ignore unsupported key formats in apt-key

gpg2 generates keyboxes by default and users end up putting either those or armored files into the trusted.gpg.d directory which apt tools neither expect nor can really work with without fortifying backward compatibility (at least under the ".gpg" extension). A (short) discussion about how to deal with keyboxes happened in https://lists.debian.org/deity/2017/07/msg00083.html As the last message in that thread is this changeset lets go ahead with it and see how it turns out. The idea is here simply that we check the first octal of a gpg file to have one of three accepted values. Testing on my machines has always produced just one of these, but running into those values on invalid files is reasonabily unlikely to not worry too much. Closes: #876508
Debian · Oct 5, 2017 · 0129327 · 0129327
1 parent 19e525a
commit 0129327
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 43 deletions.
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
@@ -249,6 +249,34 @@ accessible_file_exists() {
    return 1
 }
 
+is_supported_keyring() {
+    # empty files are always supported
+    if ! test -s "$1"; then
+	return 0
+    fi
+    local FILEEXT="${1##*.}"
+    if [ "$FILEEXT" = 'gpg' ]; then
+	# 0x98, 0x99 and 0xC6 via octal as hex isn't supported by dashs printf
+	if printf '\231' | cmp --silent --bytes=1 - "$1"; then
+	    true
+	elif printf '\230' | cmp --silent --bytes=1 - "$1"; then
+	    true
+	elif printf '\306' | cmp --silent --bytes=1 - "$1"; then
+	    true
+	else
+	    apt_warn "The key(s) in the keyring $1 are ignored as the file has an unsupported filetype."
+	    return 1
+	fi
+    elif [ "$FILEEXT" = 'asc' ]; then
+	true #dearmor_filename will deal with them
+    else
+	# most callers ignore unsupported extensions silently
+	apt_warn "The key(s) in the keyring $1 are ignored as the file has an unsupported filename extension."
+	return 1
+    fi
+    return 0
+}
+
 foreach_keyring_do() {
    local ACTION="$1"
    shift
@@ -257,7 +285,7 @@ foreach_keyring_do() {
 	$ACTION "$TRUSTEDFILE" "$@"
    else
 	# otherwise all known keyrings are up for inspection
-	if accessible_file_exists "$TRUSTEDFILE"; then
+	if accessible_file_exists "$TRUSTEDFILE" && is_supported_keyring "$TRUSTEDFILE"; then
 	    $ACTION "$TRUSTEDFILE" "$@"
 	fi
 	local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
@@ -266,7 +294,7 @@ foreach_keyring_do() {
 	    TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")"
 	    local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 \( -name '*.gpg' -o -name '*.asc' \))"
 	    for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do
-		if accessible_file_exists "$trusted"; then
+		if accessible_file_exists "$trusted" && is_supported_keyring "$trusted"; then
 		    $ACTION "$trusted" "$@"
 		fi
 	    done

diff --git a/test/integration/framework b/test/integration/framework
@@ -1497,6 +1497,10 @@ testempty() {
 	aptautotest 'testempty' "$@"
 	msggroup
 }
+testwarningempty() {
+	testwarning "$@"
+	testfailure grep -v '^W:' "${ROOTDIR}/tmp/testwarning.output"
+}
 testnotempty() {
 	msggroup 'testnotempty'
 	msgtest "Test for some output of" "$*"
@@ -1967,7 +1971,7 @@ mapkeynametokeyid() {
 }
 testaptkeys() {
 	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/aptkeylist.output"
-	if ! aptkey list --with-colon | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
+	if ! aptkey list --with-colon 2>/dev/null | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
 		echo -n > "$OUTPUT"
 	fi
 	testfileequal "$OUTPUT" "$(mapkeynametokeyid "$@")"

diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key
@@ -33,55 +33,64 @@ testaptkeyskeyring() {
 	local KEYRING="$1"
 	shift
 	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/aptkeylistkeyring.output"
-	if ! aptkey --keyring "$KEYRING" list --with-colon | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
+	if ! aptkey --keyring "$KEYRING" list --with-colon 2>/dev/null | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
 		echo -n > "$OUTPUT"
 	fi
 	testfileequal "$OUTPUT" "$(mapkeynametokeyid "$@")"
 }
-
+testsuccessempty() {
+	testempty "$@"
+}
 testrun() {
 	local EXT="${1:-gpg}"
+	local TESTSTATE="${2:-testsuccess}"
 	echo "APT::Key::ArchiveKeyring \"${KEYDIR}/joesixpack.pub.gpg\";
 APT::Key::RemovedKeys \"${KEYDIR}/rexexpired.pub.gpg\";" > "${ROOTDIR}/etc/apt/apt.conf.d/aptkey.conf"
 
 	cleanplate
 	ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testaptkeys 'Joe Sixpack'
 
-	testsuccess aptkey list
+	${TESTSTATE} aptkey list
 	msgtest 'Check that paths in list output are not' 'double-slashed'
-	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/testsuccess.output"
+	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/${TESTSTATE}.output"
 
-	testsuccess aptkey finger
+	${TESTSTATE} aptkey finger
 	msgtest 'Check that paths in finger output are not' 'double-slashed'
-	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/testsuccess.output"
+	testfailure --nomsg grep '//' "${ROOTDIR}/tmp/${TESTSTATE}.output"
 
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${KEYDIR}/joesixpack.pub.${EXT}.bak"
-	testequalor2 'gpg: key DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
+	if [ "$TESTSTATE" = 'testwarning' ]; then
+		testwarning aptkey --fakeroot update
+		testsuccess grep '^gpg: key .*DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed$' "${ROOTDIR}/tmp/testwarning.output"
+		testsuccess grep '^W: .* are ignored as the file has an unsupported filetype' "${ROOTDIR}/tmp/testwarning.output"
+	else
+		testequalor2 'gpg: key DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1' 'gpg: key 5A90D141DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1' aptkey --fakeroot update
+	fi
 	testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${KEYDIR}/joesixpack.pub.${EXT}.bak"
 
 	testaptkeys 'Joe Sixpack'
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg"
 
-	testsuccess aptkey --fakeroot add "${KEYDIR}/rexexpired.pub.${EXT}"
+	${TESTSTATE} aptkey --fakeroot add "${KEYDIR}/rexexpired.pub.${EXT}"
 	testfilestats "${ROOTDIR}/etc/apt/trusted.gpg" '%a' '=' '644'
 
 	testaptkeys 'Rex Expired' 'Joe Sixpack'
 
 	msgtest 'Check that Sixpack key can be' 'exported'
-	aptkey export 'Sixpack' > "${TMPWORKINGDIRECTORY}/aptkey.export"
+	aptkey export 'Sixpack' > "${TMPWORKINGDIRECTORY}/aptkey.export" 2>/dev/null
 	aptkey --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}" exportall > "${TMPWORKINGDIRECTORY}/aptkey.exportall"
 	testsuccess --nomsg cmp "${TMPWORKINGDIRECTORY}/aptkey.export" "${TMPWORKINGDIRECTORY}/aptkey.exportall"
 	testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.export"
 	testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.exportall"
 
 	msgtest 'Execute update again to trigger removal of' 'Rex Expired key'
-	testsuccess --nomsg aptkey --fakeroot update
+	${TESTSTATE} --nomsg aptkey --fakeroot update
 
 	testaptkeys 'Joe Sixpack'
 
@@ -90,27 +99,27 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
 	testaptkeys 'Joe Sixpack'
 
-	testsuccess aptkey --fakeroot del DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} aptkey --fakeroot del DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 
 	ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testaptkeys 'Joe Sixpack'
 	msgtest "Remove a key from" 'forced keyring in trusted.d.gpg'
 	testsuccess --nomsg aptkey --fakeroot --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}" del DBAC8DAE
 	testsuccess cmp -s "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
-	testempty aptkey list
+	"${TESTSTATE}empty" aptkey list
 
 	cp -a "${KEYDIR}/marvinparanoid.pub.asc" "${ROOTDIR}/etc/foobar.pub"
 	testsuccess aptkey --fakeroot --keyring "${ROOTDIR}/etc/foobar.pub" add "${KEYDIR}/rexexpired.pub.asc" "${KEYDIR}/joesixpack.pub.gpg"
 	testfilestats "${ROOTDIR}/etc/foobar.pub" '%a' '=' '644'
 	testaptkeyskeyring "${ROOTDIR}/etc/foobar.pub" 'Marvin Paranoid' 'Rex Expired' 'Joe Sixpack'
-	testempty aptkey list
+	"${TESTSTATE}empty" aptkey list
 
 	msgtest 'Test key removal with' 'lowercase key ID' #keylength somewhere between 8byte and short
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del d141dbac8dae
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del d141dbac8dae
+	"${TESTSTATE}empty" aptkey list
 
 	if [ "$(id -u)" != '0' ]; then
 		msgtest 'Test key removal with' 'unreadable key'
@@ -129,17 +138,17 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	msgtest 'Test key removal with' 'single key in real file'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	msgtest 'Test key removal with' 'different key specs'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	cp -a "${KEYDIR}/marvinparanoid.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del 0xDBAC8DAE 528144E2
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del 0xDBAC8DAE 528144E2
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.${EXT}"
@@ -148,54 +157,54 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	msgtest 'Test key removal with' 'long key ID'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	msgtest 'Test key removal with' 'fingerprint'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	msgtest 'Test key removal with' 'spaced fingerprint'
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del '34A8 E9D1 8DB3 20F3 67E8 EAA0 5A90 D141 DBAC 8DAE'
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del '34A8 E9D1 8DB3 20F3 67E8 EAA0 5A90 D141 DBAC 8DAE'
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	msgtest 'Test key removal with' 'single key in softlink'
 	cleanplate
 	ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
-	testempty aptkey list
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
+	"${TESTSTATE}empty" aptkey list
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
 	cleanplate
-	testsuccess aptkey --fakeroot add "${KEYDIR}/joesixpack.pub.${EXT}"
+	${TESTSTATE} aptkey --fakeroot add "${KEYDIR}/joesixpack.pub.${EXT}"
 	ln -sf "$(readlink -f "${KEYDIR}/marvinparanoid.pub.${EXT}")" "${KEYDIR}/marvin paránöid.pub.${EXT}"
-	testsuccess aptkey --fakeroot add "${KEYDIR}/marvin paránöid.pub.${EXT}"
+	${TESTSTATE} aptkey --fakeroot add "${KEYDIR}/marvin paránöid.pub.${EXT}"
 	testaptkeys 'Joe Sixpack' 'Marvin Paranoid'
 	cp -a "${ROOTDIR}/etc/apt/trusted.gpg" "${KEYDIR}/testcase-multikey.pub.gpg" # store for reuse
 	gpg --no-default-keyring --keyring "${KEYDIR}/testcase-multikey.pub.gpg" --armor --export > "${KEYDIR}/testcase-multikey.pub.asc"
 
 	msgtest 'Test key removal with' 'multi key in real file'
 	cleanplate
 	cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 	testsuccess cmp "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
 
 	msgtest 'Test key removal with' 'multi key in softlink'
 	cleanplate
 	ln -s "$(readlink -f "${KEYDIR}/testcase-multikey.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 	testsuccess cmp "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
 	testfailure test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
@@ -205,7 +214,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	cleanplate
 	cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
-	testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
+	${TESTSTATE} --nomsg aptkey --fakeroot del DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 	testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
 	testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
@@ -216,15 +225,15 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 	cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
 	testaptkeys 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
 	msgtest 'Test merge-back of' 'added keys'
-	testsuccess --nomsg aptkey adv --batch --yes --import "${KEYDIR}/rexexpired.pub.${EXT}"
+	${TESTSTATE} --nomsg aptkey adv --batch --yes --import "${KEYDIR}/rexexpired.pub.${EXT}"
 	testaptkeys 'Rex Expired' 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
 
 	msgtest 'Test merge-back of' 'removed keys'
-	testsuccess --nomsg aptkey adv --batch --yes --delete-keys 27CE74F9
+	${TESTSTATE} --nomsg aptkey adv --batch --yes --delete-keys 27CE74F9
 	testaptkeys 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
 
 	msgtest 'Test merge-back of' 'removed duplicate keys'
-	testsuccess --nomsg aptkey adv --batch --yes --delete-keys DBAC8DAE
+	${TESTSTATE} --nomsg aptkey adv --batch --yes --delete-keys DBAC8DAE
 	testaptkeys 'Marvin Paranoid'
 
 	cleanplate
@@ -246,7 +255,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 		if [ -n "$GPGV" ] && ! command dpkg -l gnupg1 2>&1 | grep -q '^ii'; then continue; fi
 
 		msgtest 'Test verify a file' 'with all keys'
-		testsuccess --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+		${TESTSTATE} --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
 		if [ "$(id -u)" != '0' ]; then
 			msgtest 'Test verify a file' 'with unreadable key'
@@ -274,7 +283,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
 		# note: this isn't how apts gpgv method implements keyid for verify
 		msgtest 'Test verify a file' 'with good keyid'
-		testsuccess --nomsg aptkey --quiet --readonly --keyid 'Paranoid' verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+		${TESTSTATE} --nomsg aptkey --quiet --readonly --keyid 'Paranoid' verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
 		msgtest 'Test fail verify a file' 'with bad keyid'
 		testfailure --nomsg aptkey --quiet --readonly --keyid 'Sixpack' verify "${SIGNATURE}.gpg" "${SIGNATURE}"
@@ -287,7 +296,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
 		# try to perform an entire update with this gpgv
 		rm -rf "${ROOTDIR}/var/lib/apt/lists"
-		testsuccess apt update -o Test::Dir="${ROOTDIR}"
+		${TESTSTATE} apt update -o Test::Dir="${ROOTDIR}"
 	done
 	rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"
 
@@ -310,7 +319,7 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 		if [ -n "$GPGV" ] && ! command dpkg -l gnupg1 2>&1 | grep -q '^ii'; then continue; fi
 
 		msgtest 'Test verify a doublesigned file' 'with all keys'
-		testsuccess --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+		${TESTSTATE} --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
 		msgtest 'Test verify a doublesigned file' 'with good keyring joe'
 		testmultigpg --keyring "${KEYDIR}/joesixpack.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
@@ -389,3 +398,15 @@ testrun
 msgmsg 'Tests to be run with' 'asc files'
 rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgcmd"
 testrun 'asc'
+
+msgmsg 'Tests to be run with' 'bad files'
+# don't let the plate be so clean anymore
+cleanplate() {
+	rm -rf "${ROOTDIR}/etc/apt/trusted.gpg.d/" "${ROOTDIR}/etc/apt/trusted.gpg"
+	mkdir "${ROOTDIR}/etc/apt/trusted.gpg.d/"
+	touch "${ROOTDIR}/etc/apt/trusted.gpg.d/emptyfile.gpg"
+	touch "${ROOTDIR}/etc/apt/trusted.gpg.d/emptyfile.asc"
+	echo 'broken' > "${ROOTDIR}/etc/apt/trusted.gpg.d/brokenfile.gpg"
+	echo 'broken' > "${ROOTDIR}/etc/apt/trusted.gpg.d/brokenfile.asc"
+}
+testrun 'gpg' 'testwarning'