc bzip2 lzma python-apt The following NEW packages will be installed: apt 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. After this operation, 5808 kB of additional disk space will be used. Get:1 http://localhost:8080/ apt 0.8.0~pre1 Download complete and in download only mode' aptget install apt -dy } failaptold() { testfailureequal 'Reading package lists... Building dependency tree... Suggested packages: aptitude synaptic wajig dpkg-dev apt-doc bzip2 lzma python-apt The following NEW packages will be installed: apt 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. After this operation, 5370 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! apt E: There are problems and -y was used without --force-yes' aptget install apt -dy } failaptnew() { testfailureequal 'Reading package lists... Building dependency tree... Suggested packages: aptitude synaptic wajig dpkg-dev apt-doc bzip2 lzma python-apt The following NEW packages will be installed: apt 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. After this operation, 5808 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! apt E: There are problems and -y was used without --force-yes' aptget install apt -dy } # fake our downloadable file touch aptarchive/apt.deb PKGFILE="${TESTDIR}/$(echo "$(basename $0)" | sed 's#^test-#Packages-#')" updatesuccess() { local LOG='update.log' if aptget update >$LOG 2>&1 || grep -q -E '^(W|E): ' $LOG; then msgpass else cat $LOG msgfail fi } updatefailure() { local LOG='update.log' aptget update >$LOG 2>&1 || true if grep -q -E "$1" $LOG; then msgpass else cat $LOG msgfail fi } runtest() { prepare ${PKGFILE} rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Cold archive signed by' 'Joe Sixpack' updatesuccess testsuccessequal "$(cat ${PKGFILE}) " aptcache show apt installaptold prepare ${PKGFILE}-new signreleasefiles 'Joe Sixpack' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Good warm archive signed by' 'Joe Sixpack' updatesuccess testsuccessequal "$(cat ${PKGFILE}-new) " aptcache show apt installaptnew prepare ${PKGFILE} rm -rf rootdir/var/lib/apt/lists cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg signreleasefiles 'Rex Expired' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Cold archive signed by' 'Rex Expired' updatefailure '^W: .* KEYEXPIRED' testsuccessequal "$(cat ${PKGFILE}) " aptcache show apt failaptold rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg prepare ${PKGFILE} rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Cold archive signed by' 'Marvin Paranoid' updatefailure '^W: .* NO_PUBKEY' testsuccessequal "$(cat ${PKGFILE}) " aptcache show apt failaptold prepare ${PKGFILE}-new # weborf doesn't support If-Range for release in $(find rootdir/var/lib/apt/lists/partial/ -name '*Release'); do rm $release touch $release done signreleasefiles 'Joe Sixpack' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Bad warm archive signed by' 'Joe Sixpack' updatesuccess testsuccessequal "$(cat ${PKGFILE}-new) " aptcache show apt installaptnew prepare ${PKGFILE} rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Cold archive signed by' 'Joe Sixpack' updatesuccess testsuccessequal "$(cat ${PKGFILE}) " aptcache show apt installaptold prepare ${PKGFILE}-new signreleasefiles 'Marvin Paranoid' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Good warm archive signed by' 'Marvin Paranoid' updatefailure '^W: .* NO_PUBKEY' testsuccessequal "$(cat ${PKGFILE}) " aptcache show apt installaptold prepare ${PKGFILE}-new cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg signreleasefiles 'Rex Expired' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Good warm archive signed by' 'Rex Expired' updatefailure '^W: .* KEYEXPIRED' testsuccessequal "$(cat ${PKGFILE}) " aptcache show apt installaptold rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg prepare ${PKGFILE}-new signreleasefiles find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Good warm archive signed by' 'Joe Sixpack' updatesuccess testsuccessequal "$(cat ${PKGFILE}-new) " aptcache show apt installaptnew } runtest2() { prepare ${PKGFILE} rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' msgtest 'Cold archive signed by' 'Joe Sixpack' updatesuccess # New .deb but now an unsigned archive. For example MITM to circumvent # package verification. prepare ${PKGFILE}-new find aptarchive/ -name InRelease -delete find aptarchive/ -name Release.gpg -delete msgtest 'Warm archive signed by' 'nobody' updatesuccess testsuccessequal "$(cat ${PKGFILE}-new) " aptcache show apt failaptnew # Unsigned archive from the beginning must also be detected. rm -rf rootdir/var/lib/apt/lists msgtest 'Cold archive signed by' 'nobody' updatesuccess testsuccessequal "$(cat ${PKGFILE}-new) " aptcache show apt failaptnew } # diable some protection by default and ensure we still do the verification # correctly cat > rootdir/etc/apt/apt.conf.d/weaken-security <<EOF Acquire::AllowInsecureRepositories "1"; Acquire::AllowDowngradeToInsecureRepositories "1"; EOF msgmsg "Runing base test" runtest2 DELETEFILE="InRelease" msgmsg "Running test with deletion of $DELETEFILE" runtest DELETEFILE="Release.gpg" msgmsg "Running test with deletion of $DELETEFILE" runtest