From d243cbd030f5112bfcfee65daed38c444aeb3da9 Mon Sep 17 00:00:00 2001
From: linsui
Date: Fri, 3 May 2024 20:00:14 +0800
Subject: [PATCH] lint: blocklist known AOSP debug keys in AASK

---
 fdroidserver/lint.py | 8 +++++++-
 tests/lint.TestCase  | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/fdroidserver/lint.py b/fdroidserver/lint.py
index fd3d99d8..351667ba 100644
--- a/fdroidserver/lint.py
+++ b/fdroidserver/lint.py
@@ -722,7 +722,13 @@ def check_updates_ucm_http_aum_pattern(app):  # noqa: D403
 
 
 def check_certificate_pinned_binaries(app):
-    if len(app.get('AllowedAPKSigningKeys')) > 0:
+    keys = app.get('AllowedAPKSigningKeys')
+    known_keys = common.config.get('apk_signing_key_block_list', [])
+    if keys:
+        if known_keys:
+            for key in keys:
+                if key in known_keys:
+                    yield _('Known debug key is used in AllowedAPKSigningKeys: ') + key
         return
     if app.get('Binaries') is not None:
         yield _(
diff --git a/tests/lint.TestCase b/tests/lint.TestCase
index 55c314b0..e8e1efba 100755
--- a/tests/lint.TestCase
+++ b/tests/lint.TestCase
@@ -438,6 +438,25 @@ class LintTest(unittest.TestCase):
         with self.assertRaises(TypeError):
             fdroidserver.lint.lint_config('mirrors.yml')
 
+    def test_lint_known_debug_keys(self):
+        config = dict()
+        fdroidserver.common.fill_config_defaults(config)
+        config['apk_signing_key_block_list'] = [
+            'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
+        ]
+        fdroidserver.common.config = config
+        fdroidserver.lint.config = config
+
+        app = fdroidserver.metadata.App()
+        app.AllowedAPKSigningKeys = [
+            'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
+        ]
+
+        for warn in fdroidserver.lint.check_certificate_pinned_binaries(app):
+            anywarns = True
+            logging.debug(warn)
+        self.assertTrue(anywarns)
+
 
 class LintAntiFeaturesTest(unittest.TestCase):
     def setUp(self):
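Review bot: The blocklist is read only from `common.config.get('apk_signing_key_block_list', [])`, so unless `fill_config_defaults` (not visible here) seeds that key, a default install never flags anything and the known AOSP debug keys named in the subject are caught only where an operator configures them by hand. If the defaults are empty, ship the well-known fingerprints as a module constant and merge them, e.g. `known_keys = set(KNOWN_DEBUG_KEYS) | set(common.config.get('apk_signing_key_block_list', []))`. The membership test is exact-string, so it only works if the metadata values and the configured list use the same case; whether the metadata parser lowercases `AllowedAPKSigningKeys` is not visible here, so `key.lower()` on both sides would be a cheap safeguard. The nested `if keys:` / `if known_keys:` / `for key in keys:` can be flattened to `for key in keys: if key in known_keys:` since membership in an empty list is already false. `check_certificate_pinned_binaries` continues past the end of the hunk.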
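Review bot: `anywarns` is first assigned inside the `for` loop, so if `check_certificate_pinned_binaries` yields nothing the final `self.assertTrue(anywarns)` raises `UnboundLocalError` instead of reporting a clean assertion failure; add `anywarns = False` before the loop. The test also overwrites the module globals `fdroidserver.common.config` and `fdroidserver.lint.config` with a dict carrying the blocklist and never restores them, so later tests in the same process may run with this blocklist unless a `setUp`/`tearDown` outside the hunk resets them. Registering the restore with `self.addCleanup(...)` would keep the fixture isolated. The enclosing `LintTest` class starts outside the hunk.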