diff options
author | David Kalnischkies <david@kalnischkies.de> | 2016-04-28 22:02:50 +0200 |
---|---|---|
committer | David Kalnischkies <david@kalnischkies.de> | 2016-05-01 10:50:24 +0200 |
commit | 1af227c2eaad386f0917fc4f36c84fd5999b884e (patch) | |
tree | b497994bda9566413ed517eebba22eb3226f49e7 | |
parent | f13b413a3bb1f03886ba7d8c43b08bd13836a663 (diff) |
gpgv: handle expired sig as worthless
Signatures on data can have an expiration date, too, which we hadn't
handled previously explicitly (no problem – gpg still has a non-zero
exit code so apt notices the invalid signature) so the error message
wasn't as helpful as it could be (aka mentioning the key signing it).
-rw-r--r-- | methods/gpgv.cc | 7 | ||||
-rw-r--r-- | test/integration/framework | 6 | ||||
-rwxr-xr-x | test/integration/test-releasefile-verification | 23 |
3 files changed, 34 insertions, 2 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc index 2ab8b9c97..53c3ff80e 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -37,6 +37,7 @@ using std::vector; #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG" #define GNUPGGOODSIG "[GNUPG:] GOODSIG" #define GNUPGEXPKEYSIG "[GNUPG:] EXPKEYSIG" +#define GNUPGEXPSIG "[GNUPG:] EXPSIG" #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG" #define GNUPGNODATA "[GNUPG:] NODATA" @@ -188,6 +189,12 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, std::clog << "Got EXPKEYSIG! " << std::endl; WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX))); } + else if (strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0) + { + if (Debug == true) + std::clog << "Got EXPSIG!" << std::endl; + WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX))); + } else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0) { if (Debug == true) diff --git a/test/integration/framework b/test/integration/framework index a68209326..a5cc842ba 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -1084,6 +1084,8 @@ setupaptarchive() { signreleasefiles() { local SIGNER="${1:-Joe Sixpack}" local REPODIR="${2:-aptarchive}" + if [ -n "$1" ]; then shift; fi + if [ -n "$1" ]; then shift; fi local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')" local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}" msgninfo "\tSign archive with $SIGNER key $KEY… " @@ -1111,9 +1113,9 @@ signreleasefiles() { fi fi for RELEASE in $(find "${REPODIR}/" -name Release); do - testsuccess $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}" + testsuccess $GPG "$@" --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}" local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')" - testsuccess $GPG --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE" + testsuccess $GPG "$@" --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE" # we might have set a specific date for the Release file, so copy it touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}" done diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 10b830449..a061832b6 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -129,6 +129,29 @@ runtest() { failaptold rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + msgmsg 'Cold archive expired signed by' 'Joe Sixpack' + if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then + touch rootdir/etc/apt/apt.conf.d/99gnupg2 + elif gpg2 --version >/dev/null 2>&1; then + echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2 + if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then + rm rootdir/etc/apt/apt.conf.d/99gnupg2 + fi + fi + if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then + prepare "${PKGFILE}" + rm -rf rootdir/var/lib/apt/lists + signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01 + find aptarchive/ -name "$DELETEFILE" -delete + updatewithwarnings '^W: .* EXPSIG' + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + failaptold + rm -f rootdir/etc/apt/apt.conf.d/99gnupg2 + else + msgskip 'Not a new enough gpg available providing --fake-system-time' + fi + msgmsg 'Cold archive signed by' 'Marvin Paranoid' prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists |