From f6d4ab9ad8a2cfe52737ab620dd252cf8ceec43d Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 29 Sep 2014 22:45:52 +0200 Subject: support parsing of all hashes for pdiff The fileformat of a pdiff index stores currently only SHA1 hashes. With this change, we look for all other hashes we support as well and take what we get, so that we can work after the release of jessie to get right of SHA1 if we want to. Note that the completely patched file is and was checked against the hashes collected from the Release file, so this transition isn't mission critical. --- test/integration/test-pdiff-usage | 48 ++++++++++++++++++++++++++++++++++----- 1 file changed, 42 insertions(+), 6 deletions(-) (limited to 'test') diff --git a/test/integration/test-pdiff-usage b/test/integration/test-pdiff-usage index 74749d6ab..0d5261429 100755 --- a/test/integration/test-pdiff-usage +++ b/test/integration/test-pdiff-usage @@ -76,8 +76,15 @@ SHA1-History: 9f4148e06d7faa37062994ff10d0c842d7017513 33053002 2010-08-18-2013.28 $(sha1sum $PKGFILE | cut -d' ' -f 1) $(stat -c%s $PKGFILE) $(basename $PATCHFILE) SHA1-Patches: - 7651fc0ac57cd83d41c63195a9342e2db5650257 19722 2010-08-18-0814.28 - $(sha1sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE)" > $PATCHINDEX + 7651fc0ac57cd83d41c63195a9342e2db5650257 19722 2010-08-18-2013.28 + $(sha1sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE) +SHA256-Current: $(sha256sum ${PKGFILE}-new | cut -d' ' -f 1) $(stat -c%s ${PKGFILE}-new) +SHA256-History: + 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 33053002 2010-08-18-2013.28 + $(sha256sum $PKGFILE | cut -d' ' -f 1) $(stat -c%s $PKGFILE) $(basename $PATCHFILE) +SHA256-Patches: + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 19722 2010-08-18-2013.28 + $(sha256sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE)" > $PATCHINDEX generatereleasefiles '+1hour' signreleasefiles find aptarchive -name 'Packages*' -type f -delete @@ -119,9 +126,18 @@ SHA1-History: $(sha1sum ${PKGFILE} | cut -d' ' -f 1) $(stat -c%s ${PKGFILE}) $(basename ${PATCHFILE}) $(sha1sum ${PKGFILE}-new | cut -d' ' -f 1) $(stat -c%s ${PKGFILE}-new) $(basename ${PATCHFILE2}) SHA1-Patches: - 7651fc0ac57cd83d41c63195a9342e2db5650257 19722 2010-08-18-0814.28 + 7651fc0ac57cd83d41c63195a9342e2db5650257 19722 2010-08-18-2013.28 $(sha1sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE) - $(sha1sum ${PATCHFILE2} | cut -d' ' -f 1) $(stat -c%s ${PATCHFILE2}) $(basename ${PATCHFILE2})" > $PATCHINDEX + $(sha1sum ${PATCHFILE2} | cut -d' ' -f 1) $(stat -c%s ${PATCHFILE2}) $(basename ${PATCHFILE2}) +SHA256-Current: $(sha256sum aptarchive/Packages | cut -d' ' -f 1) $(stat -c%s aptarchive/Packages) +SHA256-History: + 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 33053002 2010-08-18-2013.28 + $(sha256sum $PKGFILE | cut -d' ' -f 1) $(stat -c%s $PKGFILE) $(basename $PATCHFILE) + $(sha256sum ${PKGFILE}-new | cut -d' ' -f 1) $(stat -c%s ${PKGFILE}-new) $(basename ${PATCHFILE2}) +SHA256-Patches: + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 19722 2010-08-18-2013.28 + $(sha256sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE) + $(sha256sum ${PATCHFILE2} | cut -d' ' -f 1) $(stat -c%s ${PATCHFILE2}) $(basename ${PATCHFILE2})" > $PATCHINDEX generatereleasefiles '+2hour' signreleasefiles cp -a aptarchive/Packages Packages-future @@ -147,8 +163,15 @@ SHA1-History: 9f4148e06d7faa37062994ff10d0c842d7017513 33053002 2010-08-18-2013.28 $(sha1sum $PKGFILE | cut -d' ' -f 1) $(stat -c%s $PKGFILE) $(basename $PATCHFILE) SHA1-Patches: - 7651fc0ac57cd83d41c63195a9342e2db5650257 19722 2010-08-18-0814.28 - $(sha1sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE)" > $PATCHINDEX + 7651fc0ac57cd83d41c63195a9342e2db5650257 19722 2010-08-18-2013.28 + $(sha1sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE) +SHA256-Current: $(sha256sum ${PKGFILE}-new | cut -d' ' -f 1) $(stat -c%s ${PKGFILE}-new) +SHA256-History: + 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 33053002 2010-08-18-2013.28 + $(sha256sum $PKGFILE | cut -d' ' -f 1) $(stat -c%s $PKGFILE) $(basename $PATCHFILE) +SHA256-Patches: + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 19722 2010-08-18-2013.28 + $(sha256sum $PATCHFILE | cut -d' ' -f 1) $(stat -c%s $PATCHFILE) $(basename $PATCHFILE)" > $PATCHINDEX echo 'I am Mallory and I change files' >> $PATCHFILE cat $PATCHFILE | gzip > ${PATCHFILE}.gz generatereleasefiles '+1hour' @@ -165,3 +188,16 @@ testrun -o Acquire::PDiffs::Merge=0 -o APT::Get::List-Cleanup=1 testrun -o Acquire::PDiffs::Merge=1 -o APT::Get::List-Cleanup=1 testrun -o Acquire::PDiffs::Merge=0 -o APT::Get::List-Cleanup=0 testrun -o Acquire::PDiffs::Merge=1 -o APT::Get::List-Cleanup=0 + +sha256sum() { + echo '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b -' +} +testrun -o Acquire::PDiffs::Merge=0 -o Acquire::ForceHash=SHA1 +testrun -o Acquire::PDiffs::Merge=1 -o Acquire::ForceHash=SHA1 + +unset -f sha256sum +sha1sum() { + echo 'adc83b19e793491b1c6ea0fd8b46cd9f32e592fc -' +} +testrun -o Acquire::PDiffs::Merge=0 -o Acquire::ForceHash=SHA256 +testrun -o Acquire::PDiffs::Merge=1 -o Acquire::ForceHash=SHA256 -- cgit v1.2.3-70-g09d2 From 8b32e72c6f7143de4ec02f44e362b0df9e21e024 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 1 Oct 2014 23:58:05 +0200 Subject: ensure world-readability for trusted.gpg in postinst apt-key creates trusted.gpg if it needs it with 644 nowadays, but before it ensured this, it was gpg creating it, which gives it by default 600. Not a problem as long as our gpgv is run as root, but now that we drop privileges we have to ensure that we can also read trusted.gpg files created by earlier apt-key versions. Closes: 647001 --- debian/apt.postinst | 4 ++++ test/integration/test-apt-key | 7 +++++++ 2 files changed, 11 insertions(+) (limited to 'test') diff --git a/debian/apt.postinst b/debian/apt.postinst index deb422aa5..5820db587 100755 --- a/debian/apt.postinst +++ b/debian/apt.postinst @@ -22,6 +22,10 @@ case "$1" in rm -f "$keyring" fi done + # apt-key before 0.9.8.2 could create 0600 trusted.gpg file + if test -e /etc/apt/trusted.gpg ; then + chmod -f 0644 /etc/apt/trusted.gpg || true + fi fi if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key index d5adec5bd..e6ac530a6 100755 --- a/test/integration/test-apt-key +++ b/test/integration/test-apt-key @@ -41,7 +41,14 @@ gpg: unchanged: 1' aptkey --fakeroot update testaptkeys 'pub 2048R/DBAC8DAE 2010-08-18' + testsuccess test ! -e rootdir/etc/apt/trusted.gpg testsuccess aptkey --fakeroot add ./keys/rexexpired.pub + msgtest 'Check if trusted.gpg is created with permissions set to' '0644' + if [ "$(stat -c '%a' rootdir/etc/apt/trusted.gpg )" = '644' ]; then + msgpass + else + msgfail + fi testaptkeys 'pub 2048R/27CE74F9 2013-07-12 [expired: 2013-07-13] pub 2048R/DBAC8DAE 2010-08-18' -- cgit v1.2.3-70-g09d2