summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2015-05-18 22:15:06 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2015-05-18 22:15:06 +0200
commit6bf93605fdb8e858d3f0a79a124c1d39f760094d (patch)
tree4f1fb6549db04d6b39845e8587316460b493f249 /test
parent8eafc759544298211cd0bfaa3919afc0fadd47d1 (diff)
treat older Release files than we already have as an IMSHit
Valid-Until protects us from long-living downgrade attacks, but not all repositories have it and an attacker could still use older but still valid files to downgrade us. While this makes it sounds like a security improvement now, its a bit theoretical at best as an attacker with capabilities to pull this off could just as well always keep us days (but in the valid period) behind and always knows which state we have, as we tell him with the If-Modified-Since header. This is also why this is 'silently' ignored and treated as an IMSHit rather than screamed at the user as this can at best be an annoyance for attackers. An error here would 'regularily' be encountered by users by out-of-sync mirrors serving a single run (e.g. load balancer) or in two consecutive runs on the other hand, so it would just help teaching people ignore it. That said, most of the code churn is caused by enforcing this additional requirement. Crisscross from InRelease to Release.gpg is e.g. very unlikely in practice, but if we would ignore it an attacker could sidestep it this way.
Diffstat (limited to 'test')
-rw-r--r--test/integration/framework7
-rwxr-xr-xtest/integration/test-apt-update-ims12
-rwxr-xr-xtest/integration/test-apt-update-nofallback5
-rwxr-xr-xtest/integration/test-apt-update-not-modified4
-rwxr-xr-xtest/integration/test-apt-update-rollback4
-rwxr-xr-xtest/integration/test-releasefile-date-older62
-rwxr-xr-xtest/integration/test-releasefile-valid-until37
-rwxr-xr-xtest/integration/test-releasefile-verification70
8 files changed, 121 insertions, 80 deletions
diff --git a/test/integration/framework b/test/integration/framework
index 8c8936ead..b253deb91 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1164,9 +1164,9 @@ testfileequal() {
shift
msgtest "Test for correctness of file" "$FILE"
if [ -z "$*" ]; then
- echo -n "" | checkdiff $FILE - && msgpass || msgfail
+ echo -n "" | checkdiff - $FILE && msgpass || msgfail
else
- echo "$*" | checkdiff $FILE - && msgpass || msgfail
+ echo "$*" | checkdiff - $FILE && msgpass || msgfail
fi
}
@@ -1547,7 +1547,8 @@ aptautotest_aptcdrom_add() { aptautotest_aptget_update "$@"; }
testaptautotestnodpkgwarning() {
local TESTCALL="$1"
while [ -n "$2" ]; do
- if expr match "$2" '^-[a-z]*s' >/dev/null 2>&1; then return; fi
+ if expr match "$2" '^-[a-z]*s' >/dev/null 2>&1; then return; fi # simulation mode
+ if expr match "$2" '^-dy\?' >/dev/null 2>&1; then return; fi # download-only mode
shift
done
testfailure grep '^dpkg: warning:.*ignor.*' "${TMPWORKINGDIRECTORY}/rootdir/tmp-before/${TESTCALL}.output"
diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims
index f091bffaa..7385e701a 100755
--- a/test/integration/test-apt-update-ims
+++ b/test/integration/test-apt-update-ims
@@ -43,7 +43,7 @@ runtest() {
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
# ensure that we still do a hash check for other files on ims hit of Release
- if grep -q '^Hit .* \(InRelease\|Release.gpg\)$' expected.output ; then
+ if grep -q '^Hit .* InRelease$' expected.output || ! grep -q '^Ign .* Release\(\.gpg\)\?$' expected.output; then
$TEST aptget update -o Debug::Acquire::gpgv=1
cp rootdir/tmp/${TEST}.output goodsign.output
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
@@ -66,7 +66,6 @@ msgmsg 'Release/Release.gpg'
EXPECT='Ign http://localhost:8080 unstable InRelease
404 Not Found
Hit http://localhost:8080 unstable Release
-Hit http://localhost:8080 unstable Release.gpg
Reading package lists...'
find aptarchive -name 'InRelease' -delete
echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
@@ -81,7 +80,7 @@ Hit http://localhost:8080 unstable Release
Ign http://localhost:8080 unstable Release.gpg
404 Not Found
Reading package lists...
-W: The data from 'http://localhost:8080 unstable Release.gpg' is not signed. Packages from that repository can not be authenticated."
+W: The data from 'http://localhost:8080 unstable Release' is not signed. Packages from that repository can not be authenticated."
find aptarchive -name 'Release.gpg' -delete
echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
runtest 'warning'
@@ -108,8 +107,7 @@ msgmsg 'expired Release/Release.gpg'
EXPECT='Ign http://localhost:8080 unstable InRelease
404 Not Found
Hit http://localhost:8080 unstable Release
-Hit http://localhost:8080 unstable Release.gpg
-E: Release file for http://localhost:8080/dists/unstable/Release.gpg is expired (invalid since). Updates for this repository will not be applied.'
+E: Release file for http://localhost:8080/dists/unstable/Release is expired (invalid since). Updates for this repository will not be applied.'
find aptarchive -name 'InRelease' -delete
echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
runtest 'failure'
@@ -122,8 +120,8 @@ EXPECT="Ign http://localhost:8080 unstable InRelease
Hit http://localhost:8080 unstable Release
Ign http://localhost:8080 unstable Release.gpg
404 Not Found
-W: The data from 'http://localhost:8080 unstable Release.gpg' is not signed. Packages from that repository can not be authenticated.
-E: Release file for http://localhost:8080/dists/unstable/InRelease is expired (invalid since). Updates for this repository will not be applied."
+W: The data from 'http://localhost:8080 unstable Release' is not signed. Packages from that repository can not be authenticated.
+E: Release file for http://localhost:8080/dists/unstable/Release is expired (invalid since). Updates for this repository will not be applied."
find aptarchive -name 'Release.gpg' -delete
echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
runtest 'failure' 'warning'
diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 71576de81..db4430ea3 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -8,6 +8,7 @@ set -e
simulate_mitm_and_inject_evil_package()
{
+ redatereleasefiles '+1 hour'
rm -f $APTARCHIVE/dists/unstable/InRelease
rm -f $APTARCHIVE/dists/unstable/Release.gpg
inject_evil_package
@@ -31,7 +32,7 @@ EOF
assert_update_is_refused_and_last_good_state_used()
{
- testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq
+ testfailuremsg "E: The repository 'file: unstable Release' is no longer signed." aptget update
assert_repo_is_intact
}
@@ -193,7 +194,7 @@ test_release_gpg_to_invalid_release_release_gpg()
echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release
inject_evil_package
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable Release.gpg: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
diff --git a/test/integration/test-apt-update-not-modified b/test/integration/test-apt-update-not-modified
index a67ecb760..b1d55c156 100755
--- a/test/integration/test-apt-update-not-modified
+++ b/test/integration/test-apt-update-not-modified
@@ -56,7 +56,6 @@ Reading package lists..." aptget update
testsuccessequal "Ign $1 unstable InRelease
404 Not Found
Hit $1 unstable Release
-Hit $1 unstable Release.gpg
Reading package lists..." aptget update
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
@@ -66,7 +65,6 @@ Reading package lists..." aptget update
testsuccessequal "Ign $1 unstable InRelease
404 Not Found
Hit $1 unstable Release
-Hit $1 unstable Release.gpg
Reading package lists..." aptget update
testfileequal 'listsdir-without-amd64.lst' "$(listcurrentlistsdirectory)"
@@ -75,7 +73,6 @@ Reading package lists..." aptget update
testsuccessequal "Ign $1 unstable InRelease
404 Not Found
Hit $1 unstable Release
-Hit $1 unstable Release.gpg
Get:1 $1 unstable/main amd64 Packages [$(stat -c '%s' 'aptarchive/dists/unstable/main/binary-amd64/Packages.gz') B]
Reading package lists..." aptget update
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
@@ -85,7 +82,6 @@ Reading package lists..." aptget update
testsuccessequal "Ign $1 unstable InRelease
404 Not Found
Get:1 $1 unstable Release [$(stat -c '%s' 'aptarchive/dists/unstable/Release') B]
-Get:2 $1 unstable Release.gpg [$(stat -c '%s' 'aptarchive/dists/unstable/Release.gpg') B]
Reading package lists..." aptget update
webserverconfig 'aptwebserver::support::modified-since' 'true'
webserverconfig 'aptwebserver::support::last-modified' 'true'
diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback
index 29fe1ab56..b464a04a1 100755
--- a/test/integration/test-apt-update-rollback
+++ b/test/integration/test-apt-update-rollback
@@ -78,7 +78,7 @@ test_inrelease_to_valid_release() {
rm $APTARCHIVE/dists/unstable/Release.gpg
# update fails
- testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq
+ testfailureequal "E: The repository 'file: unstable Release' is no longer signed." aptget update -qq
# test that security downgrade was not successful
testfileequal lists.before "$(listcurrentlistsdirectory)"
@@ -101,7 +101,7 @@ test_inrelease_to_release_reverts_all() {
break_repository_sources_index '+1hour'
# ensure error
- testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1
+ testfailureequal "E: The repository 'file: unstable Release' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1
# ensure that the Packages file is also rolled back
testfileequal lists.before "$(listcurrentlistsdirectory)"
diff --git a/test/integration/test-releasefile-date-older b/test/integration/test-releasefile-date-older
new file mode 100755
index 000000000..5cdc34fac
--- /dev/null
+++ b/test/integration/test-releasefile-date-older
@@ -0,0 +1,62 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'wheezy' 'apt' 'all' '0.8.15'
+
+setupaptarchive --no-update
+
+# we don't complain as the server could have just sent a 'Hit' here and this
+# 'downgrade attack' is usually performed by out-of-sync mirrors. Valid-Until
+# catches the 'real' downgrade attacks (expect that it finds stale mirrors).
+# Scaring users with an error here serves hence no point.
+
+msgmsg 'InRelease file is silently rejected if' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release.gpg file is silently rejected if' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+find aptarchive -name 'InRelease' -delete
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+find aptarchive -name 'InRelease' -delete
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Crisscross InRelease/Release.gpg file is silently rejected if' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+find aptarchive -name 'Release.gpg' -delete
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+find aptarchive -name 'InRelease' -delete
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Crisscross Release.gpg/InRelease file is silently rejected if' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+find aptarchive -name 'InRelease' -delete
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+find aptarchive -name 'Release.gpg' -delete
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
diff --git a/test/integration/test-releasefile-valid-until b/test/integration/test-releasefile-valid-until
index 0d9a91254..e000abf5d 100755
--- a/test/integration/test-releasefile-valid-until
+++ b/test/integration/test-releasefile-valid-until
@@ -16,13 +16,12 @@ setupaptarchive --no-update
runtest() {
local MSG="$1"
- msgtest "$1" "$2"
+ msgtest "Release file is $MSG as it has" "$2"
rm -rf rootdir/var/lib/apt/lists
- aptget clean
generatereleasefiles "$3" "$4"
signreleasefiles
shift 4
- if expr match "$MSG" '.*accepted.*' >/dev/null; then
+ if [ "$MSG" = 'accepted' ]; then
testsuccess --nomsg aptget update "$@"
testfailure grep -q 'is expired' rootdir/tmp/testsuccess.output
else
@@ -31,19 +30,19 @@ runtest() {
fi
}
-runtest 'Release file is accepted as it has' 'no Until' '' ''
-runtest 'Release file is accepted as it has' 'no Until and good Max-Valid' '' '' -o Acquire::Max-ValidTime=3600
-runtest 'Release file is rejected as it has' 'no Until, but bad Max-Valid' 'now - 2 days' '' -o Acquire::Max-ValidTime=3600
-runtest 'Release file is accepted as it has' 'good Until' 'now - 3 days' 'now + 1 day'
-runtest 'Release file is rejected as it has' 'bad Until' 'now - 7 days' 'now - 4 days'
-runtest 'Release file is rejected as it has' 'bad Until (ignore good Max-Valid)' 'now - 7 days' 'now - 4 days' -o Acquire::Max-ValidTime=1209600
-runtest 'Release file is rejected as it has' 'bad Max-Valid (bad Until)' 'now - 7 days' 'now - 4 days' -o Acquire::Max-ValidTime=86400
-runtest 'Release file is rejected as it has' 'bad Max-Valid (good Until)' 'now - 7 days' 'now + 4 days' -o Acquire::Max-ValidTime=86400
-runtest 'Release file is accepted as it has' 'good labeled Max-Valid' 'now - 7 days' 'now + 4 days' -o Acquire::Max-ValidTime=86400 -o Acquire::Max-ValidTime::Testcases=1209600
-runtest 'Release file is rejected as it has' 'bad labeled Max-Valid' 'now - 7 days' 'now + 4 days' -o Acquire::Max-ValidTime=1209600 -o Acquire::Max-ValidTime::Testcases=86400
-runtest 'Release file is accepted as it has' 'good Until (good Min-Valid, no Max-Valid)' 'now - 7 days' 'now + 1 days' -o Acquire::Min-ValidTime=1209600
-runtest 'Release file is accepted as it has' 'good Min-Valid (bad Until, no Max-Valid)' 'now - 7 days' 'now - 4 days' -o Acquire::Min-ValidTime=1209600
-runtest 'Release file is accepted as it has' 'good Min-Valid (bad Until, good Max-Valid) <' 'now - 7 days' 'now - 2 days' -o Acquire::Min-ValidTime=1209600 -o Acquire::Max-ValidTime=2419200
-runtest 'Release file is rejected as it has' 'bad Max-Valid (bad Until, good Min-Valid) >' 'now - 7 days' 'now - 2 days' -o Acquire::Max-ValidTime=12096 -o Acquire::Min-ValidTime=2419200
-runtest 'Release file is rejected as it has' 'bad Max-Valid (bad Until, bad Min-Valid) <' 'now - 7 days' 'now - 2 days' -o Acquire::Min-ValidTime=12096 -o Acquire::Max-ValidTime=241920
-runtest 'Release file is rejected as it has' 'bad Max-Valid (bad Until, bad Min-Valid) >' 'now - 7 days' 'now - 2 days' -o Acquire::Max-ValidTime=12096 -o Acquire::Min-ValidTime=241920
+runtest 'accepted' 'no Until' '' ''
+runtest 'accepted' 'no Until and good Max-Valid' '' '' -o Acquire::Max-ValidTime=3600
+runtest 'rejected' 'no Until, but bad Max-Valid' 'now - 2 days' '' -o Acquire::Max-ValidTime=3600
+runtest 'accepted' 'good Until' 'now - 3 days' 'now + 1 day'
+runtest 'rejected' 'bad Until' 'now - 7 days' 'now - 4 days'
+runtest 'rejected' 'bad Until (ignore good Max-Valid)' 'now - 7 days' 'now - 4 days' -o Acquire::Max-ValidTime=1209600
+runtest 'rejected' 'bad Max-Valid (bad Until)' 'now - 7 days' 'now - 4 days' -o Acquire::Max-ValidTime=86400
+runtest 'rejected' 'bad Max-Valid (good Until)' 'now - 7 days' 'now + 4 days' -o Acquire::Max-ValidTime=86400
+runtest 'accepted' 'good labeled Max-Valid' 'now - 7 days' 'now + 4 days' -o Acquire::Max-ValidTime=86400 -o Acquire::Max-ValidTime::Testcases=1209600
+runtest 'rejected' 'bad labeled Max-Valid' 'now - 7 days' 'now + 4 days' -o Acquire::Max-ValidTime=1209600 -o Acquire::Max-ValidTime::Testcases=86400
+runtest 'accepted' 'good Until (good Min-Valid, no Max-Valid)' 'now - 7 days' 'now + 1 days' -o Acquire::Min-ValidTime=1209600
+runtest 'accepted' 'good Min-Valid (bad Until, no Max-Valid)' 'now - 7 days' 'now - 4 days' -o Acquire::Min-ValidTime=1209600
+runtest 'accepted' 'good Min-Valid (bad Until, good Max-Valid) <' 'now - 7 days' 'now - 2 days' -o Acquire::Min-ValidTime=1209600 -o Acquire::Max-ValidTime=2419200
+runtest 'rejected' 'bad Max-Valid (bad Until, good Min-Valid) >' 'now - 7 days' 'now - 2 days' -o Acquire::Max-ValidTime=12096 -o Acquire::Min-ValidTime=2419200
+runtest 'rejected' 'bad Max-Valid (bad Until, bad Min-Valid) <' 'now - 7 days' 'now - 2 days' -o Acquire::Min-ValidTime=12096 -o Acquire::Max-ValidTime=241920
+runtest 'rejected' 'bad Max-Valid (bad Until, bad Min-Valid) >' 'now - 7 days' 'now - 2 days' -o Acquire::Max-ValidTime=12096 -o Acquire::Min-ValidTime=241920
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 363b7fe5b..469ed34d2 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -91,25 +91,9 @@ touch aptarchive/apt.deb
PKGFILE="${TESTDIR}/$(echo "$(basename $0)" | sed 's#^test-#Packages-#')"
-updatesuccess() {
- local LOG='update.log'
- if aptget update >$LOG 2>&1 || grep -q -E '^(W|E): ' $LOG; then
- msgpass
- else
- cat $LOG
- msgfail
- fi
-}
-
-updatefailure() {
- local LOG='update.log'
- aptget update >$LOG 2>&1 || true
- if grep -q -E "$1" $LOG; then
- msgpass
- else
- cat $LOG
- msgfail
- fi
+updatewithwarnings() {
+ testwarning aptget update
+ testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}
runtest() {
@@ -117,8 +101,8 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -126,8 +110,8 @@ runtest() {
prepare ${PKGFILE}-new
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Good warm archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
installaptnew
@@ -137,8 +121,8 @@ runtest() {
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Rex Expired'
- updatefailure '^W: .* KEYEXPIRED'
+ msgmsg 'Cold archive signed by' 'Rex Expired'
+ updatewithwarnings '^W: .* KEYEXPIRED'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
failaptold
@@ -148,8 +132,8 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Marvin Paranoid'
- updatefailure '^W: .* NO_PUBKEY'
+ msgmsg 'Cold archive signed by' 'Marvin Paranoid'
+ updatewithwarnings '^W: .* NO_PUBKEY'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
failaptold
@@ -162,8 +146,8 @@ runtest() {
done
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Bad warm archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
installaptnew
@@ -173,8 +157,8 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -182,8 +166,8 @@ runtest() {
prepare ${PKGFILE}-new
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Marvin Paranoid'
- updatefailure '^W: .* NO_PUBKEY'
+ msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
+ updatewithwarnings '^W: .* NO_PUBKEY'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -192,8 +176,8 @@ runtest() {
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Rex Expired'
- updatefailure '^W: .* KEYEXPIRED'
+ msgmsg 'Good warm archive signed by' 'Rex Expired'
+ updatewithwarnings '^W: .* KEYEXPIRED'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -202,8 +186,8 @@ runtest() {
prepare ${PKGFILE}-new
signreleasefiles
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Good warm archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
installaptnew
@@ -213,24 +197,24 @@ runtest2() {
prepare ${PKGFILE}
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
- msgtest 'Cold archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
# New .deb but now an unsigned archive. For example MITM to circumvent
# package verification.
prepare ${PKGFILE}-new
find aptarchive/ -name InRelease -delete
find aptarchive/ -name Release.gpg -delete
- msgtest 'Warm archive signed by' 'nobody'
- updatesuccess
+ msgmsg 'Warm archive signed by' 'nobody'
+ updatewithwarnings 'W: .* no longer signed.'
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
failaptnew
# Unsigned archive from the beginning must also be detected.
rm -rf rootdir/var/lib/apt/lists
- msgtest 'Cold archive signed by' 'nobody'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'nobody'
+ updatewithwarnings 'W: .* is not signed.'
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
failaptnew