tests/test_auth.py: update for gnupg 1.4.18

The test 'test_add_key_from_server_mitm' needs updating for gnupg 1.4.18
which fail differently/earlier when 'fingerprints do not match' since
commit
 'Screen keyserver responses' (5230304349490f31aa64ee2b69a8a2bc06bf7816)

With that change gnupg actually checks itself(!) if the key that the
server send matches the key that the user asked for.

Closes: #755342

2 files changed, 10 insertions, 1 deletions

diff --git a/apt/auth.py b/apt/auth.py
index 6fe7c01a..b8089d0c 100644
--- a/apt/auth.py
+++ b/apt/auth.py
@@ -154,6 +154,12 @@ def _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir):
     if res != 0:
         raise AptKeyError("recv from '%s' failed for '%s'" % (
             keyserver, keyid))
+    # FIXME:
+    # - with gnupg 1.4.18 the downloaded key is actually checked(!),
+    #   i.e. gnupg will not import anything that the server sends
+    #   into the keyring, so the below checks are now redundant *if*
+    #   gnupg 1.4.18 is used
+
     # now export again using the long key id (to ensure that there is
     # really only this one key in our keyring) and not someone MITM us
     tmp_export_keyring = os.path.join(tmp_keyring_dir, "export-keyring.gpg")
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 790ed380..67377363 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -212,7 +212,10 @@ class TestAuthKeys(unittest.TestCase):
                     "0101010178F7FE5C3E65D8AF8B48AD6246925553",
                     "hkp://localhost:%d" % self.keyserver_port)
         self.assertTrue(
-            str(cm.exception).startswith("Fingerprints do not match"),
+            str(cm.exception).startswith(
+                "recv from 'hkp://localhost:%d' failed for '%s'" % (
+                    self.keyserver_port,
+                    "0101010178F7FE5C3E65D8AF8B48AD6246925553")),
             cm.exception)
 
     def testAddKeyFromServer(self):