diff options
| author | Julian Andres Klode <jak@debian.org> | 2024-12-07 16:44:18 +0100 |
|---|---|---|
| committer | Julian Andres Klode <julian.klode@canonical.com> | 2024-12-22 23:51:22 +0100 |
| commit | da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf (patch) | |
| tree | a777d725b72b0e2111b62ebed3412921d4ffe647 /test/integration | |
| parent | b85dd910dcc68b710e1843e8b67935cc96c2a4c9 (diff) | |
methods: Add new sqv method
The new sqv method uses sequoia's sqv tool to verify files. The
tool's interface is quite simple: It returns 0 on success, and
prints one line per good signer with the fingerprint.
sqv has a configurable crypto policy. We have defined apt-specific
override mechanisms for sequoia's standard policy, allowing both
users, distributions, and apt package to provide overrides for
Sequoia's default policy in meaningful ways.
The sqv method will be built and be the standard method for
verifying OpenPGP signatures provided that `sqv` is in the
PATH during building. It is not built if there was no sqv
at build time, so you need a rebuild to enable sqv later
on.
On the flip side, the gpgv method is always built, but it
does need to be always built: If APT::Key::GPGVCommand is
set, we need to fallback to it - this is important to
support existing users of that interface such as
mmdebstrap. Also we want to fall back to it when /usr/bin/sqv
disappears - for example in our CI :D
A couple of concessions have been made for test suite purposes:
- Failure to split a clearsigned file only shows the summary,
as the gpgv method also only showed it, and no details why
it failed.
- We write "Got GOODSIG <fingerprint>" in debug mode to mimic
the gpgv code to keep the test suite happy.
- In various places in the test suite we assert minimal output
from sqv, but sqv's human output is not intended to be stable.
This will incur additional work when it breaks. However we do
not _parse_ the output, so actual operation of apt is unaffected.
A couple of things are suboptimal here:
- We are still doing clearsigned splitting ourselves. sqv only
has support for detached signatures right now, whereas sqopv
has support for clearsigned files as well (but sqopv does not
provide any reasons for why signature verification fails or
means to set a policy).
- Deprecation of algorithms happens on a timebomb basis in
sequoia. We have no means to give users warnings ahead of
time if their configuration is outdated.
We have implemented various bits that probably should be going away:
- Fallback to trusted.gpg
This is just annoying...
- Support for fingerprints in Signed-By (no subkey matching though)
The extra work here is arguably less compared to gpgv.
- Check the keyring for correctness.
With Signed-By everywhere, we should just error out rather than
skip broken keyrings.
Moo
Diffstat (limited to 'test/integration')
| -rwxr-xr-x | test/integration/test-apt-update-ims | 2 | ||||
| -rwxr-xr-x | test/integration/test-apt-update-nofallback | 19 | ||||
| -rwxr-xr-x | test/integration/test-apt-update-repeated-ims-hit | 4 | ||||
| -rwxr-xr-x | test/integration/test-apt-update-rollback | 9 | ||||
| -rwxr-xr-x | test/integration/test-releasefile-verification | 77 | ||||
| -rwxr-xr-x | test/integration/test-signed-by-option | 2 |
6 files changed, 69 insertions, 44 deletions
diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index 1894c3adf..101c2f298 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -48,7 +48,7 @@ runtest() { # ensure that we still do a hash check for other files on ims hit of Release if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then - $TEST aptget update -o Debug::Acquire::gpgv=1 $APTOPT + $TEST aptget update -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 $APTOPT cp rootdir/tmp/${TEST}.output goodsign.output testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" testsuccess grep '^Got GOODSIG ' goodsign.output diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index 18f12b1e3..c9ee75756 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -198,9 +198,16 @@ test_inrelease_to_invalid_inrelease() sed -i 's/^Codename:.*/Codename: evil!/' "$APTARCHIVE/dists/unstable/InRelease" inject_evil_package - testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + if test -e /usr/bin/sqv; then + # FIXME: Do not assert sqv output + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + else + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + fi # ensure we keep the repo testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease @@ -218,10 +225,16 @@ test_release_gpg_to_invalid_release_release_gpg() # now subvert Release do no longer verify echo "Some evil data" >> "$APTARCHIVE/dists/unstable/Release" inject_evil_package - - testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + if test -e /usr/bin/sqv; then + # FIXME: Do not assert sqv output + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + else + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + fi testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release testfileequal lists.before "$(listcurrentlistsdirectory)" diff --git a/test/integration/test-apt-update-repeated-ims-hit b/test/integration/test-apt-update-repeated-ims-hit index 74d46b31b..43871a31f 100755 --- a/test/integration/test-apt-update-repeated-ims-hit +++ b/test/integration/test-apt-update-repeated-ims-hit @@ -40,7 +40,11 @@ rm -f rootdir/etc/apt/trusted.gpg.d/* sed -i -e 's#^deb #deb [trusted=yes] #' rootdir/etc/apt/sources.list.d/* APTARCHIVE="$(readlink -f ./aptarchive)" +if test -e /usr/bin/sqv; then +GPGERROR="W: GPG error: file:$APTARCHIVE Release: The signatures couldn't be verified because no keyring is specified" +else GPGERROR="W: GPG error: file:$APTARCHIVE Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A90D141DBAC8DAE" +fi msgmsg 'Running update again does not change result' '0' testwarningmsg "$GPGERROR" apt update diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index 8235968bb..68505f6ba 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -156,9 +156,16 @@ test_inrelease_to_unauth_inrelease() { signreleasefiles 'Marvin Paranoid' - testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 + if test -e /usr/bin/sqv; then + # FIXME: Do not assert sqv output + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature. +W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature. +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + else + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + fi testfileequal lists.before "$(listcurrentlistsdirectory)" testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease' diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 1392a05d1..00c72d7d9 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -97,13 +97,20 @@ echo -n 'apt' > aptarchive/apt.deb PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')" updatewithwarnings() { - testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 testsuccess grep -E "$1" rootdir/tmp/testwarning.output } foreachgpg() { rm -f rootdir/etc/apt/apt.conf.d/00gpgvcmd - "$@" + local sqv="true" + if [ "$1" = "--no-sqv" ]; then + local sqv= + shift + fi + if [ "$sqv" ]; then + "$@" + fi for GPGV in "gpgv-sq" "gpgv-g10code"; do msgmsg "Forcing $GPGV to be used" echo "APT::Key::GPGVCommand \"$GPGV\";" > "rootdir/etc/apt/apt.conf.d/00gpgvcmd" @@ -147,7 +154,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg signreleasefiles 'Rex Expired' - updatewithwarnings '^W: .* EXPKEYSIG' + updatewithwarnings '^W: .* (EXPKEYSIG|Expired)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold @@ -157,7 +164,7 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack,Marvin Paranoid' - successfulaptgetupdate 'NO_PUBKEY' + successfulaptgetupdate 'NO_PUBKEY\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -167,7 +174,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack,Rex Expired' cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg - successfulaptgetupdate 'EXPKEYSIG' + successfulaptgetupdate 'EXPKEYSIG\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -177,7 +184,7 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold @@ -202,7 +209,7 @@ runtest() { msgmsg 'Good warm archive signed by' 'Marvin Paranoid' prepare "${PKGFILE}-new" signreleasefiles 'Marvin Paranoid' - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -212,7 +219,7 @@ runtest() { # Use a colon here to test weird filenames too cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rex:expired.gpg signreleasefiles 'Rex Expired' - updatewithwarnings '^W: .* EXPKEYSIG' + updatewithwarnings '^W: .* (EXPKEYSIG|Expired)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -230,7 +237,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists local MARVIN="$(readlink -f keys/marvinparanoid.pub)" sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid' prepare "${PKGFILE}" @@ -265,7 +272,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* - updatewithwarnings '^W: .* be verified because the public key is not available: .*' + updatewithwarnings '^W: .* (be verified because the public key is not available: .*|No good signature from required signer)' msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid' rm -rf rootdir/var/lib/apt/lists @@ -279,7 +286,7 @@ runtest() { msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid,Joe Sixpack' - successfulaptgetupdate 'NoPubKey: GOODSIG' + successfulaptgetupdate 'NoPubKey: GOODSIG\|DE66AECA9151AFA1877EC31DE8525D47528144E2' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -324,7 +331,7 @@ Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release sed -i "/^Valid-Until: / a\ Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release - updatewithwarnings 'W: .* public key is not available: GOODSIG' + updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -373,22 +380,26 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release sed -i "/^Valid-Until: / a\ Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release - updatewithwarnings 'W: .* public key is not available: GOODSIG' + updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold local SUBKEY="4281DEDBD466EAE8C1F4157E5B6896415D44C43E" + # This is only supported for gpgv, so require an explicit gpgv command, + # otherwise the default verification backend may be sqv. + if [ "$GPGV" ]; then msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey' rm -rf rootdir/var/lib/apt/lists cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists - sed -i "/^Valid-Until: / a\ + sed -i "/^Valid-Until: / a\ Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release - touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release - successfulaptgetupdate - testsuccessequal "$(cat "${PKGFILE}-new") + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt - installaptnew + installaptnew + fi rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg } @@ -419,16 +430,6 @@ runtest2() { find aptarchive -name Release -exec sh -c "echo Hello > {}.gpg" \; testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update - msgmsg 'Cold archive signed by' 'Empty inline' - rm -rf rootdir/var/lib/apt/lists - find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \; - testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update - - msgmsg 'Cold archive signed by' 'Bad inline' - rm -rf rootdir/var/lib/apt/lists - find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo SGVsbG8K; echo =nFa9; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \; - testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update - find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete # Unsigned archive from the beginning must also be detected. @@ -463,7 +464,7 @@ EOF export APT_TESTS_DIGEST_ALGO='SHA512' successfulaptgetupdate() { - testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 if [ -n "$1" ]; then cp rootdir/tmp/testsuccess.output aptupdate.output testsuccess grep "$1" aptupdate.output @@ -472,13 +473,13 @@ successfulaptgetupdate() { foreachgpg runtest3 'Trusted' successfulaptgetupdate() { - testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 if [ -n "$1" ]; then testsuccess grep "$1" rootdir/tmp/testwarning.output fi testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output } -foreachgpg runtest3 'Weak' +foreachgpg --no-sqv runtest3 'Weak' msgmsg "Running test with apt-untrusted digest" echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate @@ -489,14 +490,14 @@ runfailure() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 - testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output + testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 + testsuccess grep 'The following signatures were invalid\|MD5 is not considered secure' rootdir/tmp/testfailure.output testnopackage 'apt' - testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 failaptold rm -rf rootdir/var/lib/apt/lists sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/* - testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 failaptold sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/* @@ -504,13 +505,13 @@ runfailure() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 testnopackage 'apt' - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold export APT_DONT_SIGN='Release.gpg' done } -foreachgpg runfailure +foreachgpg --no-sqv runfailure diff --git a/test/integration/test-signed-by-option b/test/integration/test-signed-by-option index 8e1e9a8c2..e6a3fbb86 100755 --- a/test/integration/test-signed-by-option +++ b/test/integration/test-signed-by-option @@ -66,7 +66,7 @@ xSigned-By: -----END PGP PUBLIC KEY BLOCK----- EOF testfailure apt update -o Debug::Acquire::gpgv=1 -testsuccess grep "NO_PUBKEY 5A90D141DBAC8DAE" rootdir/tmp/testfailure.output +testsuccess grep -E "(NO_PUBKEY 5A90D141DBAC8DAE|no keyring is specified)" rootdir/tmp/testfailure.output sed -i s/^xSigned-By/Signed-By/ rootdir/etc/apt/sources.list.d/deb822.sources testsuccess apt update -o Debug::Acquire::gpgv=1 # make sure we did not leave leftover files (LP: #1995247) |
