From 27012a496a9da78f26e9e412a7118dbe00e5c1ec Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Thu, 21 Nov 2024 18:49:28 +0100 Subject: test-releasefile-verification: Fix signature time The key was only generated in 2010 and only bound in 2016, so we cannot have signatures from before then, so update the key accordingly, and change the default expiry to 2017. --- test/integration/test-releasefile-verification | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 810427620..c2e856d54 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -155,7 +155,7 @@ runtest() { if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists - signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01 + signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20160924T154812" --default-sig-expire 2017-04-01 updatewithwarnings '^W: .* EXPSIG' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt -- cgit v1.2.3-70-g09d2 From 222301d7a36a09db80a8832cd16db41f7946a9ea Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Thu, 21 Nov 2024 18:51:10 +0100 Subject: Accept BADSIG instead of EXPSIG for expired signatures Sequioa emits KEYEXPIRED + BADSIG instead of EXPSIG + VALIDSIG --- test/integration/test-releasefile-verification | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index c2e856d54..6b1f7d364 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -156,7 +156,7 @@ runtest() { prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20160924T154812" --default-sig-expire 2017-04-01 - updatewithwarnings '^W: .* EXPSIG' + updatewithwarnings '^W: .* (BADSIG|EXPSIG)' testsuccessequal "$(cat "${PKGFILE}") " aptcache show apt failaptold -- cgit v1.2.3-70-g09d2 From d2e34a441bad904798bf62fb850d4fb5b1b90656 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Thu, 21 Nov 2024 20:01:57 +0100 Subject: test-releasefile-verification: Test empty/invalid signatures --- test/integration/test-releasefile-verification | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'test/integration') diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 6b1f7d364..fcd5d987c 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -420,6 +420,28 @@ runtest2() { " aptcache show apt failaptnew + msgmsg 'Cold archive signed by' 'Empty signature' + rm -rf rootdir/var/lib/apt/lists + find aptarchive -name Release -exec touch {}.gpg \; + testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update -o Debug::gpgv=1 + + msgmsg 'Cold archive signed by' 'Unknown format signature' + rm -rf rootdir/var/lib/apt/lists + find aptarchive -name Release -exec sh -c "echo Hello > {}.gpg" \; + testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} Release: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update + + msgmsg 'Cold archive signed by' 'Empty inline' + rm -rf rootdir/var/lib/apt/lists + find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \; + testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update + + msgmsg 'Cold archive signed by' 'Bad inline' + rm -rf rootdir/var/lib/apt/lists + find aptarchive -name Release -exec sh -c '( echo -----BEGIN PGP SIGNED MESSAGE-----; echo Hash: SHA512; echo; cat {} ; echo; echo -----BEGIN PGP SIGNATURE-----; echo ; echo SGVsbG8K; echo =nFa9; echo -----END PGP SIGNATURE----- ) > $(dirname {})/In$(basename {})' \; + testfailuremsg "E: GPG error: http://localhost:${APTHTTPPORT} InRelease: Signed file isn't valid, got 'NODATA' (does the network require authentication?)" aptget update + + find aptarchive/ \( -name InRelease -o -name Release.gpg \) -delete + # Unsigned archive from the beginning must also be detected. msgmsg 'Cold archive signed by' 'nobody' rm -rf rootdir/var/lib/apt/lists -- cgit v1.2.3-70-g09d2 From de3f663d823f9c185514af69296d011e22161479 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Thu, 21 Nov 2024 20:10:47 +0100 Subject: test: Accept empty output from gpgv/apt-key Our internal code always generates ENODATA for empty output and this is checked by the previous commit, so this is entirely safe. --- test/integration/framework | 3 +++ 1 file changed, 3 insertions(+) (limited to 'test/integration') diff --git a/test/integration/framework b/test/integration/framework index 10cae70a5..ad87d17c7 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -2029,6 +2029,9 @@ testfailure() { BAD signature from signature could not be verified" "$OUTPUT"; then msgpass + elif [ -e "$OUTPUT" -a ! -s "$OUTPUT" ]; then + msgwarn "apt-key failed without output, this is normal for gpgv-sq (see sequoia-chameleon-gnupg#88)" + msgpass else msgfailoutput "run failed with exitcode ${EXITCODE}, but no signature error" "$OUTPUT" "$@" fi -- cgit v1.2.3-70-g09d2 From e983d98c4fcd952ffcbc010b185455913c8af650 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 22 Nov 2024 16:20:05 +0100 Subject: test: Ensure we test both gpgv-g10code and gpgv-sq --- debian/tests/control | 1 + test/integration/test-apt-key | 4 ++-- test/integration/test-releasefile-verification | 18 ++++++++++++++---- 3 files changed, 17 insertions(+), 6 deletions(-) (limited to 'test/integration') diff --git a/debian/tests/control b/debian/tests/control index 486930f46..c75f21bcf 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -7,6 +7,7 @@ Restrictions: allow-stderr Depends: @, @builddeps@, dpkg (>= 1.20.8), fakeroot, wget, stunnel4, lsof, db-util, gnupg (>= 2) | gnupg2, gnupg1 | gnupg (<< 2), gpgv (>= 2) | gpgv2, gpgv1 | gpgv (<< 2), + gpgv-sq, jq, libfile-fcntllock-perl, python3-apt, aptitude, valgrind-if-available [!armhf !ppc64el], gdb-minimal | gdb diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key index a1e633ca3..c2180c5f1 100755 --- a/test/integration/test-apt-key +++ b/test/integration/test-apt-key @@ -258,7 +258,7 @@ gpg: unchanged: 1' aptkey --fakeroot update msgtest 'Test verify a file' 'with no sig' testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub.${EXT}" verify "${SIGNATURE}" "${SIGNATURE}2" - for GPGV in '' 'gpgv' 'gpgv1' 'gpgv2'; do + for GPGV in '' 'gpgv' 'gpgv1' 'gpgv2' 'gpgv-sq' 'gpgv-g10code'; do echo "APT::Key::GPGVCommand \"$GPGV\";" > "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd" if [ -n "$GPGV" ] && ! command dpkg -l gnupg1 2>&1 | grep -q '^ii'; then continue; fi @@ -330,7 +330,7 @@ gpg: unchanged: 1' aptkey --fakeroot update adv --batch --yes -u 'Marvin' -u 'Joe' --armor --detach-sign --sign --output "${SIGNATURE}.gpg" "${SIGNATURE}" testsuccess test -s "${SIGNATURE}.gpg" -a -s "${SIGNATURE}" - for GPGV in '' 'gpgv' 'gpgv1' 'gpgv2'; do + for GPGV in '' 'gpgv' 'gpgv1' 'gpgv2' 'gpgv-sq' 'gpgv-g10code'; do echo "APT::Key::GPGVCommand \"$GPGV\";" > "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd" if [ -n "$GPGV" ] && ! command dpkg -l gnupg1 2>&1 | grep -q '^ii'; then continue; fi diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index fcd5d987c..0109f2954 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -101,6 +101,16 @@ updatewithwarnings() { testsuccess grep -E "$1" rootdir/tmp/testwarning.output } +foreachgpg() { + rm -f rootdir/etc/apt/apt.conf.d/00gpgvcmd + "$@" + for GPGV in "gpgv-sq" "gpgv-g10code"; do + msgmsg "Forcing $GPGV to be used" + echo "APT::Key::GPGVCommand \"$GPGV\";" > "rootdir/etc/apt/apt.conf.d/00gpgvcmd" + "$@" + done +} + runtest() { msgmsg 'Cold archive signed by' 'Joe Sixpack' prepare "${PKGFILE}" @@ -480,7 +490,7 @@ successfulaptgetupdate() { testsuccess grep "$1" aptupdate.output fi } -runtest3 'Trusted' +foreachgpg runtest3 'Trusted' successfulaptgetupdate() { testwarning aptget update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 @@ -489,7 +499,7 @@ successfulaptgetupdate() { fi testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output } -runtest3 'Weak' +foreachgpg runtest3 'Weak' msgmsg "Running test with apt-untrusted digest" echo "APT::Hashes::$APT_TESTS_DIGEST_ALGO::Untrusted \"yes\";" > rootdir/etc/apt/apt.conf.d/truststate @@ -524,8 +534,8 @@ runfailure() { export APT_DONT_SIGN='Release.gpg' done } -runfailure +foreachgpg runfailure msgmsg "Running test with gpgv-untrusted digest" export APT_TESTS_DIGEST_ALGO='MD5' -runfailure +foreachgpg runfailure -- cgit v1.2.3-70-g09d2