From d243cbd030f5112bfcfee65daed38c444aeb3da9 Mon Sep 17 00:00:00 2001
From: linsui <linsui555@gmail.com>
Date: Fri, 3 May 2024 20:00:14 +0800
Subject: [PATCH 1/3] lint: blocklist known AOSP debug keys in AASK

---
 fdroidserver/lint.py |  8 +++++++-
 tests/lint.TestCase  | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/fdroidserver/lint.py b/fdroidserver/lint.py
index fd3d99d8..351667ba 100644
--- a/fdroidserver/lint.py
+++ b/fdroidserver/lint.py
@@ -722,7 +722,13 @@ def check_updates_ucm_http_aum_pattern(app):  # noqa: D403
 
 
 def check_certificate_pinned_binaries(app):
-    if len(app.get('AllowedAPKSigningKeys')) > 0:
+    keys = app.get('AllowedAPKSigningKeys')
+    known_keys = common.config.get('apk_signing_key_block_list', [])
+    if keys:
+        if known_keys:
+            for key in keys:
+                if key in known_keys:
+                    yield _('Known debug key is used in AllowedAPKSigningKeys: ') + key
         return
     if app.get('Binaries') is not None:
         yield _(
diff --git a/tests/lint.TestCase b/tests/lint.TestCase
index 55c314b0..e8e1efba 100755
--- a/tests/lint.TestCase
+++ b/tests/lint.TestCase
@@ -438,6 +438,25 @@ class LintTest(unittest.TestCase):
         with self.assertRaises(TypeError):
             fdroidserver.lint.lint_config('mirrors.yml')
 
+    def test_lint_known_debug_keys(self):
+        config = dict()
+        fdroidserver.common.fill_config_defaults(config)
+        config['apk_signing_key_block_list'] = [
+            'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
+        ]
+        fdroidserver.common.config = config
+        fdroidserver.lint.config = config
+
+        app = fdroidserver.metadata.App()
+        app.AllowedAPKSigningKeys = [
+            'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
+        ]
+
+        for warn in fdroidserver.lint.check_certificate_pinned_binaries(app):
+            anywarns = True
+            logging.debug(warn)
+        self.assertTrue(anywarns)
+
 
 class LintAntiFeaturesTest(unittest.TestCase):
     def setUp(self):

From 14c86479099a4510d650f7392f569f70baab7a91 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Tue, 7 May 2024 10:57:55 +0200
Subject: [PATCH 2/3] add additional tests

---
 tests/lint.TestCase | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tests/lint.TestCase b/tests/lint.TestCase
index e8e1efba..e5a0bd75 100755
--- a/tests/lint.TestCase
+++ b/tests/lint.TestCase
@@ -438,6 +438,32 @@ class LintTest(unittest.TestCase):
         with self.assertRaises(TypeError):
             fdroidserver.lint.lint_config('mirrors.yml')
 
+    def test_check_certificate_pinned_binaries_empty(self):
+        fdroidserver.common.config = {}
+        app = fdroidserver.metadata.App()
+        app.AllowedAPKSigningKeys = [
+            'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
+        ]
+        self.assertEqual(
+            [],
+            list(fdroidserver.lint.check_certificate_pinned_binaries(app)),
+            "when the config is empty, any signing key should be allowed",
+        )
+
+    def test_lint_known_debug_keys_no_match(self):
+        fdroidserver.common.config = {
+            "apk_signing_key_block_list": "a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc"
+        }
+        app = fdroidserver.metadata.App()
+        app.AllowedAPKSigningKeys = [
+            '2fd4fd5f54babba4bcb21237809bb653361d0d2583c80964ec89b28a26e9539e'
+        ]
+        self.assertEqual(
+            [],
+            list(fdroidserver.lint.check_certificate_pinned_binaries(app)),
+            "A signing key that does not match one in the config should be allowed",
+        )
+
     def test_lint_known_debug_keys(self):
         config = dict()
         fdroidserver.common.fill_config_defaults(config)

From 9a9b5beeaa35335192acad446c895f85b7d7e3a6 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Tue, 7 May 2024 13:19:57 +0200
Subject: [PATCH 3/3] simplify test setup

I'm in the midst of working towards getting rid of the "config" instances
that are in the subcommand module, e.g. `fdroidserver.lint.config`
---
 tests/lint.TestCase | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/tests/lint.TestCase b/tests/lint.TestCase
index e5a0bd75..5dd94d4b 100755
--- a/tests/lint.TestCase
+++ b/tests/lint.TestCase
@@ -465,19 +465,13 @@ class LintTest(unittest.TestCase):
         )
 
     def test_lint_known_debug_keys(self):
-        config = dict()
-        fdroidserver.common.fill_config_defaults(config)
-        config['apk_signing_key_block_list'] = [
-            'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
-        ]
-        fdroidserver.common.config = config
-        fdroidserver.lint.config = config
-
+        fdroidserver.common.config = {
+            'apk_signing_key_block_list': 'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
+        }
         app = fdroidserver.metadata.App()
         app.AllowedAPKSigningKeys = [
             'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
         ]
-
         for warn in fdroidserver.lint.check_certificate_pinned_binaries(app):
             anywarns = True
             logging.debug(warn)