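# Treat any reference to an unset variable (TESTSDIR, WORKDIR, ...) as an error.
set -u
# Shared helpers of the test suite. testrun, odb and testsuccess, used below,
# are not defined in this file and presumably come from here.
. "$TESTSDIR"/test.inc

# Throw-away GnuPG home for this test. Group and other permissions are removed
# before any key material is imported into it.
mkdir gpgtestdir
chmod go-rwx gpgtestdir
export GNUPGHOME="$(pwd)/gpgtestdir"
# First keyring: it is used further down to sign the Release file with -u, so
# these fixture files presumably carry secret keys. TESTSDIR is quoted here the
# same way as on the test.inc line, so a path with spaces does not split.
gpg --import "$TESTSDIR"/good.key "$TESTSDIR"/evil.key "$TESTSDIR"/expired.key "$TESTSDIR"/revoked.key "$TESTSDIR"/expiredwithsubkey-working.key "$TESTSDIR"/withsubkeys-works.key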

# Today's date as YYYY-MM-DD; the expected "(signed ${CURDATE})" lines further
# down are built from it.
# NOTE(review): computed once here, while the signatures are made later; a run
# that crosses midnight in between would presumably make those lines stale.
CURDATE="$(date +"%Y-%m-%d")"

# Minimal repository configuration: one distribution fed by two update rules.
mkdir conf lists
cat > conf/distributions <<CONFEND
Codename: Test
Architectures: source
Components: everything
Update: rule otherrule
CONFEND
# Case: a VerifyRelease key id of only three hex digits. Both rules take it
# over from commonbase through From:.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: 111
Suite: test

Name: rule
From: commonbase

Name: otherrule
From: commonbase
CONFEND

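# The three-digit key id has to be refused while the configuration is parsed:
# exit status 255 and the "Too short key id" message on stderr. The
# expectations are handed to testrun on file descriptor 3; their exact format
# is defined in test.inc, which is not shown here.
# Line-number residue of the page view that had ended up inside this
# here-document is removed, since every line in it is expectation data.
testrun - -b . update Test 3<<EOF
return 255
stdout
$(odb)
stderr
*=Error: Too short key id '111' in VerifyRelease condition '111'!
-v0*=There have been errors!
EOF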

# Case: two key ids separated by a space.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: 11111111 22222222
Suite: test

Name: rule
From: commonbase

Name: otherrule
From: commonbase
CONFEND

# A space-separated list is rejected outright instead of being interpreted;
# the message points to '|' as the separator for alternative keys.
testrun - -b . update Test 3<<EOF
return 255
stdout
stderr
*=Error: Space separated key-ids in VerifyRelease condition '11111111 22222222'!
*=(Alternate keys can be separated with '|'. Do not put spaces in key-ids.)
-v0*=There have been errors!
EOF

# Case: a well-formed eight-digit key id that matches no key in the keyring.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: 11111111
Suite: test

Name: rule
From: commonbase

Name: otherrule
From: commonbase
CONFEND

# A condition naming a key that cannot be found is an error (exit status 249)
# rather than a condition that silently never matches.
testrun - -b . update Test 3<<EOF
return 249
stdout
stderr
*=Error: unknown key '11111111'!
-v0*=There have been errors!
EOF

# Case: each rule carries its own condition with '|'-separated alternatives.
# commonbase still names the unknown key, but the runs below only report on
# the per-rule conditions, so the base condition is apparently not evaluated
# when every rule sets its own.
# NOTE(review): all conditions in this file use 8-hex-digit short key ids,
# which is fine for fixture keys. 32-bit ids can be collided, so a production
# VerifyRelease line is better written with a long id or full fingerprint,
# provided the installed reprepro accepts that form.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: 11111111

Name: rule
From: commonbase
VerifyRelease: DC3C29B8|685AF714
Suite: test

Name: otherrule
From: commonbase
VerifyRelease: 685AF714|D04DD3D6
Suite: test
CONFEND

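# Fake upstream repository reachable through the file: method. The Release
# file deliberately contains no checksums, so a run that gets past signature
# verification ends with "Missing checksums" instead of fetching anything.
mkdir test
mkdir test/dists
mkdir test/dists/test
cat > test/dists/test/Release <<EOF
Codename: test
Components: everything
Architectures: coal
EOF

gpg --list-secret-keys
# Three clearsigned variants of that Release file (line-number residue that
# stood between the commands in the page view is dropped):
#   InRelease       signed as 60DDED5B, D7A5D887 and revoked@nowhere.tld
#   InRelease.good  signed as 60DDED5B, D7A5D887 and good@nowhere.tld
#   InRelease.evil  signed only as evil@nowhere.tld, a key that none of the
#                   VerifyRelease conditions in this file lists
gpg --expert --sign --clearsign -u 60DDED5B -u D7A5D887 -u revoked@nowhere.tld --output test/dists/test/InRelease test/dists/test/Release
gpg --expert --sign --clearsign -u 60DDED5B -u D7A5D887 -u good@nowhere.tld --output test/dists/test/InRelease.good test/dists/test/Release
gpg --expert -a --sign --clearsign -u evil@nowhere.tld --output test/dists/test/InRelease.evil test/dists/test/Release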

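# Throw the signing keyring away and build the keyring used for verification.
# GNUPGHOME still points at the same path. The import list differs from the
# first one (revoked.pkey is added, and the expiredwithsubkey/withsubkeys
# files replace their "-working"/"-works" variants); presumably these carry the
# key states (revoked, expired) that the checks below rely on.
rm -r gpgtestdir
mkdir gpgtestdir
chmod go-rwx gpgtestdir
# TESTSDIR is quoted so that a path containing spaces does not split.
gpg --import "$TESTSDIR"/good.key "$TESTSDIR"/evil.key "$TESTSDIR"/expired.key "$TESTSDIR"/revoked.key "$TESTSDIR"/revoked.pkey "$TESTSDIR"/expiredwithsubkey.key "$TESTSDIR"/withsubkeys.key
gpg --list-keys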

# A condition that lists a revoked key is refused before anything is fetched.
# The message names the opt-in: append '!' to the key id.
testrun - -b . update Test 3<<EOF
return 255
stderr
*=VerifyRelease condition 'DC3C29B8|685AF714' lists revoked key '72F1D61F685AF714'.
*=(To use it anyway, append it with a '!' to force usage).
-v0*=There have been errors!
stdout
EOF

# Mark the revoked key as forced in both rules (it occurs once per line).
sed -e 's/685AF714/&!/' -i conf/updates

# With the revoked key forced, the next complaint is the expired key in the
# second rule's condition; it needs the same explicit '!'.
testrun - -b . update Test 3<<EOF
return 255
stderr
*=VerifyRelease condition '685AF714!|D04DD3D6' lists expired key '894FA29DD04DD3D6'.
*=(To use it anyway, append it with a '!' to force usage).
-v0*=There have been errors!
stdout
EOF

# Mark the expired key as forced as well.
sed -e 's/D04DD3D6/&!/' -i conf/updates

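# Both problematic keys are now marked with '!', so the configuration is
# accepted and InRelease is fetched. The '!' alone does not make a signature
# by the revoked key count: without --ignore=revokedkey it is reported as
# "Not accepting" and the condition stays unfulfilled (exit status 250).
# "key revoced" is the spelling expected from the program's output and must
# stay as it is. Line-number residue of the page view that had ended up inside
# this here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=Not accepting valid signature in './lists/commonbase_test_InRelease' with REVOKED '12D6C95C8C737389EAAF535972F1D61F685AF714'
*=(To ignore it append a ! to the key and run reprepro with --ignore=revokedkey)
*=ERROR: Condition '685AF714!|D04DD3D6!' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
*='12D6C95C8C737389EAAF535972F1D61F685AF714' (signed ${CURDATE}): key revoced
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF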

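# Same configuration, now with --ignore=revokedkey on the command line as
# well. Only the combination of '!' in the condition and the command-line flag
# lets the revoked key's signature through, and it is still announced with a
# WARNING. The run then fails later on the checksum-less Release file (exit
# status 255), which shows that signature verification was passed.
# Line-number residue of the page view inside the here-document is removed.
testrun - --ignore=revokedkey -b . update Test 3<<EOF
return 255
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=WARNING: valid signature in './lists/commonbase_test_InRelease' with revoked '12D6C95C8C737389EAAF535972F1D61F685AF714' is accepted as requested!
*=Missing checksums in Release file './lists/commonbase_test_InRelease'!
-v0*=There have been errors!
stdout
EOF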

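# Swap in the variant whose third signature comes from the good key instead of
# the revoked one.
cp test/dists/test/InRelease.good test/dists/test/InRelease

# Two of the three signatures are reported as valid, yet neither belongs to a
# key named in the condition '685AF714!|D04DD3D6!', so that condition is not
# fulfilled and the update is refused (exit status 250). A valid signature
# only counts when its key is listed.
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=ERROR: Condition '685AF714!|D04DD3D6!' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF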

# Same two conditions as before, swapped between the rules, to check that the
# outcome does not depend on the order in which the rules are listed.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: 11111111

Name: rule
From: commonbase
VerifyRelease: 685AF714!|D04DD3D6!
Suite: test

Name: otherrule
From: commonbase
VerifyRelease: DC3C29B8|685AF714!
Suite: test
CONFEND

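# With the conditions swapped between the rules the expected result is the
# same as before: the condition '685AF714!|D04DD3D6!' is not fulfilled and
# the update is refused (exit status 250).
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=ERROR: Condition '685AF714!|D04DD3D6!' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF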

# Subkey handling. commonbase names F62C6D3B, "rule" names D7A5D887 directly
# and "otherrule" sets no condition of its own, so it uses the one from
# commonbase.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: F62C6D3B

Name: rule
From: commonbase
VerifyRelease: D7A5D887
Suite: test

Name: otherrule
From: commonbase
Suite: test
CONFEND

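# The plain id 'F62C6D3B' is not fulfilled although the D7A5D887 signature is
# reported as valid. Presumably D7A5D887 is a subkey of F62C6D3B, and without a
# trailing '+' a subkey's signature does not satisfy a condition that names
# the primary key (the next step adds the '+').
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=ERROR: Condition 'F62C6D3B' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF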

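# Append '+' to the key id in the commonbase condition.
sed -e 's/F62C6D3B/F62C6D3B+/' -i conf/updates

# With 'F62C6D3B+' no signature error is expected any more; the run gets as
# far as the checksum-less Release file and fails there (exit status 255).
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 255
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=Missing checksums in Release file './lists/commonbase_test_InRelease'!
-v0*=There have been errors!
stdout
EOF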

# Now a subkey of an expired key: the condition names 60DDED5B with '!', and
# both rules take it over from commonbase.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: 60DDED5B!

Name: rule
From: commonbase
Suite: test

Name: otherrule
From: commonbase
Suite: test
CONFEND

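# gpgme no longer seems to distinguish expired and parent-expired:
# The signature made with 60DDED5B is reported as EXPIRED. The '!' in the
# condition is not enough on its own; the message asks for --ignore=expiredkey
# in addition, so the update is refused (exit status 250).
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=Not accepting valid signature in './lists/commonbase_test_InRelease' with EXPIRED 'DCAD3A286F5178E2F4B09330A573FEB160DDED5B'
*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredkey)
*=ERROR: Condition '60DDED5B!' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF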

# Now list the expired key itself, of which a non-expired subkey is used:
# A260449A carries both '!' (force) and '+' (subkeys).
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: A260449A!+

Name: rule
From: commonbase
Suite: test

Name: otherrule
From: commonbase
Suite: test
CONFEND

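# gpgme no longer seems to distinguish expired and parent-expired:
# Naming the expired key as 'A260449A!+' gives the same outcome as the previous
# case: the 60DDED5B signature is reported as EXPIRED and is not accepted
# without --ignore=expiredkey (exit status 250).
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=Not accepting valid signature in './lists/commonbase_test_InRelease' with EXPIRED 'DCAD3A286F5178E2F4B09330A573FEB160DDED5B'
*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredkey)
*=ERROR: Condition 'A260449A!+' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='DCAD3A286F5178E2F4B09330A573FEB160DDED5B' (signed ${CURDATE}): expired key
*='236B4B98B5087AF4B621CB14D8A28B7FD7A5D887' (signed ${CURDATE}): valid
*='12E94E82B6D7A883AF6EC8E980F4C43EDC3C29B8' (signed ${CURDATE}): valid
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF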

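# Now testing what happens when only signed with a totally different key:
cp test/dists/test/InRelease.evil test/dists/test/InRelease

# The signing key was imported into the keyring (evil.key), so its signature
# is reported as valid, but it is not named in the condition. Being present in
# the keyring must not be enough: the update is refused (exit status 250).
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=ERROR: Condition 'A260449A!+' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='FDC7D039CCC83CC4921112A09FA943670C672A4A' (signed ${CURDATE}): valid
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF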

# Now testing an expired signature (the signature itself carries an expiry
# date, as opposed to the key being expired). Neither condition marks the key
# with '!' yet.
cat > conf/updates <<CONFEND
Name: commonbase
Method: file:$WORKDIR/test
VerifyRelease: F62C6D3B+

Name: rule
From: commonbase
VerifyRelease: F62C6D3B
Suite: test

Name: otherrule
From: commonbase
Suite: test
CONFEND

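# expired signatures are not that easy to fake, so cat it:
# A stored clearsigned fixture; the expectations below describe it as signed
# 2012-05-21 and expired since 2012-05-22. The 'EOF' delimiter is quoted so
# the shell writes the signed text and the armor verbatim. Line-number residue
# of the page view that had ended up inside the here-document is removed, as
# any extra line in here would alter the signed message or break the armor.
# The SHA1 hash header belongs to the old fixture and is not a recommendation.
cat > test/dists/test/InRelease <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Codename: test
Components: everything
Architectures: coal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iKIEAQECAAwFAk+6EiEFgwABUYAACgkQFU9je/YsbTv4LgP8DkaRBhBG7+JDD1N1
GANCsth4rzKDfpyMrttFjW6Ra9QegDdnHyLz09IL5Hyzmst4s8DQ69q2LyZaQt3+
0C2OG9iQ2GjQt8xvppDufvymFpqTbqnGn/LeG6KjP542Su8XZxptFPT2DyPNCe0W
Vz5f8yupwc67sAWj/qhmBEpZp9E=
=025V
-----END PGP SIGNATURE-----
EOF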

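# The signature verifies, but it has expired: it is not accepted, and the
# message names the two-part opt-in ('!' on the key plus
# --ignore=expiredsignature). Exit status 250.
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=Not accepting valid but EXPIRED signature in './lists/commonbase_test_InRelease' with '2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B'
*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredsignature)
*=ERROR: Condition 'F62C6D3B+' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B' (signed 2012-05-21): expired signature (since 2012-05-22)
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF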

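# The command-line flag alone changes nothing: with --ignore=expiredsignature
# but no '!' on the key in the condition, the expired signature is still
# rejected with the same messages (exit status 250).
# Line-number residue of the page view inside the here-document is removed.
testrun - --ignore=expiredsignature -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=Not accepting valid but EXPIRED signature in './lists/commonbase_test_InRelease' with '2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B'
*=(To ignore it append a ! to the key and run reprepro with --ignore=expiredsignature)
*=ERROR: Condition 'F62C6D3B+' not fulfilled for './lists/commonbase_test_InRelease'.
*=Signatures in './lists/commonbase_test_InRelease':
*='2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B' (signed 2012-05-21): expired signature (since 2012-05-22)
*=Error: Not enough signatures found for remote repository commonbase (file:${WORKDIR}/test test)!
-v0*=There have been errors!
stdout
EOF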

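# Add the per-key opt-in: '!' is inserted directly after the key id in both
# conditions.
sed -e 's/F62C6D3B/&!/' -i conf/updates

# With '!' in the configuration and --ignore=expiredsignature on the command
# line, the expired signature is accepted, but only with a WARNING. The run
# then fails on the checksum-less Release file (exit status 255).
# Line-number residue of the page view inside the here-document is removed.
testrun - --ignore=expiredsignature -b . update Test 3<<EOF
return 255
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=WARNING: valid but expired signature in './lists/commonbase_test_InRelease' with '2938A0D8CD4E20437CAE9CE4154F637BF62C6D3B' is accepted as requested!
*=Missing checksums in Release file './lists/commonbase_test_InRelease'!
-v0*=There have been errors!
stdout
EOF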

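# Empty file: replace InRelease with a zero-length file. The here-document is
# intentionally empty; line-number residue of the page view that had ended up
# inside it is removed, because it would otherwise become the file's content.
cat > test/dists/test/InRelease <<EOF
EOF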

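# An InRelease file with no content carries no signature at all; this must be
# treated as "Not enough signatures" (exit status 250), not as nothing to check.
# Line-number residue of the page view inside the here-document is removed.
testrun - -b . update Test 3<<EOF
return 250
stderr
-v1*=aptmethod got 'file:${WORKDIR}/test/dists/test/InRelease'
-v2*=Copy file '${WORKDIR}/test/dists/test/InRelease' to './lists/commonbase_test_InRelease'...
*=Error: Not enough signatures found for remote repository commonbase (file:$WORKDIR/test test)!
-v0*=There have been errors!
stdout
EOF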

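# Remove everything the test created, including the temporary GnuPG home with
# the fixture keys (it was listed twice in the original command; once is
# enough).
rm -rf db conf gpgtestdir lists test

# Report success to the test harness (helper presumably from test.inc).
testsuccess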