summaryrefslogtreecommitdiff
path: root/test/integration
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2024-12-07 16:44:18 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2024-12-22 23:51:22 +0100
commitda9a05e0b0b2150dbb67090e8b0c3922e46bd5cf (patch)
treea777d725b72b0e2111b62ebed3412921d4ffe647 /test/integration
parentb85dd910dcc68b710e1843e8b67935cc96c2a4c9 (diff)
methods: Add new sqv method
The new sqv method uses sequoia's sqv tool to verify files. The tool's interface is quite simple: It returns 0 on success, and prints one line per good signer with the fingerprint. sqv has a configurable crypto policy. We have defined apt-specific override mechanisms for sequoia's standard policy, allowing both users, distributions, and apt package to provide overrides for Sequoia's default policy in meaningful ways. The sqv method will be built and be the standard method for verifying OpenPGP signatures provided that `sqv` is in the PATH during building. It is not built if there was no sqv at build time, so you need a rebuild to enable sqv later on. On the flip side, the gpgv method is always built, but it does need to be always built: If APT::Key::GPGVCommand is set, we need to fallback to it - this is important to support existing users of that interface such as mmdebstrap. Also we want to fall back to it when /usr/bin/sqv disappears - for example in our CI :D A couple of concessions have been made for test suite purposes: - Failure to split a clearsigned file only shows the summary, as the gpgv method also only showed it, and no details why it failed. - We write "Got GOODSIG <fingerprint>" in debug mode to mimic the gpgv code to keep the test suite happy. - In various places in the test suite we assert minimal output from sqv, but sqv's human output is not intended to be stable. This will incur additional work when it breaks. However we do not _parse_ the output, so actual operation of apt is unaffected. A couple of things are suboptimal here: - We are still doing clearsigned splitting ourselves. sqv only has support for detached signatures right now, whereas sqopv has support for clearsigned files as well (but sqopv does not provide any reasons for why signature verification fails or means to set a policy). - Deprecation of algorithms happens on a timebomb basis in sequoia. We have no means to give users warnings ahead of time if their configuration is outdated. We have implemented various bits that probably should be going away: - Fallback to trusted.gpg This is just annoying... - Support for fingerprints in Signed-By (no subkey matching though) The extra work here is arguably less compared to gpgv. - Check the keyring for correctness. With Signed-By everywhere, we should just error out rather than skip broken keyrings. Moo
Diffstat (limited to 'test/integration')
-rwxr-xr-xtest/integration/test-apt-update-ims2
-rwxr-xr-xtest/integration/test-apt-update-nofallback19
-rwxr-xr-xtest/integration/test-apt-update-repeated-ims-hit4
-rwxr-xr-xtest/integration/test-apt-update-rollback9
-rwxr-xr-xtest/integration/test-releasefile-verification77
-rwxr-xr-xtest/integration/test-signed-by-option2
6 files changed, 69 insertions, 44 deletions
diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims
index 1894c3adf..101c2f298 100755
--- a/test/integration/test-apt-update-ims
+++ b/test/integration/test-apt-update-ims
@@ -48,7 +48,7 @@ runtest() {
# ensure that we still do a hash check for other files on ims hit of Release
if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then
- $TEST aptget update -o Debug::Acquire::gpgv=1 $APTOPT
+ $TEST aptget update -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 $APTOPT
cp rootdir/tmp/${TEST}.output goodsign.output
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
testsuccess grep '^Got GOODSIG ' goodsign.output
diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 18f12b1e3..c9ee75756 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -198,9 +198,16 @@ test_inrelease_to_invalid_inrelease()
sed -i 's/^Codename:.*/Codename: evil!/' "$APTARCHIVE/dists/unstable/InRelease"
inject_evil_package
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+ if test -e /usr/bin/sqv; then
+ # FIXME: Do not assert sqv output
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ else
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ fi
# ensure we keep the repo
testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease
@@ -218,10 +225,16 @@ test_release_gpg_to_invalid_release_release_gpg()
# now subvert Release do no longer verify
echo "Some evil data" >> "$APTARCHIVE/dists/unstable/Release"
inject_evil_package
-
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+ if test -e /usr/bin/sqv; then
+ # FIXME: Do not assert sqv output
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ else
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ fi
testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release
testfileequal lists.before "$(listcurrentlistsdirectory)"
diff --git a/test/integration/test-apt-update-repeated-ims-hit b/test/integration/test-apt-update-repeated-ims-hit
index 74d46b31b..43871a31f 100755
--- a/test/integration/test-apt-update-repeated-ims-hit
+++ b/test/integration/test-apt-update-repeated-ims-hit
@@ -40,7 +40,11 @@ rm -f rootdir/etc/apt/trusted.gpg.d/*
sed -i -e 's#^deb #deb [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
APTARCHIVE="$(readlink -f ./aptarchive)"
+if test -e /usr/bin/sqv; then
+GPGERROR="W: GPG error: file:$APTARCHIVE Release: The signatures couldn't be verified because no keyring is specified"
+else
GPGERROR="W: GPG error: file:$APTARCHIVE Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A90D141DBAC8DAE"
+fi
msgmsg 'Running update again does not change result' '0'
testwarningmsg "$GPGERROR" apt update
diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback
index 8235968bb..68505f6ba 100755
--- a/test/integration/test-apt-update-rollback
+++ b/test/integration/test-apt-update-rollback
@@ -156,9 +156,16 @@ test_inrelease_to_unauth_inrelease() {
signreleasefiles 'Marvin Paranoid'
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
+ if test -e /usr/bin/sqv; then
+ # FIXME: Do not assert sqv output
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature.
+W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature.
+W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ else
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ fi
testfileequal lists.before "$(listcurrentlistsdirectory)"
testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 1392a05d1..00c72d7d9 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -97,13 +97,20 @@ echo -n 'apt' > aptarchive/apt.deb
PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
updatewithwarnings() {
- testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}
foreachgpg() {
rm -f rootdir/etc/apt/apt.conf.d/00gpgvcmd
- "$@"
+ local sqv="true"
+ if [ "$1" = "--no-sqv" ]; then
+ local sqv=
+ shift
+ fi
+ if [ "$sqv" ]; then
+ "$@"
+ fi
for GPGV in "gpgv-sq" "gpgv-g10code"; do
msgmsg "Forcing $GPGV to be used"
echo "APT::Key::GPGVCommand \"$GPGV\";" > "rootdir/etc/apt/apt.conf.d/00gpgvcmd"
@@ -147,7 +154,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
- updatewithwarnings '^W: .* EXPKEYSIG'
+ updatewithwarnings '^W: .* (EXPKEYSIG|Expired)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
@@ -157,7 +164,7 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack,Marvin Paranoid'
- successfulaptgetupdate 'NO_PUBKEY'
+ successfulaptgetupdate 'NO_PUBKEY\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -167,7 +174,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack,Rex Expired'
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
- successfulaptgetupdate 'EXPKEYSIG'
+ successfulaptgetupdate 'EXPKEYSIG\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -177,7 +184,7 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
@@ -202,7 +209,7 @@ runtest() {
msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
prepare "${PKGFILE}-new"
signreleasefiles 'Marvin Paranoid'
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -212,7 +219,7 @@ runtest() {
# Use a colon here to test weird filenames too
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rex:expired.gpg
signreleasefiles 'Rex Expired'
- updatewithwarnings '^W: .* EXPKEYSIG'
+ updatewithwarnings '^W: .* (EXPKEYSIG|Expired)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -230,7 +237,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
prepare "${PKGFILE}"
@@ -265,7 +272,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
- updatewithwarnings '^W: .* be verified because the public key is not available: .*'
+ updatewithwarnings '^W: .* (be verified because the public key is not available: .*|No good signature from required signer)'
msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
rm -rf rootdir/var/lib/apt/lists
@@ -279,7 +286,7 @@ runtest() {
msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid,Joe Sixpack'
- successfulaptgetupdate 'NoPubKey: GOODSIG'
+ successfulaptgetupdate 'NoPubKey: GOODSIG\|DE66AECA9151AFA1877EC31DE8525D47528144E2'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -324,7 +331,7 @@ Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
- updatewithwarnings 'W: .* public key is not available: GOODSIG'
+ updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -373,22 +380,26 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release
sed -i "/^Valid-Until: / a\
Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
- updatewithwarnings 'W: .* public key is not available: GOODSIG'
+ updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
local SUBKEY="4281DEDBD466EAE8C1F4157E5B6896415D44C43E"
+ # This is only supported for gpgv, so require an explicit gpgv command,
+ # otherwise the default verification backend may be sqv.
+ if [ "$GPGV" ]; then
msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey'
rm -rf rootdir/var/lib/apt/lists
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
- sed -i "/^Valid-Until: / a\
+ sed -i "/^Valid-Until: / a\
Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release
- touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
- successfulaptgetupdate
- testsuccessequal "$(cat "${PKGFILE}-new")
+ touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
+ successfulaptgetupdate
+ testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
- installaptnew
+ installaptnew
+ fi
rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
}
@@ -419,16 +430,6 @@ runtest2() {
find aptarchive -name Release -exec sh -c "echo Hello > {}.gpg" \;
testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update
- msgmsg 'Cold archive signed by' 'Empty inline'
- rm -rf rootdir/var/lib/apt/lists
- find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \;
- testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update
-
- msgmsg 'Cold archive signed by' 'Bad inline'
- rm -rf rootdir/var/lib/apt/lists
- find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo SGVsbG8K; echo =nFa9; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \;
- testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update
-
find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
# Unsigned archive from the beginning must also be detected.
@@ -463,7 +464,7 @@ EOF
export APT_TESTS_DIGEST_ALGO='SHA512'
successfulaptgetupdate() {
- testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
if [ -n "$1" ]; then
cp rootdir/tmp/testsuccess.output aptupdate.output
testsuccess grep "$1" aptupdate.output
@@ -472,13 +473,13 @@ successfulaptgetupdate() {
foreachgpg runtest3 'Trusted'
successfulaptgetupdate() {
- testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
if [ -n "$1" ]; then
testsuccess grep "$1" rootdir/tmp/testwarning.output
fi
testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output
}
-foreachgpg runtest3 'Weak'
+foreachgpg --no-sqv runtest3 'Weak'
msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
@@ -489,14 +490,14 @@ runfailure() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
- testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
- testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
+ testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
+ testsuccess grep 'The following signatures were invalid\|MD5 is not considered secure' rootdir/tmp/testfailure.output
testnopackage 'apt'
- testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
failaptold
rm -rf rootdir/var/lib/apt/lists
sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
- testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
failaptold
sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
@@ -504,13 +505,13 @@ runfailure() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
- testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
testnopackage 'apt'
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
export APT_DONT_SIGN='Release.gpg'
done
}
-foreachgpg runfailure
+foreachgpg --no-sqv runfailure
diff --git a/test/integration/test-signed-by-option b/test/integration/test-signed-by-option
index 8e1e9a8c2..e6a3fbb86 100755
--- a/test/integration/test-signed-by-option
+++ b/test/integration/test-signed-by-option
@@ -66,7 +66,7 @@ xSigned-By:
-----END PGP PUBLIC KEY BLOCK-----
EOF
testfailure apt update -o Debug::Acquire::gpgv=1
-testsuccess grep "NO_PUBKEY 5A90D141DBAC8DAE" rootdir/tmp/testfailure.output
+testsuccess grep -E "(NO_PUBKEY 5A90D141DBAC8DAE|no keyring is specified)" rootdir/tmp/testfailure.output
sed -i s/^xSigned-By/Signed-By/ rootdir/etc/apt/sources.list.d/deb822.sources
testsuccess apt update -o Debug::Acquire::gpgv=1
# make sure we did not leave leftover files (LP: #1995247)