From a00fbbdb28cc31e78882301c2efe7218583ab4cb Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Thu, 19 Dec 2024 22:11:04 +0100 Subject: Use sq in the test suite, remove apt-key Remove the test case for MD5 and expired signatures, as we can't create them (can't set signing digest, and can't set signature expiry). Tests for them have been added to test-method-gpgv instead. We override sq in a function with cert-store and key-store set to none. This supports both sq 0.40 and sq 1.0. --- test/integration/framework | 94 +++++++--------------- test/integration/run-tests | 10 --- .../integration/test-bug-733028-gpg-resource-limit | 1 - .../test-bug-921685-binary-detached-signature | 7 +- test/integration/test-method-gpgv | 52 ++++++++++++ test/integration/test-method-gpgv-legacy-keyring | 14 ++-- test/integration/test-releasefile-verification | 36 ++------- .../test-releasefile-verification-noflat | 2 +- 8 files changed, 100 insertions(+), 116 deletions(-) (limited to 'test/integration') diff --git a/test/integration/framework b/test/integration/framework index a93168278..bae14e984 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -199,7 +199,6 @@ aptcache() { runapt apt-cache "$@"; } aptcdrom() { runapt apt-cdrom "$@"; } aptget() { runapt apt-get "$@"; } aptftparchive() { runapt "${APTFTPARCHIVEBINDIR}/apt-ftparchive" "$@"; } -aptkey() { runapt "${APTTESTHELPERSBINDIR}/apt-key" "$@"; } aptmark() { runapt apt-mark "$@"; } aptsortpkgs() { runapt apt-sortpkgs "$@"; } apt() { runapt apt "$@"; } @@ -210,6 +209,7 @@ aptextracttemplates() { runapt apt-extracttemplates "$@"; } aptinternalsolver() { runapt "${APTINTERNALSOLVER}" "$@"; } aptdumpsolver() { runapt "${APTDUMPSOLVER}" "$@"; } aptinternalplanner() { runapt "${APTINTERNALPLANNER}" "$@"; } +sq() { command sq --key-store=none --cert-store=none "$@"; } dpkg() { "${TMPWORKINGDIRECTORY}/rootdir/usr/bin/dpkg" "$@" @@ -587,11 +587,6 @@ EOF echo 'DPkg::Path "";' >> aptconfig.conf echo 'Dir::Bin::ischroot "/bin/false";' >> aptconfig.conf - # If gpgv supports --weak-digest, pass it to make sure we can disable SHA1 - if aptkey verify --weak-digest SHA1 --help 2>/dev/null >/dev/null; then - echo 'Acquire::gpgv::Options { "--weak-digest"; "sha1"; };' > rootdir/etc/apt/apt.conf.d/no-sha1 - fi - # most tests just need one signed Release file, not both export APT_DONT_SIGN='Release.gpg' @@ -881,9 +876,8 @@ buildsimplenativepackage() { | while read SRC; do echo "pool/${SRC}" >> "${BUILDDIR}/../${RELEASE}.${DISTSECTION}.srclist" # if expr match "${SRC}" '.*\.dsc' >/dev/null 2>&1; then -# aptkey --keyring ./keys/joesixpack.pub --secret-keyring ./keys/joesixpack.sec --quiet --readonly \ -# adv --yes --default-key 'Joe Sixpack' \ -# --clearsign -o "${BUILDDIR}/../${SRC}.sign" "${BUILDDIR}/../$SRC" +# sq sign --signer-file ./keys/joesixpack.sec +# -o "${BUILDDIR}/../${SRC}.sign" --cleartext "${BUILDDIR}/../$SRC" # mv "${BUILDDIR}/../${SRC}.sign" "${BUILDDIR}/../$SRC" # fi done @@ -1301,22 +1295,7 @@ killgpgagent() { GNUPGHOME="${GPGHOME}" gpgconf --kill gpg-agent >/dev/null 2>&1 || true rm -rf "$GPGHOME" } -dosigning() { - local KEY="$1" - shift - local GPGHOME="${TMPWORKINGDIRECTORY}/signinghome" - if [ -n "$APT_TEST_SIGNINGHOME" ]; then - GPGHOME="$APT_TEST_SIGNINGHOME" - else - if [ ! -e "$GPGHOME" ]; then - mkdir -p --mode=700 "${GPGHOME}" - addtrap 'prefix' 'killgpgagent;' - fi - fi - testsuccess aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly \ - --homedir "${GPGHOME}" adv --batch --yes --digest-algo "${APT_TESTS_DIGEST_ALGO:-SHA512}" \ - "$@" -} + signreleasefiles() { local SIGNERS="${1:-Joe Sixpack}" local REPODIR="${2:-aptarchive}" @@ -1348,20 +1327,22 @@ signreleasefiles() { cp "$SECUNEXPIRED" "${REXKEY}.sec" cp "$PUBUNEXPIRED" "${REXKEY}.pub" else - if ! printf "expire\n1w\nsave\n" | aptkey --quiet --keyring "${REXKEY}.pub" --secret-keyring "${REXKEY}.sec" \ - --readonly adv --batch --yes --digest-algo "${APT_TESTS_DIGEST_ALGO:-SHA512}" \ - --default-key "$SIGNER" --command-fd 0 --edit-key "${SIGNER}" >setexpire.gpg 2>&1; then - cat setexpire.gpg - exit 1 - fi - cp "${REXKEY}.sec" "$SECUNEXPIRED" - cp "${REXKEY}.pub" "$PUBUNEXPIRED" + chronic sq key expire --expiration 1w --cert-file "${REXKEY}.sec" --output "$SECUNEXPIRED" + chronic sq key subkey expire --expiration 1w --policy-as-of 2020-01-01 --cert-file "$SECUNEXPIRED" --output "$SECUNEXPIRED" --overwrite --key B3C9747B5FFD84E5585C3055DB4B332DD8DA0F4F + chronic sq key delete --cert-file "${SECUNEXPIRED}" --output "$PUBUNEXPIRED" + cp "${SECUNEXPIRED}" "${REXKEY}.sec" + cp "${PUBUNEXPIRED}" "${REXKEY}.pub" fi fi if [ ! -e "${KEY}.pub" ]; then local K="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | tr -d ' ,')" - cat "${K}.pub" >> "${KEY}.new.pub" - cat "${K}.sec" >> "${KEY}.new.sec" + if [ ! -e "${KEY}.new.pub" ]; then + cp "${K}.pub" "${KEY}.new.pub" + cp "${K}.sec" "${KEY}.new.sec" + else + chronic sq keyring merge "${KEY}.new.pub" "${K}.pub" --output "${KEY}.new.pub" --overwrite + chronic sq keyring merge "${KEY}.new.sec" "${K}.sec" --output "${KEY}.new.sec" --overwrite + fi fi done if [ ! -e "${KEY}.pub" ]; then @@ -1374,14 +1355,18 @@ signreleasefiles() { if [ "$APT_DONT_SIGN" = 'Release.gpg' ]; then rm -f "${RELEASE}.gpg" else - dosigning "$KEY" "$@" $SIGUSERS --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}" + if command sq --cli-version 0.40 version 2>/dev/null; then + sq sign $time --signer-file "$KEY.sec" "$@" --overwrite --output "${RELEASE}.gpg" --signature-file "${RELEASE}" + else + sq sign $time --signer-file "$KEY.sec" "$@" --overwrite --signature-file "${RELEASE}.gpg" "${RELEASE}" + fi touch -d "$DATE" "${RELEASE}.gpg" fi local INRELEASE="${RELEASE%/*}/InRelease" if [ "$APT_DONT_SIGN" = 'InRelease' ]; then rm -f "$INRELEASE" else - dosigning "$KEY" "$@" $SIGUSERS --clearsign --output "$INRELEASE" "$RELEASE" + sq sign $time --signer-file "$KEY.sec" "$@" --overwrite --output "${INRELEASE}" --cleartext "${RELEASE}" touch -d "$DATE" "${INRELEASE}" fi done @@ -2024,27 +2009,14 @@ testfailure() { else local EXITCODE=$? if expr match "$1" '^apt.*' >/dev/null; then - if [ "$1" = 'aptkey' ]; then - if grep -q " Can't check signature: - BAD signature from - signature could not be verified" "$OUTPUT"; then - msgpass - elif [ -e "$OUTPUT" -a ! -s "$OUTPUT" ]; then - msgwarn "apt-key failed without output, this is normal for gpgv-sq (see sequoia-chameleon-gnupg#88)" - msgpass - else - msgfailoutput "run failed with exitcode ${EXITCODE}, but no signature error" "$OUTPUT" "$@" - fi + if grep -q -E ' runtime error: ' "$OUTPUT"; then + msgfailoutput 'compiler detected undefined behavior' "$OUTPUT" "$@" + elif grep -q -E '==ERROR' "$OUTPUT"; then + msgfailoutput 'compiler sanitizers reported errors' "$OUTPUT" "$@" + elif ! grep -q -E '^E: ' "$OUTPUT"; then + msgfailoutput "run failed with exitcode ${EXITCODE}, but with no errors" "$OUTPUT" "$@" else - if grep -q -E ' runtime error: ' "$OUTPUT"; then - msgfailoutput 'compiler detected undefined behavior' "$OUTPUT" "$@" - elif grep -q -E '==ERROR' "$OUTPUT"; then - msgfailoutput 'compiler sanitizers reported errors' "$OUTPUT" "$@" - elif ! grep -q -E '^E: ' "$OUTPUT"; then - msgfailoutput "run failed with exitcode ${EXITCODE}, but with no errors" "$OUTPUT" "$@" - else - msgpass - fi + msgpass fi else msgpass @@ -2182,14 +2154,6 @@ mapkeynametokeyid() { shift done } -testaptkeys() { - local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/aptkeylist.output" - if ! aptkey list --with-colon 2>/dev/null | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then - echo -n > "$OUTPUT" - fi - testfileequal "$OUTPUT" "$(mapkeynametokeyid "$@")" -} - pause() { echo "STOPPED execution. Press enter to continue" local IGNORE diff --git a/test/integration/run-tests b/test/integration/run-tests index 331adfcfa..24d0cc00f 100755 --- a/test/integration/run-tests +++ b/test/integration/run-tests @@ -156,16 +156,6 @@ if [ -n "$APT_TEST_JOBS" ]; then exit $((FAIL <= 255 ? FAIL : 255)) fi -APT_TEST_SIGNINGHOME="$(mktemp --directory --tmpdir 'apt-key-signinghome.XXXXXXXXXX')" -removesigninghome() { - if [ -z "$APT_TEST_SIGNINGHOME" ]; then return; fi - GNUPGHOME="${APT_TEST_SIGNINGHOME}" gpgconf --kill gpg-agent >/dev/null 2>&1 || true - rm -rf -- "$APT_TEST_SIGNINGHOME" -} -trap "exit 1" 0 HUP INT ILL ABRT FPE SEGV PIPE TERM -trap "removesigninghome" 0 QUIT -export APT_TEST_SIGNINGHOME - TOTAL="$(echo "$TESTLIST" | wc -l)" if [ "$MSGLEVEL" -le 1 ]; then printf "${CTEST}Running testcases${CRESET}: " diff --git a/test/integration/test-bug-733028-gpg-resource-limit b/test/integration/test-bug-733028-gpg-resource-limit index b44facda3..2fc5ed3ee 100755 --- a/test/integration/test-bug-733028-gpg-resource-limit +++ b/test/integration/test-bug-733028-gpg-resource-limit @@ -13,7 +13,6 @@ setupaptarchive --no-update for i in $(seq 1 50); do touch rootdir/etc/apt/trusted.gpg.d/emptykey-${i}.gpg done -testaptkeys 'Joe Sixpack' testsuccess aptget update msgtest 'Test for no gpg errors/warnings in' 'apt-get update' diff --git a/test/integration/test-bug-921685-binary-detached-signature b/test/integration/test-bug-921685-binary-detached-signature index df863197a..e9bbb809b 100755 --- a/test/integration/test-bug-921685-binary-detached-signature +++ b/test/integration/test-bug-921685-binary-detached-signature @@ -13,10 +13,13 @@ setupdistsaptarchive for RELEASE in $(find aptarchive -name 'Release'); do # note the missing --armor - dosigning "keys/joesixpack" --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}" + if command sq --cli-version 0.40 version 2>/dev/null; then + sq sign --binary --signer-file "keys/joesixpack.sec" --output "${RELEASE}.gpg" --signature-file "${RELEASE}" + else + sq sign --binary --signer-file "keys/joesixpack.sec" --signature-file "${RELEASE}.gpg" "${RELEASE}" + fi done testfailure apt show foo testfailure aptget update -testsuccess grep 'W: .* Detached signature file .* is in unsupported binary format' rootdir/tmp/testfailure.output testfailure apt show foo diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv index 5ce685c8b..7d0d867fe 100755 --- a/test/integration/test-method-gpgv +++ b/test/integration/test-method-gpgv @@ -38,61 +38,113 @@ testgpgv() { testrun() { testgpgv 'Good signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Good signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Good signed with long keyid and asserted' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Good signed with fingerprint and asserted' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Not asserted in the next level' 'SoonWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 brainpoolP256r1' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Not asserted in the future level' 'LaterWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 nistp256' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testsuccess grep '^201 URI Done$' method.output testgpgv 'Untrusted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testsuccess grep '^400 URI Failure$' method.output testsuccess grep '^\s\+Good:\s\+$' method.output testgpgv 'Untrusted signed with fingerprint' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output testgpgv 'Unasserted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024' testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output testgpgv 'Unaserted signed with fingerprint' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024' testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output testgpgv 'Weak signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 2 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (SHA1)$' method.output + testsuccess grep '^201 URI Done$' method.output testgpgv 'Weak signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 2 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (SHA1)$' method.output + testsuccess grep '^201 URI Done$' method.output testgpgv 'No Pubkey with long keyid' 'NoPubKey: NO_PUBKEY E8525D47528144E2' '' '[GNUPG:] ERRSIG E8525D47528144E2 1 11 00 1472744666 9 [GNUPG:] NO_PUBKEY E8525D47528144E2' + testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output + testsuccess grep 'Message: .*public key is not available' method.output testgpgv 'No Pubkey with fingerprint' 'NoPubKey: NO_PUBKEY DE66AECA9151AFA1877EC31DE8525D47528144E2' '' '[GNUPG:] ERRSIG DE66AECA9151AFA1877EC31DE8525D47528144E2 1 11 00 1472744666 9 [GNUPG:] NO_PUBKEY DE66AECA9151AFA1877EC31DE8525D47528144E2' + testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output + testsuccess grep 'Message: .*public key is not available' method.output testgpgv 'Expired key with long keyid' 'Worthless: EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired , ' '' '[GNUPG:] EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742629 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9' + testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output + testsuccess grep 'Message: The following signatures were invalid: EXPKEYSIG' method.output testgpgv 'Expired key with fingerprint' 'Worthless: EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired , ' '' '[GNUPG:] EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742629 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9' + testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output + testsuccess grep 'Message: The following signatures were invalid: EXPKEYSIG' method.output + + testgpgv 'Expired signature (gpgv-g10code)' 'Worthless: EXPSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) , ' '' '[GNUPG:] NEWSIG joe@example.org +[GNUPG:] KEY_CONSIDERED 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 +[GNUPG:] SIG_ID pwbegSQxpqXn4lSZ1N4DLwyM4rc 2016-09-24 1474732092 +[GNUPG:] KEY_CONSIDERED 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 +[GNUPG:] EXPSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-24 1474732092 1491040800 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output + testsuccess grep 'Message: The following signatures were invalid: EXPSIG' method.output + + testgpgv 'Expired signature (gpgv-sq)' 'Bad: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) ' '' '[GNUPG:] NEWSIG joe@example.org +[GNUPG:] KEY_CONSIDERED 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 +[GNUPG:] KEYEXPIRED 1491040800 +[GNUPG:] BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) +' + testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output + testsuccess grep 'Message: The following signatures were invalid: BADSIG' method.output + + testgpgv 'GPG-untrusted digest (MD5)' 'Worthless: ERRSIG 5A90D141DBAC8DAE, ' '' '[GNUPG:] NEWSIG joe@example.org +[GNUPG:] KEY_CONSIDERED 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 +[GNUPG:] ERRSIG 5A90D141DBAC8DAE 1 1 00 1734647007 5 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^400 URI Failure$' method.output + testsuccess grep 'Message: The following signatures were invalid: ERRSIG' method.output } echo 'Test' > message.data diff --git a/test/integration/test-method-gpgv-legacy-keyring b/test/integration/test-method-gpgv-legacy-keyring index 8afa5671b..cc7ddf097 100755 --- a/test/integration/test-method-gpgv-legacy-keyring +++ b/test/integration/test-method-gpgv-legacy-keyring @@ -12,8 +12,10 @@ insertpackage 'unstable' 'foo' 'all' '1' buildaptarchive setupaptarchive --no-update -testsuccessequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B] -Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B] +alias inrelease_size="stat -c %s aptarchive/dists/unstable/InRelease" + +testsuccessequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B] +Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B] Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main all Packages [246 B] Get:3 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main Translation-en [224 B] Reading package lists..." aptget update -q @@ -21,15 +23,15 @@ Reading package lists..." aptget update -q cat rootdir/etc/apt/trusted.gpg.d/*.gpg > rootdir/etc/apt/trusted.gpg rm rootdir/etc/apt/trusted.gpg.d/*.gpg -testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B] -Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B] +testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B] +Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B] Reading package lists... W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q # 2.4.0 regression: If the InRelease file was signed with two keys, fallback to trusted.gpg did not # work: It ran the fallback, but then ignored the result, as keys were still missing. signreleasefiles 'Joe Sixpack,Marvin Paranoid' -testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1867 B] -Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1867 B] +testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B] +Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B] Reading package lists... W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q -omsg=with-two-signatures diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 171792a10..1392a05d1 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -153,28 +153,6 @@ runtest() { failaptold rm -f rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg - msgmsg 'Cold archive expired signed by' 'Joe Sixpack' - if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then - touch rootdir/etc/apt/apt.conf.d/99gnupg2 - elif gpg2 --version >/dev/null 2>&1; then - echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2 - if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then - rm rootdir/etc/apt/apt.conf.d/99gnupg2 - fi - fi - if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then - prepare "${PKGFILE}" - rm -rf rootdir/var/lib/apt/lists - signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20160924T154812" --default-sig-expire 2017-04-01 - updatewithwarnings '^W: .* (BADSIG|EXPSIG)' - testsuccessequal "$(cat "${PKGFILE}") -" aptcache show apt - failaptold - rm -f rootdir/etc/apt/apt.conf.d/99gnupg2 - else - msgskip 'Not a new enough gpg available providing --fake-system-time' - fi - msgmsg 'Cold archive signed by' 'Joe Sixpack,Marvin Paranoid' prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists @@ -282,7 +260,7 @@ runtest() { installaptold sed -i "s# \[signed-by=[^]]\+\] # #" rootdir/etc/apt/sources.list.d/* - local MARVIN="$(aptkey --keyring $MARVIN finger --with-colons | grep '^fpr' | cut -d':' -f 10)" + local MARVIN="DE66AECA9151AFA1877EC31DE8525D47528144E2" msgmsg 'Cold archive signed by bad keyid' 'Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' @@ -306,7 +284,7 @@ runtest() { " aptcache show apt installaptold - local SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger --with-colons | grep '^fpr' | cut -d':' -f 10)" + local SIXPACK="34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE" msgmsg 'Cold archive signed by good keyids' 'Joe Sixpack' rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' @@ -376,7 +354,7 @@ Signed-By: ${MARVIN} ${MARVIN}, \\ installaptnew cp -a keys/sebastiansubkey.pub rootdir/etc/apt/trusted.gpg.d/sebastiansubkey.gpg - local SEBASTIAN="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 1 '^fpr' | cut -d':' -f 10)" + local SEBASTIAN="648E6A33FDE5CB5BA2D896A3CA3E1DFF1E6BE149" msgmsg 'Warm archive with subkey signing' 'Sebastian Subkey' rm -rf rootdir/var/lib/apt/lists cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists @@ -400,7 +378,7 @@ Signed-By: ${SEBASTIAN}!" rootdir/var/lib/apt/lists/*Release " aptcache show apt installaptold - local SUBKEY="$(aptkey --keyring keys/sebastiansubkey.pub finger --with-colons | grep -m 2 '^fpr' | tail -n -1 | cut -d':' -f 10)" + local SUBKEY="4281DEDBD466EAE8C1F4157E5B6896415D44C43E" msgmsg 'Warm archive with correct exact subkey signing' 'Sebastian Subkey' rm -rf rootdir/var/lib/apt/lists cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists @@ -482,7 +460,7 @@ Acquire::AllowInsecureRepositories "1"; Acquire::AllowDowngradeToInsecureRepositories "1"; EOF # the hash marked as configurable in our gpgv method -export APT_TESTS_DIGEST_ALGO='SHA224' +export APT_TESTS_DIGEST_ALGO='SHA512' successfulaptgetupdate() { testsuccess aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 @@ -536,7 +514,3 @@ runfailure() { done } foreachgpg runfailure - -msgmsg "Running test with gpgv-untrusted digest" -export APT_TESTS_DIGEST_ALGO='MD5' -foreachgpg runfailure diff --git a/test/integration/test-releasefile-verification-noflat b/test/integration/test-releasefile-verification-noflat index 3953c6492..d1b1d845f 100755 --- a/test/integration/test-releasefile-verification-noflat +++ b/test/integration/test-releasefile-verification-noflat @@ -12,7 +12,7 @@ insertpackage 'unstable' 'foo' 'i386' '1.0' setupaptarchive "now" "now + 1 year" changetowebserver -SIXPACK="$(aptkey --keyring keys/joesixpack.pub finger | grep 'Key fingerprint' | cut -d'=' -f 2 | tr -d ' ')" +SIXPACK="34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE" testsuccess aptget update -- cgit v1.2.3-70-g09d2