From 1af227c2eaad386f0917fc4f36c84fd5999b884e Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Thu, 28 Apr 2016 22:02:50 +0200
Subject: gpgv: handle expired sig as worthless
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signatures on data can have an expiration date, too, which we hadn't handled previously explicitly (no problem – gpg still has a non-zero exit code so apt notices the invalid signature) so the error message wasn't as helpful as it could be (aka mentioning the key signing it).
---
 test/integration/framework | 6 ++++--
 test/integration/test-releasefile-verification | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
(limited to 'test')
diff --git a/test/integration/framework b/test/integration/framework
index a68209326..a5cc842ba 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1084,6 +1084,8 @@ setupaptarchive() {
 signreleasefiles() {
 local SIGNER="${1:-Joe Sixpack}"
 local REPODIR="${2:-aptarchive}"
+ if [ -n "$1" ]; then shift; fi
+ if [ -n "$1" ]; then shift; fi
 local KEY="keys/$(echo "$SIGNER" | tr 'A-Z' 'a-z' | sed 's# ##g')"
 local GPG="aptkey --quiet --keyring ${KEY}.pub --secret-keyring ${KEY}.sec --readonly adv --batch --yes --digest-algo ${APT_TESTS_DIGEST_ALGO:-SHA512}"
 msgninfo "\tSign archive with $SIGNER key $KEY… "
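Review bot: The two added `if [ -n "$1" ]; then shift; fi` guards test whether the argument is non-empty rather than whether it exists. A caller that passes an empty first or second argument to get the default (which `${1:-Joe Sixpack}` and `${2:-aptarchive}` allow) therefore skips a shift and leaves a positional value in `"$@"`. The second hunk in this file then forwards that leftover to gpg as if it were an option. Counting arguments avoids this: `if [ "$#" -gt 0 ]; then shift; fi`, written twice. signreleasefiles continues past the end of this hunk.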
@@ -1111,9 +1113,9 @@ signreleasefiles() {
 fi
 fi
 for RELEASE in $(find "${REPODIR}/" -name Release); do
- testsuccess $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
+ testsuccess $GPG "$@" --default-key "$SIGNER" --armor --detach-sign --sign --output "${RELEASE}.gpg" "${RELEASE}"
 local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
- testsuccess $GPG --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
+ testsuccess $GPG "$@" --default-key "$SIGNER" --clearsign --output "$INRELEASE" "$RELEASE"
 # we might have set a specific date for the Release file, so copy it
 touch -d "$(stat --format "%y" ${RELEASE})" "${RELEASE}.gpg" "${INRELEASE}"
 done
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 10b830449..a061832b6 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
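Review bot: Nothing in signreleasefiles documents that arguments after the second are now handed to gpg, and `"$@"` is inserted before `--default-key` on both the detached-signature call and the clearsign call in this hunk. A short comment above the function would make that contract visible, for example `# $1: signer (default Joe Sixpack), $2: repository dir (default aptarchive), $3...: extra gpg options applied to both Release.gpg and InRelease`. The function header lies outside this hunk, in the first hunk of the same file, so the comment belongs there.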
@@ -129,6 +129,29 @@ runtest() { failaptold rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg + msgmsg 'Cold archive expired signed by' 'Joe Sixpack' + if dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then + touch rootdir/etc/apt/apt.conf.d/99gnupg2 + elif gpg2 --version >/dev/null 2>&1; then + echo 'Apt::Key::gpgcommand "gpg2";' > rootdir/etc/apt/apt.conf.d/99gnupg2 + if ! dpkg --compare-versions "$(aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3)" '>=' '2.1' >/dev/null 2>&1; then + rm rootdir/etc/apt/apt.conf.d/99gnupg2 + fi + fi + if [ -e rootdir/etc/apt/apt.conf.d/99gnupg2 ]; then + prepare "${PKGFILE}" + rm -rf rootdir/var/lib/apt/lists + signreleasefiles 'Joe Sixpack' 'aptarchive' --faked-system-time "20070924T154812" --default-sig-expire 2016-04-01 + find aptarchive/ -name "$DELETEFILE" -delete + updatewithwarnings '^W: .* EXPSIG' + testsuccessequal "$(cat "${PKGFILE}") +" aptcache show apt + failaptold + rm -f rootdir/etc/apt/apt.conf.d/99gnupg2 + else + msgskip 'Not a new enough gpg available providing --fake-system-time' + fi + msgmsg 'Cold archive signed by' 'Marvin Paranoid' prepare "${PKGFILE}" rm -rf rootdir/var/lib/apt/lists -- cgit v1.2.3
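Review bot: The gpg version probe `aptkey adv --version | head -n 2 | tail -n 1 | cut -d' ' -f 3` appears twice in the added block, and both comparisons send their output to `/dev/null`. A version string that fails to parse would therefore look the same as an old gpg, and the expired-signature check would quietly become a skip. Moving the probe into one small helper and printing the detected version next to `msgskip` would make a wrong skip visible. The skip text also names `--fake-system-time` while the call uses `--faked-system-time`; it should read `msgskip 'Not a new enough gpg available providing --faked-system-time'`. runtest starts and ends outside this hunk.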