
Re: How (not) to detect if a keyring file is a keybox in apt-key



Hi,

(thanks Werner & Daniel for the comments!)

On Mon, Jul 31, 2017 at 05:58:17PM -0400, Daniel Kahn Gillmor wrote:
> Can we identify what code is dropping keybox files in that location?
> That seems like the origin of the problem, and we should make sure it
> gets fixed.

Sure. The issues range from buggy packaging (#846892) [perhaps
a detection can also be uplifted to a lintian error later] to buggy
advice on third-party repository websites through, so that doesn't only
take a while but also happens more often than hoped for – and apt-key
isn't the most helpful in this either as it "happily" supports keyboxes
in the list command due to how that is implemented…


> > | You can do this by inspecting the first octet of the ostensible binary
> > | keyring for one of these three values:
> > |
> > |  * 0x98 -- old-format OpenPGP public key packet, up to 255 octets
> > |  * 0x99 -- old-format OpenPGP public key packet, 256-65535 octets
> > |  * 0xc6 -- new-format OpenPGP public key packet, any length

Playing a bit with this, I have to note that all keyring files I have on
disk or am able to produce are of the second category judging by the
first byte, but their length is all over the place (I assume there is more
than one packet in a file, so that is okay). Attached is hence a WIP patch
which implements just the check of the first byte.


Best regards

David Kalnischkies
From 21e9e08fff168072dccda7828a27109e758f2267 Mon Sep 17 00:00:00 2001
From: David Kalnischkies <david@kalnischkies.de>
Date: Tue, 1 Aug 2017 15:22:09 +0200
Subject: [PATCH] ignore unsupported files in apt-key

---
 cmdline/apt-key.in            |  32 ++++++++++++-
 test/integration/framework    |   6 ++-
 test/integration/test-apt-key | 101 +++++++++++++++++++++++++-----------------
 3 files changed, 96 insertions(+), 43 deletions(-)

diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 723af06ff..5bc5462d2 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -249,6 +249,34 @@ accessible_file_exists() {
    return 1
 }
 
+is_supported_keyring() {
+    # empty files are always supported
+    if ! test -s "$1"; then
+	return 0
+    fi
+    local FILEEXT="${1##*.}"
+    if [ "$FILEEXT" = 'gpg' ]; then
+	# 0x98, 0x99 and 0xC6 via octal as hex isn't supported by dashs printf
+	if printf '\231' | cmp --silent --bytes=1 - "$1"; then
+	    true
+	elif printf '\230' | cmp --silent --bytes=1 - "$1"; then
+	    true
+	elif printf '\306' | cmp --silent --bytes=1 - "$1"; then
+	    true
+	else
+	    apt_warn "The key(s) in the keyring $1 are ignored as the file has an unsupported filetype."
+	    return 1
+	fi
+    elif [ "$FILEEXT" = 'asc' ]; then
+	true #dearmor_filename will deal with them
+    else
+	# most callers ignore unsupported extensions silently
+	apt_warn "The key(s) in the keyring $1 are ignored as the file has an unsupported filename extension."
+	return 1
+    fi
+    return 0
+}
+
 foreach_keyring_do() {
    local ACTION="$1"
    shift
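Review bot: `is_supported_keyring` has no header comment saying that it is a format sniff rather than a validation. For `*.gpg` it compares only the first octet, so any file starting with 0x98, 0x99 or 0xC6 passes, and `*.asc` files are accepted without their content being read. A comment above the function such as `# Format sniff only: accepts empty files, *.asc, and *.gpg starting with an OpenPGP public-key packet tag; does not validate the keyring.` would stop later callers from reading a 0 return as "well-formed keyring". The inline comment `# most callers ignore unsupported extensions silently` sits directly above an `apt_warn` call and should be reworded to match what the branch does.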
@@ -257,7 +285,7 @@ foreach_keyring_do() {
 	$ACTION "$TRUSTEDFILE" "$@"
    else
 	# otherwise all known keyrings are up for inspection
-	if accessible_file_exists "$TRUSTEDFILE"; then
+	if accessible_file_exists "$TRUSTEDFILE" && is_supported_keyring "$TRUSTEDFILE"; then
 	    $ACTION "$TRUSTEDFILE" "$@"
 	fi
 	local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
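Review bot: The added `is_supported_keyring "$TRUSTEDFILE"` also applies the extension rule to the main trusted file. If `TRUSTEDFILE` can be configured to a name that does not end in `.gpg` or `.asc` (its assignment is outside this hunk), a keyring that was used before this change is now skipped with only a warning. The forced-keyring branch just above still runs `$ACTION "$TRUSTEDFILE" "$@"` without the check, so the two paths now accept different files. If that is intended, a comment there such as `# forced keyrings are used as given, no format check` would make it explicit. foreach_keyring_do starts and ends outside the hunk.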
@@ -266,7 +294,7 @@ foreach_keyring_do() {
 	    TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")"
 	    local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 \( -name '*.gpg' -o -name '*.asc' \))"
 	    for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do
-		if accessible_file_exists "$trusted"; then
+		if accessible_file_exists "$trusted" && is_supported_keyring "$trusted"; then
 		    $ACTION "$trusted" "$@"
 		fi
 	    done
diff --git a/test/integration/framework b/test/integration/framework
index 58e56344e..330d4f508 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -1497,6 +1497,10 @@ testempty() {
 	aptautotest 'testempty' "$@"
 	msggroup
 }
+testwarningempty() {
+	testwarning "$@"
+	testfailure grep -v '^W:' "${ROOTDIR}/tmp/testwarning.output"
+}
 testnotempty() {
 	msggroup 'testnotempty'
 	msgtest "Test for some output of" "$*"
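Review bot: `testwarningempty` is added to the shared framework without a comment, while its counterpart `testsuccessempty` is defined privately in test-apt-key, although testrun dispatches to both through `"${TESTSTATE}empty"`. Keeping the pair in one place would make that naming contract easier to find. A line above the function such as `# like testempty, but the command may emit W: lines; any other output is a failure` would document it. The helper also hard-codes `testwarning.output`, which ties it to how `testwarning` names its capture file; that definition is outside the hunk.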
@@ -1967,7 +1971,7 @@ mapkeynametokeyid() {
 }
 testaptkeys() {
 	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/aptkeylist.output"
-	if ! aptkey list --with-colon | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
+	if ! aptkey list --with-colon 2>/dev/null | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
 		echo -n > "$OUTPUT"
 	fi
 	testfileequal "$OUTPUT" "$(mapkeynametokeyid "$@")"
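Review bot: The `2>/dev/null` added to `aptkey list` in testaptkeys discards every diagnostic, not only the new `W:` lines, so an unexpected gpg or apt-key error in this pipeline no longer shows up in the test log. The same blanket redirect is added in testaptkeyskeyring and on the `aptkey export 'Sixpack'` line in test-apt-key. Capturing stderr to a file, e.g. `2>"${OUTPUT}.err"`, and then checking that it holds nothing but `^W:` lines would keep other failures visible.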
diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key
index 13afff995..1e2c8362b 100755
--- a/test/integration/test-apt-key
+++ b/test/integration/test-apt-key
@@ -33,14 +33,17 @@ testaptkeyskeyring() {
 	local KEYRING="$1"
 	shift
 	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/aptkeylistkeyring.output"
-	if ! aptkey --keyring "$KEYRING" list --with-colon | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
+	if ! aptkey --keyring "$KEYRING" list --with-colon 2>/dev/null | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
 		echo -n > "$OUTPUT"
 	fi
 	testfileequal "$OUTPUT" "$(mapkeynametokeyid "$@")"
 }
-
+testsuccessempty() {
+	testempty "$@"
+}
 testrun() {
 	local EXT="${1:-gpg}"
+	local TESTSTATE="${2:-testsuccess}"
 	echo "APT::Key::ArchiveKeyring \"${KEYDIR}/joesixpack.pub.gpg\";
 APT::Key::RemovedKeys \"${KEYDIR}/rexexpired.pub.gpg\";" > "${ROOTDIR}/etc/apt/apt.conf.d/aptkey.conf"
 
@@ -48,40 +51,46 @@ APT::Key::RemovedKeys \"${KEYDIR}/rexexpired.pub.gpg\";" > "${ROOTDIR}/etc/apt/a
 	ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testaptkeys 'Joe Sixpack'
 
-	testsuccess aptkey list
+	${TESTSTATE} aptkey list
 	msgtest 'Check that paths in list output are not' 'double-slashed'
-	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/testsuccess.output"
+	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/${TESTSTATE}.output"
 
-	testsuccess aptkey finger
+	${TESTSTATE} aptkey finger
 	msgtest 'Check that paths in finger output are not' 'double-slashed'
-	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/testsuccess.output"
+	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/${TESTSTATE}.output"
 
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${KEYDIR}/joesixpack.pub.${EXT}.bak"
-	testequalor2 'gpg: key DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
+	if [ "$TESTSTATE" = 'testwarning' ]; then
+		testwarning aptkey --fakeroot update
+		testsuccess grep '^gpg: key .*DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed$' "${ROOTDIR}/tmp/testwarning.output"
+		testsuccess grep '^W: .* are ignored as the file has an unsupported filetype' "${ROOTDIR}/tmp/testwarning.output"
+	else
+		testequalor2 'gpg: key DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1' 'gpg: key 5A90D141DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1' aptkey --fakeroot update
+	fi
 	testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${KEYDIR}/joesixpack.pub.${EXT}.bak"
 
 	testaptkeys 'Joe Sixpack'
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg"
 
-	testsuccess aptkey --fakeroot add "${KEYDIR}/rexexpired.pub.${EXT}"
+	${TESTSTATE} aptkey --fakeroot add "${KEYDIR}/rexexpired.pub.${EXT}"
 	testfilestats "${ROOTDIR}/etc/apt/trusted.gpg" '%a' '=' '644'
 
 	testaptkeys 'Rex Expired' 'Joe Sixpack'
 
 	msgtest 'Check that Sixpack key can be' 'exported'
-	aptkey export 'Sixpack' > "${TMPWORKINGDIRECTORY}/aptkey.export"
+	aptkey export 'Sixpack' > "${TMPWORKINGDIRECTORY}/aptkey.export" 2>/dev/null
 	aptkey --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}" exportall > "${TMPWORKINGDIRECTORY}/aptkey.exportall"
 	testsuccess --nomsg cmp "${TMPWORKINGDIRECTORY}/aptkey.export" "${TMPWORKINGDIRECTORY}/aptkey.exportall"
 	testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.export"
 	testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.exportall"
 
 	msgtest 'Execute update again to trigger removal of' 'Rex Expired key'
-	testsuccess --nomsg aptkey --fakeroot update
+	${TESTSTATE} --nomsg aptkey --fakeroot update
 
 	testaptkeys 'Joe Sixpack'
 
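Review bot: The `testwarning` branch for `aptkey --fakeroot update` asserts less than the `testequalor2` branch it stands in for. It greps for the "not changed" line and for the warning, but no longer checks `gpg: Total number processed: 1` or `unchanged: 1`, so extra keys processed during the bad-files run would go unnoticed. Adding `testsuccess grep '^gpg: Total number processed: 1$' "${ROOTDIR}/tmp/testwarning.output"` would restore that check. testrun starts and ends outside the hunk.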
@@ -90,27 +99,27 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
 	testaptkeys 'Joe Sixpack'
 
-	testsuccess aptkey --fakeroot del DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} aptkey --fakeroot del DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 
 	ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testaptkeys 'Joe Sixpack'
 	msgtest "Remove a key from" 'forced keyring in trusted.d.gpg'
 	testsuccess --nomsg aptkey --fakeroot --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}" del DBAC8DAE
 	testsuccess cmp -s "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
-	testempty aptkey list
+	"${TESTSTATE}empty" aptkey list
 
 	cp -a "${KEYDIR}/marvinparanoid.pub.asc" "${ROOTDIR}/etc/foobar.pub"
 	testsuccess aptkey --fakeroot --keyring "${ROOTDIR}/etc/foobar.pub" add "${KEYDIR}/rexexpired.pub.asc" "${KEYDIR}/joesixpack.pub.gpg"
 	testfilestats "${ROOTDIR}/etc/foobar.pub" '%a' '=' '644'
 	testaptkeyskeyring "${ROOTDIR}/etc/foobar.pub" 'Marvin Paranoid' 'Rex Expired' 'Joe Sixpack'
-	testempty aptkey list
+	"${TESTSTATE}empty" aptkey list
 
 	msgtest 'Test key removal with' 'lowercase key ID' #keylength somewhere between 8byte and short
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del d141dbac8dae
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del d141dbac8dae
+	"${TESTSTATE}empty" aptkey list
 
 	if [ "$(id -u)" != '0' ]; then
 		msgtest 'Test key removal with' 'unreadable key'
@@ -129,8 +138,8 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	msgtest 'Test key removal with' 'single key in real file'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
@@ -138,8 +147,8 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	cp -a "${KEYDIR}/marvinparanoid.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del 0xDBAC8DAE 528144E2
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del 0xDBAC8DAE 528144E2
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.${EXT}"
@@ -148,39 +157,39 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	msgtest 'Test key removal with' 'long key ID'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	msgtest 'Test key removal with' 'fingerprint'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	msgtest 'Test key removal with' 'spaced fingerprint'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del '34A8 E9D1 8DB3 20F3 67E8 EAA0 5A90 D141 DBAC 8DAE'
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del '34A8 E9D1 8DB3 20F3 67E8 EAA0 5A90 D141 DBAC 8DAE'
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	msgtest 'Test key removal with' 'single key in softlink'
 	cleanplate
 	ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	cleanplate
-	testsuccess aptkey --fakeroot add "${KEYDIR}/joesixpack.pub.${EXT}"
+	${TESTSTATE} aptkey --fakeroot add "${KEYDIR}/joesixpack.pub.${EXT}"
 	ln -sf "$(readlink -f "${KEYDIR}/marvinparanoid.pub.${EXT}")" "${KEYDIR}/marvin paránöid.pub.${EXT}"
-	testsuccess aptkey --fakeroot add "${KEYDIR}/marvin paránöid.pub.${EXT}"
+	${TESTSTATE} aptkey --fakeroot add "${KEYDIR}/marvin paránöid.pub.${EXT}"
 	testaptkeys 'Joe Sixpack' 'Marvin Paranoid'
 	cp -a "${ROOTDIR}/etc/apt/trusted.gpg" "${KEYDIR}/testcase-multikey.pub.gpg" # store for reuse
 	gpg --no-default-keyring --keyring "${KEYDIR}/testcase-multikey.pub.gpg" --armor --export > "${KEYDIR}/testcase-multikey.pub.asc"
@@ -188,14 +197,14 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	msgtest 'Test key removal with' 'multi key in real file'
 	cleanplate
 	cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 	testsuccess cmp "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
 
 	msgtest 'Test key removal with' 'multi key in softlink'
 	cleanplate
 	ln -s "$(readlink -f "${KEYDIR}/testcase-multikey.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 	testsuccess cmp "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
 	testfailure test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
@@ -205,7 +214,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
@@ -216,15 +225,15 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
 	testaptkeys 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
 	msgtest 'Test merge-back of' 'added keys'
-	testsuccess --nomsg aptkey adv --batch --yes --import "${KEYDIR}/rexexpired.pub.${EXT}"
+	${TESTSTATE} --nomsg aptkey adv --batch --yes --import "${KEYDIR}/rexexpired.pub.${EXT}"
 	testaptkeys 'Rex Expired' 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
 
 	msgtest 'Test merge-back of' 'removed keys'
-	testsuccess --nomsg aptkey adv --batch --yes --delete-keys 27CE74F9
+	${TESTSTATE} --nomsg aptkey adv --batch --yes --delete-keys 27CE74F9
 	testaptkeys 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
 
 	msgtest 'Test merge-back of' 'removed duplicate keys'
-	testsuccess --nomsg aptkey adv --batch --yes --delete-keys DBAC8DAE
+	${TESTSTATE} --nomsg aptkey adv --batch --yes --delete-keys DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 
 	cleanplate
@@ -246,7 +255,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 		if [ -n "$GPGV" ] && ! command dpkg -l gnupg1 2>&1 | grep -q '^ii'; then continue; fi
 
 		msgtest 'Test verify a file' 'with all keys'
-		testsuccess --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+		${TESTSTATE} --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
 		if [ "$(id -u)" != '0' ]; then
 			msgtest 'Test verify a file' 'with unreadable key'
@@ -274,7 +283,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
 		# note: this isn't how apts gpgv method implements keyid for verify
 		msgtest 'Test verify a file' 'with good keyid'
-		testsuccess --nomsg aptkey --quiet --readonly --keyid 'Paranoid' verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+		${TESTSTATE} --nomsg aptkey --quiet --readonly --keyid 'Paranoid' verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
 		msgtest 'Test fail verify a file' 'with bad keyid'
 		testfailure --nomsg aptkey --quiet --readonly --keyid 'Sixpack' verify "${SIGNATURE}.gpg" "${SIGNATURE}"
@@ -287,7 +296,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
 		# try to perform an entire update with this gpgv
 		rm -rf "${ROOTDIR}/var/lib/apt/lists"
-		testsuccess apt update -o Test::Dir="${ROOTDIR}"
+		${TESTSTATE} apt update -o Test::Dir="${ROOTDIR}"
 	done
 	rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"
 
@@ -310,7 +319,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 		if [ -n "$GPGV" ] && ! command dpkg -l gnupg1 2>&1 | grep -q '^ii'; then continue; fi
 
 		msgtest 'Test verify a doublesigned file' 'with all keys'
-		testsuccess --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+		${TESTSTATE} --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
 		msgtest 'Test verify a doublesigned file' 'with good keyring joe'
 		testmultigpg --keyring "${KEYDIR}/joesixpack.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
@@ -389,3 +398,15 @@ testrun
 msgmsg 'Tests to be run with' 'asc files'
 rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgcmd"
 testrun 'asc'
+
+msgmsg 'Tests to be run with' 'bad files'
+# don't let the plate be so clean anymore
+cleanplate() {
+	rm -rf "${ROOTDIR}/etc/apt/trusted.gpg.d/" "${ROOTDIR}/etc/apt/trusted.gpg"
+	mkdir "${ROOTDIR}/etc/apt/trusted.gpg.d/"
+	touch "${ROOTDIR}/etc/apt/trusted.gpg.d/emptyfile.gpg"
+	touch "${ROOTDIR}/etc/apt/trusted.gpg.d/emptyfile.asc"
+	echo 'broken' > "${ROOTDIR}/etc/apt/trusted.gpg.d/brokenfile.gpg"
+	echo 'broken' > "${ROOTDIR}/etc/apt/trusted.gpg.d/brokenfile.asc"
+}
+testrun 'gpg' 'testwarning'
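Review bot: The "bad files" fixture only writes the text `broken`, so this run covers a wrong first octet but not the case the commit is about, a GnuPG keybox dropped into trusted.gpg.d. It also does not cover a `.gpg` file whose first octet is accepted and whose remainder is garbage. Adding a real keybox produced by gpg during test setup as a third fixture would pin the behaviour the change exists for. In the visible hunks only the "unsupported filetype" message is grepped, so nothing asserts how `brokenfile.asc` is handled.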
-- 
2.13.3

Attachment: signature.asc
Description: PGP signature

