summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2018-08-17 11:59:45 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2018-09-11 13:16:11 +0200
commitff8fa4ab4b80384a9240f0df63181f71077a8d83 (patch)
tree9e01aae054c99f8467dc5c2feb196378a33772ea /test
parenta5953d914488c80c28fba6b59d2f0be461cd9f03 (diff)
Support subkeys properly in Signed-By options
If we limit a file to be signed by a certain key it should usually accept also being signed by any of this keys subkeys instead of requiring each subkey to be listed explicitly. If the later is really wanted we support now also the same syntax as gpg does with appending an exclamation mark at the end of the fingerprint to force no mapping.
Diffstat (limited to 'test')
-rw-r--r--test/integration/framework1
-rw-r--r--test/integration/sebastiansubkey.master.secbin0 -> 4829 bytes
-rw-r--r--test/integration/sebastiansubkey.pubbin0 -> 2567 bytes
-rw-r--r--test/integration/sebastiansubkey.secbin0 -> 3546 bytes
-rwxr-xr-xtest/integration/test-method-gpgv33
-rwxr-xr-xtest/integration/test-releasefile-verification38
-rwxr-xr-xtest/integration/test-signed-by-option22
7 files changed, 92 insertions, 2 deletions
diff --git a/test/integration/framework b/test/integration/framework
index b0456096c..8ec2e80cf 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1988,6 +1988,7 @@ mapkeynametokeyid() {
*Joe*|*Sixpack*|newarchive) echo '5A90D141DBAC8DAE';;
*Rex*|*Expired*) echo '4BC0A39C27CE74F9';;
*Marvin*|*Paranoid*) echo 'E8525D47528144E2';;
+ *Sebastian*|*Subkey*) echo '5B6896415D44C43E';;
oldarchive) echo 'FDD2DB85F68C85A3';;
*) echo 'UNKNOWN KEY';;
esac
diff --git a/test/integration/sebastiansubkey.master.sec b/test/integration/sebastiansubkey.master.sec
new file mode 100644
index 000000000..4d86fb983
--- /dev/null
+++ b/test/integration/sebastiansubkey.master.sec
Binary files differ
diff --git a/test/integration/sebastiansubkey.pub b/test/integration/sebastiansubkey.pub
new file mode 100644
index 000000000..c5f198c77
--- /dev/null
+++ b/test/integration/sebastiansubkey.pub
Binary files differ
diff --git a/test/integration/sebastiansubkey.sec b/test/integration/sebastiansubkey.sec
new file mode 100644
index 000000000..fd40889da
--- /dev/null
+++ b/test/integration/sebastiansubkey.sec
Binary files differ
diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv
index 5e00b1f13..2b53648f0 100755
--- a/test/integration/test-method-gpgv
+++ b/test/integration/test-method-gpgv
@@ -40,6 +40,11 @@ testrun() {
testgpgv 'Good signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
+ testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E,' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org>
+[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
+ testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E,' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org>
+[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
+
testgpgv 'Untrusted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
testsuccess grep '^\s\+Good:\s\+$' method.output
@@ -96,7 +101,33 @@ testgpgv 'Good signed with long keyid but not signed-by key' 'NoPubKey: GOODSIG
[GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742625 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9'
testsuccess grep '^\s\+Good:\s\+$' method.output
testsuccess grep 'verified because the public key is not available: GOODSIG' method.output
-testgpgv 'Good signed with fingerprint' 'NoPubKey: GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9,' '[GNUPG:] GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>
+testgpgv 'Good signed with fingerprint but not signed-by key' 'NoPubKey: GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9,' '[GNUPG:] GOODSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>
[GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742625 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9'
testsuccess grep '^\s\+Good:\s\+$' method.output
testsuccess grep 'verified because the public key is not available: GOODSIG' method.output
+
+gpgvmethod() {
+ echo '601 Configuration
+Config-Item: Debug::Acquire::gpgv=1
+Config-Item: Dir::Bin::apt-key=./faked-apt-key
+Config-Item: APT::Hashes::SHA1::Weak=true
+
+600 URI Acquire
+URI: file:///dev/null
+Filename: /dev/zero
+Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!
+' | runapt "${METHODSDIR}/gpgv"
+}
+testgpgv 'Exact matched subkey signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Sebastian Subkey <subkey@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E'
+testgpgv 'Exact matched subkey signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE,' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Sebastian Subkey <subkey@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E'
+
+testgpgv 'Exact unmatched subkey signed with long keyid' 'NoPubKey: GOODSIG 5B6896415D44C43E,' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org>
+[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
+testsuccess grep '^\s\+Good:\s\+$' method.output
+testsuccess grep 'verified because the public key is not available: GOODSIG' method.output
+testgpgv 'Exact unmatched subkey signed with fingerprint' 'NoPubKey: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E,' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org>
+[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
+testsuccess grep '^\s\+Good:\s\+$' method.output
+testsuccess grep 'verified because the public key is not available: GOODSIG' method.output
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 36a90f9d5..f61d93f79 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -342,6 +342,44 @@ Signed-By: ${MARVIN} ${MARVIN}, \\
testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
installaptnew
+
+ cp -a keys/sebastiansubkey.pub rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
+ local SEBASTIAN="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 1 '^fpr' | cut -d':' -f 10)"
+ msgmsg 'Warm archive with subkey signing' 'Sebastian Subkey'
+ rm -rf rootdir/var/lib/apt/lists
+ cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
+ signreleasefiles 'Sebastian Subkey'
+ sed -i "/^Valid-Until: / a\
+Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release
+ touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
+ successfulaptgetupdate
+ testsuccessequal "$(cat "${PKGFILE}-new")
+" aptcache show apt
+ installaptnew
+
+ msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey'
+ rm -rf rootdir/var/lib/apt/lists
+ cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
+ sed -i "/^Valid-Until: / a\
+Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release
+ touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
+ updatewithwarnings 'W: .* public key is not available: GOODSIG'
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
+
+ local SUBKEY="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 2 '^fpr' | tail -n -1 | cut -d':' -f 10)"
+ msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey'
+ rm -rf rootdir/var/lib/apt/lists
+ cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
+ sed -i "/^Valid-Until: / a\
+Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release
+ touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
+ successfulaptgetupdate
+ testsuccessequal "$(cat "${PKGFILE}-new")
+" aptcache show apt
+ installaptnew
+ rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
}
runtest2() {
diff --git a/test/integration/test-signed-by-option b/test/integration/test-signed-by-option
index 4ab2e28bb..faa7dec44 100755
--- a/test/integration/test-signed-by-option
+++ b/test/integration/test-signed-by-option
@@ -7,7 +7,27 @@ TESTDIR="$(readlink -f "$(dirname "$0")")"
setupenvironment
configarchitecture 'amd64'
-msgtest "Check that a repository with signed-by and two components works"
+msgtest 'Check that a repository with' 'signed-by and two components works'
echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list
+testsuccess --nomsg aptcache policy
+
+msgtest 'Check that a repository with' 'two fingerprints work'
+echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list
+testsuccess --nomsg aptcache policy
+
+msgtest 'Check that a repository with' 'exact fingerprint works'
+echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386!] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list
+testsuccess --nomsg aptcache policy
+msgtest 'Check that a repository with' 'whitespaced fingerprints work'
+echo 'deb [signed-by=CDE5618B8805FD6E202CE9C2D73C39E56580B386!,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] https://people.debian.org/~jak/debian/ stable main contrib # Äffchen' > rootdir/etc/apt/sources.list
+cat > rootdir/etc/apt/sources.list.d/people.sources <<EOF
+Types: deb
+URIs: mirror+file:/var/lib/apt/mirror.lst
+Suites: stable testing
+Components: main contrib
+Architectures: amd64 i386
+Signed-By: CDE5618B8805FD6E202CE9C2D73C39E56580B386! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ , , BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+EOF
testsuccess --nomsg aptcache policy