diff options
Diffstat (limited to 'test/integration')
| -rwxr-xr-x | test/integration/test-apt-update-ims | 2 | ||||
| -rwxr-xr-x | test/integration/test-apt-update-nofallback | 19 | ||||
| -rwxr-xr-x | test/integration/test-apt-update-repeated-ims-hit | 4 | ||||
| -rwxr-xr-x | test/integration/test-apt-update-rollback | 9 | ||||
| -rwxr-xr-x | test/integration/test-releasefile-verification | 77 | ||||
| -rwxr-xr-x | test/integration/test-signed-by-option | 2 |
6 files changed, 69 insertions, 44 deletions
diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index 1894c3adf..101c2f298 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -48,7 +48,7 @@ runtest() { # ensure that we still do a hash check for other files on ims hit of Release if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then - $TEST aptget update -o Debug::Acquire::gpgv=1 $APTOPT + $TEST aptget update -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 $APTOPT cp rootdir/tmp/${TEST}.output goodsign.output testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" testsuccess grep '^Got GOODSIG ' goodsign.output diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index 18f12b1e3..c9ee75756 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -198,9 +198,16 @@ test_inrelease_to_invalid_inrelease() sed -i 's/^Codename:.*/Codename: evil!/' "$APTARCHIVE/dists/unstable/InRelease" inject_evil_package - testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + if test -e /usr/bin/sqv; then + # FIXME: Do not assert sqv output + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + else + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + fi # ensure we keep the repo testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease @@ -218,10 +225,16 @@ test_release_gpg_to_invalid_release_release_gpg() # now subvert Release do no longer verify echo "Some evil data" >> "$APTARCHIVE/dists/unstable/Release" inject_evil_package - - testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + if test -e /usr/bin/sqv; then + # FIXME: Do not assert sqv output + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature: Message has been manipulated +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + else + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + fi testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release testfileequal lists.before "$(listcurrentlistsdirectory)" diff --git a/test/integration/test-apt-update-repeated-ims-hit b/test/integration/test-apt-update-repeated-ims-hit index 74d46b31b..43871a31f 100755 --- a/test/integration/test-apt-update-repeated-ims-hit +++ b/test/integration/test-apt-update-repeated-ims-hit @@ -40,7 +40,11 @@ rm -f rootdir/etc/apt/trusted.gpg.d/* sed -i -e 's#^deb #deb [trusted=yes] #' rootdir/etc/apt/sources.list.d/* APTARCHIVE="$(readlink -f ./aptarchive)" +if test -e /usr/bin/sqv; then +GPGERROR="W: GPG error: file:$APTARCHIVE Release: The signatures couldn't be verified because no keyring is specified" +else GPGERROR="W: GPG error: file:$APTARCHIVE Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A90D141DBAC8DAE" +fi msgmsg 'Running update again does not change result' '0' testwarningmsg "$GPGERROR" apt update diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index 8235968bb..68505f6ba 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -156,9 +156,16 @@ test_inrelease_to_unauth_inrelease() { signreleasefiles 'Marvin Paranoid' - testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 + if test -e /usr/bin/sqv; then + # FIXME: Do not assert sqv output + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature. +W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key DE66AECA9151AFA1877EC31DE8525D47528144E2, which is needed to verify signature. +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + else + testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + fi testfileequal lists.before "$(listcurrentlistsdirectory)" testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease' diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 1392a05d1..00c72d7d9 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -97,13 +97,20 @@ echo -n 'apt' > aptarchive/apt.deb PKGFILE="${TESTDIR}/$(echo "$(basename "$0")" | sed 's#^test-#Packages-#')" updatewithwarnings() { - testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 testsuccess grep -E "$1" rootdir/tmp/testwarning.output } foreachgpg() { rm -f rootdir/etc/apt/apt.conf.d/00gpgvcmd - "$@" + local sqv="true" + if [ "$1" = "--no-sqv" ]; then + local sqv= + shift + fi + if [ "$sqv" ]; then + "$@" + fi for GPGV in "gpgv-sq" "gpgv-g10code"; do msgmsg "Forcing $GPGV to be used" echo "APT::Key::GPGVCommand \"$GPGV\";" > "rootdir/etc/apt/apt.conf.d/00gpgvcmd" @@ -147,7 +154,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg signreleasefiles 'Rex Expired' - updatewithwarnings '^W: .* EXPKEYSIG' + updatewithwarnings '^W: .* (EXPKEYSIG|Expired)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold @@ -157,7 +164,7 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack,Marvin Paranoid' - successfulaptgetupdate 'NO_PUBKEY' + successfulaptgetupdate 'NO_PUBKEY\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -167,7 +174,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack,Rex Expired' cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg - successfulaptgetupdate 'EXPKEYSIG' + successfulaptgetupdate 'EXPKEYSIG\|GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt @@ -177,7 +184,7 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold @@ -202,7 +209,7 @@ runtest() { msgmsg 'Good warm archive signed by' 'Marvin Paranoid' prepare "${PKGFILE}-new" signreleasefiles 'Marvin Paranoid' - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -212,7 +219,7 @@ runtest() { # Use a colon here to test weird filenames too cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rex:expired.gpg signreleasefiles 'Rex Expired' - updatewithwarnings '^W: .* EXPKEYSIG' + updatewithwarnings '^W: .* (EXPKEYSIG|Expired)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -230,7 +237,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists local MARVIN="$(readlink -f keys/marvinparanoid.pub)" sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' msgmsg 'Cold archive signed by good keyring' 'Marvin Paranoid' prepare "${PKGFILE}" @@ -265,7 +272,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' sed -i "s#^\(deb\(-src\)\?\) #\1 [signed-by=$MARVIN] #" rootdir/etc/apt/sources.list.d/* - updatewithwarnings '^W: .* be verified because the public key is not available: .*' + updatewithwarnings '^W: .* (be verified because the public key is not available: .*|No good signature from required signer)' msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid' rm -rf rootdir/var/lib/apt/lists @@ -279,7 +286,7 @@ runtest() { msgmsg 'Cold archive signed by good keyid' 'Marvin Paranoid,Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid,Joe Sixpack' - successfulaptgetupdate 'NoPubKey: GOODSIG' + successfulaptgetupdate 'NoPubKey: GOODSIG\|DE66AECA9151AFA1877EC31DE8525D47528144E2' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -324,7 +331,7 @@ Signed-By: ${SIXPACK}" rootdir/var/lib/apt/lists/*Release sed -i "/^Valid-Until: / a\ Signed-By: ${MARVIN}" rootdir/var/lib/apt/lists/*Release touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release - updatewithwarnings 'W: .* public key is not available: GOODSIG' + updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold @@ -373,22 +380,26 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release sed -i "/^Valid-Until: / a\ Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release - updatewithwarnings 'W: .* public key is not available: GOODSIG' + updatewithwarnings 'W: .* (public key is not available: GOODSIG|No good signature from required signer:)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt installaptold local SUBKEY="4281DEDBD466EAE8C1F4157E5B6896415D44C43E" + # This is only supported for gpgv, so require an explicit gpgv command, + # otherwise the default verification backend may be sqv. + if [ "$GPGV" ]; then msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey' rm -rf rootdir/var/lib/apt/lists cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists - sed -i "/^Valid-Until: / a\ + sed -i "/^Valid-Until: / a\ Signed-By: ${SUBKEY}!" rootdir/var/lib/apt/lists/*Release - touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release - successfulaptgetupdate - testsuccessequal "$(cat "${PKGFILE}-new") + touch -d 'now - 1 year' rootdir/var/lib/apt/lists/*Release + successfulaptgetupdate + testsuccessequal "$(cat "${PKGFILE}-new") " aptcache show apt - installaptnew + installaptnew + fi rm -f rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg } @@ -419,16 +430,6 @@ runtest2() { find aptarchive -name Release -exec sh -c "echo Hello > {}.gpg" \; testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update - msgmsg 'Cold archive signed by' 'Empty inline' - rm -rf rootdir/var/lib/apt/lists - find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \; - testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update - - msgmsg 'Cold archive signed by' 'Bad inline' - rm -rf rootdir/var/lib/apt/lists - find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo SGVsbG8K; echo =nFa9; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \; - testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update - find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete # Unsigned archive from the beginning must also be detected. @@ -463,7 +464,7 @@ EOF export APT_TESTS_DIGEST_ALGO='SHA512' successfulaptgetupdate() { - testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 if [ -n "$1" ]; then cp rootdir/tmp/testsuccess.output aptupdate.output testsuccess grep "$1" aptupdate.output @@ -472,13 +473,13 @@ successfulaptgetupdate() { foreachgpg runtest3 'Trusted' successfulaptgetupdate() { - testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 if [ -n "$1" ]; then testsuccess grep "$1" rootdir/tmp/testwarning.output fi testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output } -foreachgpg runtest3 'Weak' +foreachgpg --no-sqv runtest3 'Weak' msgmsg "Running test with apt-untrusted digest" echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate @@ -489,14 +490,14 @@ runfailure() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' - testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 - testsuccess grep 'The following signatures were invalid' rootdir/tmp/testfailure.output + testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 + testsuccess grep 'The following signatures were invalid\|MD5 is not considered secure' rootdir/tmp/testfailure.output testnopackage 'apt' - testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update --allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 failaptold rm -rf rootdir/var/lib/apt/lists sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/* - testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testwarning aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 failaptold sed -i 's#^deb\(-src\)\? \[allow-insecure=yes\] #deb\1 #' rootdir/etc/apt/sources.list.d/* @@ -504,13 +505,13 @@ runfailure() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Marvin Paranoid' - testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 + testfailure aptget update --no-allow-insecure-repositories -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 -o Debug::Acquire::sqv=1 testnopackage 'apt' - updatewithwarnings '^W: .* NO_PUBKEY' + updatewithwarnings '^W: .* (NO_PUBKEY|Missing key)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold export APT_DONT_SIGN='Release.gpg' done } -foreachgpg runfailure +foreachgpg --no-sqv runfailure diff --git a/test/integration/test-signed-by-option b/test/integration/test-signed-by-option index 8e1e9a8c2..e6a3fbb86 100755 --- a/test/integration/test-signed-by-option +++ b/test/integration/test-signed-by-option @@ -66,7 +66,7 @@ xSigned-By: -----END PGP PUBLIC KEY BLOCK----- EOF testfailure apt update -o Debug::Acquire::gpgv=1 -testsuccess grep "NO_PUBKEY 5A90D141DBAC8DAE" rootdir/tmp/testfailure.output +testsuccess grep -E "(NO_PUBKEY 5A90D141DBAC8DAE|no keyring is specified)" rootdir/tmp/testfailure.output sed -i s/^xSigned-By/Signed-By/ rootdir/etc/apt/sources.list.d/deb822.sources testsuccess apt update -o Debug::Acquire::gpgv=1 # make sure we did not leave leftover files (LP: #1995247) |
