summaryrefslogtreecommitdiff
path: root/test/integration
diff options
context:
space:
mode:
Diffstat (limited to 'test/integration')
-rwxr-xr-xtest/integration/test-apt-update-ims2
-rwxr-xr-xtest/integration/test-apt-update-nofallback19
-rwxr-xr-xtest/integration/test-apt-update-repeated-ims-hit4
-rwxr-xr-xtest/integration/test-apt-update-rollback9
-rwxr-xr-xtest/integration/test-releasefile-verification77
-rwxr-xr-xtest/integration/test-signed-by-option2
6 files changed, 69 insertions, 44 deletions
diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims
index 1894c3adf..101c2f298 100755
--- a/test/integration/test-apt-update-ims
+++ b/test/integration/test-apt-update-ims
@@ -48,7 +48,7 @@ runtest() {
# ensure that we still do a hash check for other files on ims hit of Release
if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then
- $TEST aptget update -o Debug::Acquire::gpgv=1 $APTOPT
+ $TEST aptget update -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 $APTOPT
cp rootdir/tmp/${TEST}.output goodsign.output
testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
testsuccess grep '^Got GOODSIG ' goodsign.output
diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 18f12b1e3..c9ee75756 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -198,9 +198,16 @@ test_inrelease_to_invalid_inrelease()
sed -i 's/^Codename:.*/Codename: evil!/' "$APTARCHIVE/dists/unstable/InRelease"
inject_evil_package
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+ if test -e /usr/bin/sqv; then
+ # FIXME: Do not assert sqv output
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ else
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ fi
# ensure we keep the repo
testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease
@@ -218,10 +225,16 @@ test_release_gpg_to_invalid_release_release_gpg()
# now subvert Release do no longer verify
echo "Some evil data" >> "$APTARCHIVE/dists/unstable/Release"
inject_evil_package
-
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+ if test -e /usr/bin/sqv; then
+ # FIXME: Do not assert sqv output
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated
+W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ else
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ fi
testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release
testfileequal lists.before "$(listcurrentlistsdirectory)"
diff --git a/test/integration/test-apt-update-repeated-ims-hit b/test/integration/test-apt-update-repeated-ims-hit
index 74d46b31b..43871a31f 100755
--- a/test/integration/test-apt-update-repeated-ims-hit
+++ b/test/integration/test-apt-update-repeated-ims-hit
@@ -40,7 +40,11 @@ rm -f rootdir/etc/apt/trusted.gpg.d/*
sed -i -e 's#^deb #deb [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
APTARCHIVE="$(readlink -f ./aptarchive)"
+if test -e /usr/bin/sqv; then
+GPGERROR="W: GPG error: file:$APTARCHIVE Release: The signatures couldn't be verified because no keyring is specified"
+else
GPGERROR="W: GPG error: file:$APTARCHIVE Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A90D141DBAC8DAE"
+fi
msgmsg 'Running update again does not change result' '0'
testwarningmsg "$GPGERROR" apt update
diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback
index 8235968bb..68505f6ba 100755
--- a/test/integration/test-apt-update-rollback
+++ b/test/integration/test-apt-update-rollback
@@ -156,9 +156,16 @@ test_inrelease_to_unauth_inrelease() {
signreleasefiles 'Marvin Paranoid'
- testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
+ if test -e /usr/bin/sqv; then
+ # FIXME: Do not assert sqv output
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature.
+W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature.
+W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ else
+ testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+ fi
testfileequal lists.before "$(listcurrentlistsdirectory)"
testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 1392a05d1..00c72d7d9 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -97,13 +97,20 @@ echo -n 'apt' > aptarchive/apt.deb
PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')"
updatewithwarnings() {
- testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}
foreachgpg() {
rm -f rootdir/etc/apt/apt.conf.d/00gpgvcmd
- "$@"
+ local sqv="true"
+ if [ "$1" = "--no-sqv" ]; then
+ local sqv=
+ shift
+ fi
+ if [ "$sqv" ]; then
+ "$@"
+ fi
for GPGV in "gpgv-sq" "gpgv-g10code"; do
msgmsg "Forcing $GPGV to be used"
echo "APT::Key::GPGVCommand \"$GPGV\";" > "rootdir/etc/apt/apt.conf.d/00gpgvcmd"
@@ -147,7 +154,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
- updatewithwarnings '^W: .* EXPKEYSIG'
+ updatewithwarnings '^W: .* (EXPKEYSIG|Expired)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
@@ -157,7 +164,7 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack,Marvin Paranoid'
- successfulaptgetupdate 'NO_PUBKEY'
+ successfulaptgetupdate 'NO_PUBKEY\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -167,7 +174,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack,Rex Expired'
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
- successfulaptgetupdate 'EXPKEYSIG'
+ successfulaptgetupdate 'EXPKEYSIG\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
@@ -177,7 +184,7 @@ runtest() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
@@ -202,7 +209,7 @@ runtest() {
msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
prepare "${PKGFILE}-new"
signreleasefiles 'Marvin Paranoid'
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -212,7 +219,7 @@ runtest() {
# Use a colon here to test weird filenames too
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rex:expired.gpg
signreleasefiles 'Rex Expired'
- updatewithwarnings '^W: .* EXPKEYSIG'
+ updatewithwarnings '^W: .* (EXPKEYSIG|Expired)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -230,7 +237,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
local MARVIN="$(readlink -f keys/marvinparanoid.pub)"
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid'
prepare "${PKGFILE}"
@@ -265,7 +272,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/*
- updatewithwarnings '^W: .* be verified because the public key is not available: .*'
+ updatewithwarnings '^W: .* (be verified because the public key is not available: .*|No good signature from required signer)'
msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid'
rm -rf rootdir/var/lib/apt/lists
@@ -279,7 +286,7 @@ runtest() {
msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack'
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid,Joe Sixpack'
- successfulaptgetupdate 'NoPubKey: GOODSIG'
+ successfulaptgetupdate 'NoPubKey: GOODSIG\|DE66AECA9151AFA1877EC31DE8525D47528144E2'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -324,7 +331,7 @@ Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release
sed -i "/^Valid-Until: / a\
Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
- updatewithwarnings 'W: .* public key is not available: GOODSIG'
+ updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
@@ -373,22 +380,26 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release
sed -i "/^Valid-Until: / a\
Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release
touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
- updatewithwarnings 'W: .* public key is not available: GOODSIG'
+ updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
installaptold
local SUBKEY="4281DEDBD466EAE8C1F4157E5B6896415D44C43E"
+ # This is only supported for gpgv, so require an explicit gpgv command,
+ # otherwise the default verification backend may be sqv.
+ if [ "$GPGV" ]; then
msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey'
rm -rf rootdir/var/lib/apt/lists
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists
- sed -i "/^Valid-Until: / a\
+ sed -i "/^Valid-Until: / a\
Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release
- touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
- successfulaptgetupdate
- testsuccessequal "$(cat "${PKGFILE}-new")
+ touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release
+ successfulaptgetupdate
+ testsuccessequal "$(cat "${PKGFILE}-new")
" aptcache show apt
- installaptnew
+ installaptnew
+ fi
rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg
}
@@ -419,16 +430,6 @@ runtest2() {
find aptarchive -name Release -exec sh -c "echo Hello > {}.gpg" \;
testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update
- msgmsg 'Cold archive signed by' 'Empty inline'
- rm -rf rootdir/var/lib/apt/lists
- find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \;
- testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update
-
- msgmsg 'Cold archive signed by' 'Bad inline'
- rm -rf rootdir/var/lib/apt/lists
- find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo SGVsbG8K; echo =nFa9; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \;
- testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update
-
find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete
# Unsigned archive from the beginning must also be detected.
@@ -463,7 +464,7 @@ EOF
export APT_TESTS_DIGEST_ALGO='SHA512'
successfulaptgetupdate() {
- testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
if [ -n "$1" ]; then
cp rootdir/tmp/testsuccess.output aptupdate.output
testsuccess grep "$1" aptupdate.output
@@ -472,13 +473,13 @@ successfulaptgetupdate() {
foreachgpg runtest3 'Trusted'
successfulaptgetupdate() {
- testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
if [ -n "$1" ]; then
testsuccess grep "$1" rootdir/tmp/testwarning.output
fi
testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output
}
-foreachgpg runtest3 'Weak'
+foreachgpg --no-sqv runtest3 'Weak'
msgmsg "Running test with apt-untrusted digest"
echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate
@@ -489,14 +490,14 @@ runfailure() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
- testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
- testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output
+ testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
+ testsuccess grep 'The following signatures were invalid\|MD5 is not considered secure' rootdir/tmp/testfailure.output
testnopackage 'apt'
- testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
failaptold
rm -rf rootdir/var/lib/apt/lists
sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
- testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
failaptold
sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/*
@@ -504,13 +505,13 @@ runfailure() {
prepare "${PKGFILE}"
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
- testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
+ testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1
testnopackage 'apt'
- updatewithwarnings '^W: .* NO_PUBKEY'
+ updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)'
testsuccessequal "$(cat "${PKGFILE}")
" aptcache show apt
failaptold
export APT_DONT_SIGN='Release.gpg'
done
}
-foreachgpg runfailure
+foreachgpg --no-sqv runfailure
diff --git a/test/integration/test-signed-by-option b/test/integration/test-signed-by-option
index 8e1e9a8c2..e6a3fbb86 100755
--- a/test/integration/test-signed-by-option
+++ b/test/integration/test-signed-by-option
@@ -66,7 +66,7 @@ xSigned-By:
-----END PGP PUBLIC KEY BLOCK-----
EOF
testfailure apt update -o Debug::Acquire::gpgv=1
-testsuccess grep "NO_PUBKEY 5A90D141DBAC8DAE" rootdir/tmp/testfailure.output
+testsuccess grep -E "(NO_PUBKEY 5A90D141DBAC8DAE|no keyring is specified)" rootdir/tmp/testfailure.output
sed -i s/^xSigned-By/Signed-By/ rootdir/etc/apt/sources.list.d/deb822.sources
testsuccess apt update -o Debug::Acquire::gpgv=1
# make sure we did not leave leftover files (LP: #1995247)