summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2016-04-28 22:02:50 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2016-05-01 10:50:24 +0200
commit1af227c2eaad386f0917fc4f36c84fd5999b884e (patch)
treeb497994bda9566413ed517eebba22eb3226f49e7
parentf13b413a3bb1f03886ba7d8c43b08bd13836a663 (diff)
gpgv: handle expired sig as worthless
Signatures on data can have an expiration date, too, which we hadn't handled previously explicitly (no problem – gpg still has a non-zero exit code so apt notices the invalid signature) so the error message wasn't as helpful as it could be (aka mentioning the key signing it).
-rw-r--r--methods/gpgv.cc7
-rw-r--r--test/integration/framework6
-rwxr-xr-xtest/integration/test-releasefile-verification23
3 files changed, 34 insertions, 2 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 2ab8b9c97..53c3ff80e 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -37,6 +37,7 @@ using std::vector;
#define GNUPGVALIDSIG "[GNUPG:] VALIDSIG"
#define GNUPGGOODSIG "[GNUPG:] GOODSIG"
#define GNUPGEXPKEYSIG "[GNUPG:] EXPKEYSIG"
+#define GNUPGEXPSIG "[GNUPG:] EXPSIG"
#define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
#define GNUPGNODATA "[GNUPG:] NODATA"
@@ -188,6 +189,12 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
std::clog << "Got EXPKEYSIG! " << std::endl;
WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
}
+ else if (strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0)
+ {
+ if (Debug == true)
+ std::clog << "Got EXPSIG!" << std::endl;
+ WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
+ }
else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0)
{
if (Debug == true)
diff --git a/test/integration/framework b/test/integration/framework
index a68209326..a5cc842ba 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1084,6 +1084,8 @@ setupaptarchive() {
signreleasefiles() {
local SIGNER="${1:-Joe Sixpack}"
local REPODIR="${2:-aptarchive}"
+ if [ -n "$1" ]; then shift; fi
+ if [ -n "$1" ]; then shift; fi
local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')"
local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
msgninfo "\tSign archive with $SIGNER key $KEY… "
@@ -1111,9 +1113,9 @@ signreleasefiles() {
fi
fi
for RELEASE in $(find "${REPODIR}/" -name Release); do
- testsuccess $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
+ testsuccess $GPG "$@" --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
- testsuccess $GPG --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
+ testsuccess $GPG "$@" --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
# we might have set a specific date for the Release file, so copy it
touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}"
done
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 10b830449..a061832b6 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -129,6 +129,29 @@ runtest() {
failaptold
rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ msgmsg 'Cold archive expired signed by' 'Joe Sixpack'
+ if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+ touch rootdir/etc/apt/apt.conf.d/99gnupg2
+ elif gpg2 --version >/dev/null 2>&1; then
+ echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2
+ if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then
+ rm rootdir/etc/apt/apt.conf.d/99gnupg2
+ fi
+ fi
+ if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then
+ prepare "${PKGFILE}"
+ rm -rf rootdir/var/lib/apt/lists
+ signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01
+ find aptarchive/ -name "$DELETEFILE" -delete
+ updatewithwarnings '^W: .* EXPSIG'
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ failaptold
+ rm -f rootdir/etc/apt/apt.conf.d/99gnupg2
+ else
+ msgskip 'Not a new enough gpg available providing --fake-system-time'
+ fi
+
msgmsg 'Cold archive signed by' 'Marvin Paranoid'
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists