diff options
author | David Kalnischkies <kalnischkies@gmail.com> | 2013-08-09 22:20:27 +0200 |
---|---|---|
committer | David Kalnischkies <kalnischkies@gmail.com> | 2013-08-12 18:01:37 +0200 |
commit | 29a59c460403820d0f039398194e321b7e0921fc (patch) | |
tree | fb6c6655bb9cee83493949465b56d23d62230d3c | |
parent | 7dd5854b48f5d59c02fb0068d850384f3e678c67 (diff) |
test Release file handling with expired keys
Signing files with expired keys is not as easy as it sounds, so the
framework jumps a few loops to do it, but it might come in handy to have
an expired key around for later tests even if it is not that different
from having no key in regards to APT behaviour.
Git-Dch: Ignore
-rw-r--r-- | test/integration/framework | 35 | ||||
-rw-r--r-- | test/integration/rexexpired.pub | bin | 0 -> 1200 bytes | |||
-rw-r--r-- | test/integration/rexexpired.sec | bin | 0 -> 2502 bytes | |||
-rwxr-xr-x | test/integration/test-releasefile-verification | 35 |
4 files changed, 62 insertions, 8 deletions
diff --git a/test/integration/framework b/test/integration/framework index 7dd7c20a7..f64b8482c 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -711,22 +711,45 @@ setupaptarchive() { signreleasefiles() { local SIGNER="${1:-Joe Sixpack}" + local GPG="gpg --batch --yes --no-default-keyring --trustdb-name rootdir/etc/apt/trustdb.gpg" msgninfo "\tSign archive with $SIGNER key… " - local SECKEYS="" + local REXKEY='keys/rexexpired' + local SECEXPIREBAK="${REXKEY}.sec.bak" + local PUBEXPIREBAK="${REXKEY}.pub.bak" + if [ "${SIGNER}" = 'Rex Expired' ]; then + # the key is expired, so gpg doesn't allow to sign with and the --faked-system-time + # option doesn't exist anymore (and using faketime would add a new obscure dependency) + # therefore we 'temporary' make the key not expired and restore a backup after signing + cp ${REXKEY}.sec $SECEXPIREBAK + cp ${REXKEY}.pub $PUBEXPIREBAK + local SECUNEXPIRED="${REXKEY}.sec.unexpired" + local PUBUNEXPIRED="${REXKEY}.pub.unexpired" + if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then + cp $SECUNEXPIRED ${REXKEY}.sec + cp $PUBUNEXPIRED ${REXKEY}.pub + else + printf "expire\n1w\nsave\n" | $GPG --keyring ${REXKEY}.pub --secret-keyring ${REXKEY}.sec --command-fd 0 --edit-key "${SIGNER}" >/dev/null 2>&1 || true + cp ${REXKEY}.sec $SECUNEXPIRED + cp ${REXKEY}.pub $PUBUNEXPIRED + fi + fi for KEY in $(find keys/ -name '*.sec'); do - SECKEYS="$SECKEYS --secret-keyring $KEY" + GPG="$GPG --secret-keyring $KEY" done - local PUBKEYS="" for KEY in $(find keys/ -name '*.pub'); do - PUBKEYS="$PUBKEYS --keyring $KEY" + GPG="$GPG --keyring $KEY" done for RELEASE in $(find aptarchive/ -name Release); do - gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" -abs -o ${RELEASE}.gpg ${RELEASE} + $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output ${RELEASE}.gpg ${RELEASE} local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')" - gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" --clearsign -o $INRELEASE $RELEASE + $GPG --default-key "$SIGNER" --clearsign --output $INRELEASE $RELEASE # we might have set a specific date for the Release file, so copy it touch -d "$(stat --format "%y" ${RELEASE})" ${RELEASE}.gpg ${INRELEASE} done + if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then + mv -f $SECEXPIREBAK ${REXKEY}.sec + mv -f $PUBEXPIREBAK ${REXKEY}.pub + fi msgdone "info" } diff --git a/test/integration/rexexpired.pub b/test/integration/rexexpired.pub Binary files differnew file mode 100644 index 000000000..5ab2e489a --- /dev/null +++ b/test/integration/rexexpired.pub diff --git a/test/integration/rexexpired.sec b/test/integration/rexexpired.sec Binary files differnew file mode 100644 index 000000000..dc00168cd --- /dev/null +++ b/test/integration/rexexpired.sec diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index e56f458d3..daba3919b 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -107,13 +107,24 @@ runtest() { " aptcache show apt installaptnew + prepare ${PKGFILE} + rm -rf rootdir/var/lib/apt/lists + cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + signreleasefiles 'Rex Expired' + find aptarchive/ -name "$DELETEFILE" -delete + msgtest 'Cold archive signed by' 'Rex Expired' + aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail + testequal "$(cat ${PKGFILE}) +" aptcache show apt + failaptold + rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg prepare ${PKGFILE} rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Cold archive signed by' 'Marvin Paranoid' - aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail + aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail testequal "$(cat ${PKGFILE}) " aptcache show apt failaptold @@ -147,10 +158,30 @@ runtest() { signreleasefiles 'Marvin Paranoid' find aptarchive/ -name "$DELETEFILE" -delete msgtest 'Good warm archive signed by' 'Marvin Paranoid' - aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail + aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail + testequal "$(cat ${PKGFILE}) +" aptcache show apt + installaptold + + prepare ${PKGFILE}-new + cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + signreleasefiles 'Rex Expired' + find aptarchive/ -name "$DELETEFILE" -delete + msgtest 'Good warm archive signed by' 'Rex Expired' + aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail testequal "$(cat ${PKGFILE}) " aptcache show apt installaptold + rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + + prepare ${PKGFILE}-new + signreleasefiles + find aptarchive/ -name "$DELETEFILE" -delete + msgtest 'Good warm archive signed by' 'Joe Sixpack' + aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgfail || msgpass + testequal "$(cat ${PKGFILE}-new) +" aptcache show apt + installaptnew } runtest2() { |