keep Release.gpg on untrusted to trusted IMS-Hit

A user relying on the deprecated behaviour of apt-get to accept a source with an unknown pubkey to install a package containing the key expects that the following 'apt-get update' causes the source to be considered as trusted, but in case the source hadn't changed in the meantime this wasn't happening: The source kept being untrusted until the Release file was changed. This only effects sources not using InRelease and only apt-get, the apt binary downright refuses this course of actions, but it is a common way of adding external sources. Closes: 838779 (cherry picked from commit 84eec20) LP: #1657440 (cherry picked from commit 5605c98)
Debian · Feb 22, 2017 · 2a6d2e9 · 2a6d2e9
1 parent 9bacab3
commit 2a6d2e9
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 3 deletions.
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
@@ -1666,10 +1666,16 @@ void pkgAcqMetaSig::Done(string const &Message, HashStringList const &Hashes,
    }
    else if(MetaIndex->CheckAuthDone(Message) == true)
    {
-      if (TransactionManager->IMSHit == false)
+      auto const Releasegpg = GetFinalFilename();
+      auto const Release = MetaIndex->GetFinalFilename();
+      // if this is an IMS-Hit on Release ensure we also have the the Release.gpg file stored
+      // (previously an unknown pubkey) – but only if the Release file exists locally (unlikely
+      // event of InRelease removed from the mirror causing fallback but still an IMS-Hit)
+      if (TransactionManager->IMSHit == false ||
+	    (FileExists(Releasegpg) == false && FileExists(Release) == true))
       {
-	 TransactionManager->TransactionStageCopy(this, DestFile, GetFinalFilename());
-	 TransactionManager->TransactionStageCopy(MetaIndex, MetaIndex->DestFile, MetaIndex->GetFinalFilename());
+	 TransactionManager->TransactionStageCopy(this, DestFile, Releasegpg);
+	 TransactionManager->TransactionStageCopy(MetaIndex, MetaIndex->DestFile, Release);
       }
    }
 }

diff --git a/test/integration/test-bug-838779-untrusted-to-trusted-Release-hit b/test/integration/test-bug-838779-untrusted-to-trusted-Release-hit
@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+
+buildsimplenativepackage 'foo' 'all' '1' 'stable'
+
+export APT_DONT_SIGN=''
+setupaptarchive --no-update
+
+changetowebserver
+
+testsuccess aptget update
+testdpkgnotinstalled 'foo'
+testsuccess apt install foo -y
+testdpkginstalled 'foo'
+testsuccess apt purge foo -y
+testdpkgnotinstalled 'foo'
+
+msgmsg 'Untrusted to trusted hit' 'InRelease'
+rm -rf rootdir/var/lib/apt/lists rootdir/var/cache/apt/archives
+mv rootdir/etc/apt/trusted.gpg.d rootdir/etc/apt/trusted.gpg.d-bak
+testwarning aptget update
+testfailure apt install foo -y
+testdpkgnotinstalled 'foo'
+mv rootdir/etc/apt/trusted.gpg.d-bak rootdir/etc/apt/trusted.gpg.d
+testsuccess aptget update
+testsuccess apt install foo -y
+testdpkginstalled 'foo'
+testsuccess apt purge foo -y
+testdpkgnotinstalled 'foo'
+
+msgmsg 'Untrusted to trusted hit' 'Release.gpg'
+find aptarchive -name 'InRelease' -delete
+rm -rf rootdir/var/lib/apt/lists rootdir/var/cache/apt/archives
+mv rootdir/etc/apt/trusted.gpg.d rootdir/etc/apt/trusted.gpg.d-bak
+testwarning aptget update
+testfailure apt install foo -y
+testdpkgnotinstalled 'foo'
+mv rootdir/etc/apt/trusted.gpg.d-bak rootdir/etc/apt/trusted.gpg.d
+testsuccess aptget update
+testsuccess apt install foo -y
+testdpkginstalled 'foo'