1
0
mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-16 11:50:10 +01:00
Commit Graph

111 Commits

Author SHA1 Message Date
Hans-Christoph Steiner
3011953d0e convert apkcache from pickle to JSON
pickle can serialize executable code, while JSON is only ever pure data.
The APK cache is only ever pure data, so no need for the security risks of
pickle.  For example, if some malicious thing gets write access on the
`fdroid update` machine, it can write out a custom tmp/apkcache which would
then be executed.  That is not possible with JSON.

This does just ignore any existing cache and rebuilds from scratch. That is
so we don't need to maintain pickle anywhere, and to ensure there are no
glitches from a conversion from pickle to JSON.

closes #163
2018-09-03 18:07:40 +02:00
Michael Pöhn
28ec93c587 fix: run all testcase in tests/run-tests 2018-08-06 23:53:49 +02:00
Hans-Christoph Steiner
669401640a tests: only run gpgsign tests if gpg is present and executable
This allows the full test suite to run in Debian/Ubuntu autopkgtest with
only the Depends: installed, and nothing from Recommends:.
2018-06-25 10:52:12 +02:00
Hans-Christoph Steiner
5ff1b5ef37 verify: exit with error code if any APK fails to verify 2018-05-25 11:56:13 +02:00
Hans-Christoph Steiner
0a15a9b65b tests: fix and test fdroid deploy 2018-05-25 10:32:09 +02:00
Hans-Christoph Steiner
1daa1063c5 tests: keep strerr totally clean on successful runs
Debian's autopkgtest defaults to considering any output on stderr as a sign
that the tests failed.  it is simple to make this achieve that standard, so
it seems worth it for now at least.
2018-05-25 10:32:01 +02:00
Marcus Hoffmann
a4b6549927
tests: adapt to spdx v4.0.0 2018-05-16 22:49:57 +02:00
Hans-Christoph Steiner
f0795cc092 tests: git repo mirror tests require git >= 2.3 2018-05-14 15:25:33 +02:00
Hans-Christoph Steiner
2d3e7ef950 tests: allow tests to run without any Android SDK installed 2018-05-14 15:25:33 +02:00
Hans-Christoph Steiner
77f7ca2f25 tests: allow the full suite to run without aapt, only androguard 2018-05-04 15:11:25 +02:00
Hans-Christoph Steiner
9cc8826a79 tests: allow running with only androguard, no Android SDK 2018-05-04 15:11:25 +02:00
Hans-Christoph Steiner
74c6555c71 index: ensure index.xml timestamp is in UTC, closes #481
use verbose but safe syntax so this works with all versions of sed, e.g. osx
2018-04-25 16:35:22 +02:00
Hans-Christoph Steiner
7d79780df0 tests: checkupdates now requires a clean git repo state 2018-03-06 20:50:23 +01:00
Hans-Christoph Steiner
089712c012 tests: do not automatically run install.TestCase, its troublesome
`fdroid install` is rarely used, if at all, and the test frequently fails
for no reason in gitlab-ci, because it can't start the adb server.
2018-02-22 15:08:54 +01:00
Hans-Christoph Steiner
173a35b190 tests: only generate keystores when that is actually being tested
Generating a keystore is quite slow since it means a new RSA key is created.
That only needs to happen in the tests that check that it actually happened,
otherwise the test can just reuse the stored test keystore.

closes #432
2017-12-20 23:46:37 +01:00
Hans-Christoph Steiner
bde0558d82 update: reject APKs with invalid file sig, probably Janus exploits
This just checks the first four bytes of the APK file, aka the "file
signature", to make sure it is the ZIP signature and not the DEX signature.
This was checked against the test APK, and I ran it against some known
malware and all of f-droid.org to make sure it works.

All valid ZIP files (therefore APK files) should start with the ZIP
Local File Header of four bytes.

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
2017-12-14 16:57:22 +01:00
Hans-Christoph Steiner
cd3e763953 tests: only test fdroid build if the right build-tools is installed 2017-11-09 14:07:40 +01:00
Hans-Christoph Steiner
a14124955a tests: fix fdroid build test with Debian gradle 2017-11-09 13:11:49 +01:00
Michael Pöhn
a2d361dec8 add test for index-v1.json 2017-09-26 14:12:59 +02:00
Hans-Christoph Steiner
2764c43fa2 tests: use ci-test-app with current Gradle Android Plugin
This works around the gradle 2.x bug where versions newer than 2.9 cannot
run things.  This also then specifies the version of Gradle Android Plugin
that is included in Debian/stretch.
2017-09-19 20:16:08 +02:00
Hans-Christoph Steiner
dc569b9c18 tests: support Java setups where MD5 is not disabled by default
For platforms using Java < 1.8.0_133, MD5 is still enabled for JAR
signatures.  Its just too painful to manage all this, so support this
in the tests.
2017-09-19 20:16:08 +02:00
Hans-Christoph Steiner
373b46ab3f tests: don't run gpgsign tests on Travis CI's OSX, gpg always fails 2017-09-19 20:16:08 +02:00
Hans-Christoph Steiner
bc192b6be0 tests: prefer GNU sed on BSD/OSX, BSD's sed has lame syntax
https://blog.remibergsma.com/2012/09/18/sed-inline-editing-different-on-mac-osx/
2017-09-19 20:13:36 +02:00
Hans-Christoph Steiner
176f539647 allow spaces in filenames
This fixes all the bugs I could find that prevented fdroid from
handling files with spaces in them.  This is more important now that
fdroid supports random media files, and Repomaker
2017-09-19 20:13:36 +02:00
Hans-Christoph Steiner
6adf309bef tests: move test APK with bad unicode filename to separate test
This filename has some messed up bytes related to bi-directional script
that is included (Left-to-Right and Right-to-Left).  GNU/Linux always
interprets filenames as pure byte sequences.  Windows and OSX store
filenames as Unicode strings.  So on OSX, the invalid filename gets
converted to a valid name.  That works fine, but the test fails because it
is compared to a file generated on Ubuntu, where it preserves the byte
sequence.

This includes an APK with a valid Unicode filename that includes
bi-directional script.
2017-09-19 20:13:36 +02:00
Hans-Christoph Steiner
5dcb48831f index: always use jarsigner for verifying JAR signatures
apksigner v0.7 (build-tools 26.0.1), Google made it require that the
AndroidManifest.xml was present in the archive before it verifies the
signature.  So this needs to stick with the jarsigner hack for JARs.
2017-09-19 20:13:36 +02:00
Marcus Hoffmann
34f79b876c tests: don't touch config.py, no config is fine now 2017-09-14 02:15:57 +02:00
Hans-Christoph Steiner
523b5f4777 server: smooth out btlog transfer for offline signing setups
It turns out it is error prone to `git push` to a non-bare git repo. For
the offline signing machine, the git remote needs to be a regular git repo
in a directory on a thumbdrive so that once the thumbdrive is plugged into
an online machine, that git repo can be transferred to the online machine.
2017-07-17 11:38:15 +02:00
Hans-Christoph Steiner
25f96e1911 ensure that mirror URLs always include the repodir
Since the mirror URLs are per repo section (repo/archive), the mirror URLs
must include the repodir at the end.  This was missing for servergitmirrors

found by @cde when working on fdroidclient#35
2017-07-07 15:50:11 +02:00
Hans-Christoph Steiner
5f0817d7bf tests: make sure apkcache gets created 2017-07-03 10:02:51 +02:00
Hans-Christoph Steiner
746d4bd4cf update: allow_disabled_algorithms option to keep MD5 sigs in repo
The new policy is to move APKs with invalid signatures to the archive,
and only add those APKs to the archive's index if they have valid MD5
signatures.

closes #323
closes #292
2017-07-03 10:02:51 +02:00
Hans-Christoph Steiner
e1492148fa fix "Archive Policy:" field, APKs can move in/out of archive
The original logic was checking keepversions against the len() of ALL the
APKs in the repo/archive.  The correct thing is to check against the
number of APKs available for the given packageName/appid.

closes #166
2017-06-28 23:53:42 +02:00
Hans-Christoph Steiner
be2926ffc8 tests: test moving files to and from the archive
#166
2017-06-28 23:53:42 +02:00
Hans-Christoph Steiner
ceac6d25cb index.xml cannot handle APKs with the same packageName/versionCode
Really, it is the fdroidclient parser of index.xml that fails, due to the
hardcoded expectation that there will only ever be a single APK for any
given versionCode.  We keep index.xml backwards compatible for old
clients, and use index-v1.json to support new things.  Having multiple
APKs that have the same packageName and versionCode will break the client
v0.103.* since that version uses index-v1.json, but still has the hard-
coded database parsing stuff.

#153
2017-06-01 16:01:05 +02:00
Hans-Christoph Steiner
4053f03d77 update: add --rename-apks to force APK filenames to fdroid standard
uses the standard package.name_123.apk.  If that exists, it appends the
shasum.  If that exists, then its a duplicate, so its deleted. This should
help @SergeWinters with his 12,000 APKs.
2017-06-01 16:01:05 +02:00
Hans-Christoph Steiner
0f4cbc7224 allow APKs with same packageName/versionCode but different signer
There are many APKs out in the wild that claim to be the same app and
version and each other, but they are signed by different keys.  fdroid
should be able to index these, and work with them.   This supports having
the developer's signature via reproducible builds, random collections of
APKs like repomaker, etc.
2017-06-01 10:30:41 +02:00
Hans-Christoph Steiner
afac1b2efd add basic test for fdroid scanner
There was no test coverage at all for this command, this is a very basic
test that should prevent things like 2626858450
2017-05-30 21:13:49 +02:00
Hans-Christoph Steiner
114d5dc8c6 make tests pass new lint rules 2017-05-26 21:03:38 +02:00
Hans-Christoph Steiner
31d92367ed git mirror test requires git >= 2.3 2017-04-13 00:49:36 +02:00
Hans-Christoph Steiner
17219d56f4 server: support git mirrors with the offline signing setup 2017-04-12 15:04:04 +02:00
Hans-Christoph Steiner
f75b547795 server: remove unused --sync-from-local-copy-dir
This option was not hooked up at all, and does not make sense as a command
line argument.  It should just be a config.py item.  In that case, the
presence of config.py marks the current dir as a repo, so there is no
longer a need to test for a dir called repo/ as a safety.  This makes the
setup easier, since sync_from_localcopy() now creates repo/ for the user.
2017-04-12 00:45:22 +02:00
Hans-Christoph Steiner
299ba86948 server: git push for binary transparency in fdroid server update
Since `fdroid server update` is the place where all uploads to servers
happens, it makes sense to also handle the git push for the binary
transparency log here instead of `fdroid btlog`
2017-04-10 23:02:12 +02:00
Hans-Christoph Steiner
136d58dbae btlog: test with fdroid update without requiring ssh access
Yay git!  Just use a filesystem git remote instead of ssh.
2017-04-03 23:17:03 +02:00
Hans-Christoph Steiner
866528de5b signindex: support signing index-v1.jar
This is a bit different than index.jar: instead of their being index.xml
and index_unsigned.jar, the presense of index-v1.json means that there is
unsigned data.  That file is then stuck into a jar and signed by the
signing process.  index-v1.json is never published to the repo.  It is
included in the binary transparency log, if that is enabled.
2017-03-17 14:12:03 +01:00
Hans-Christoph Steiner
713d9195c3 ensure that app.Categories is always a list of strings
This just makes it easier for people writing build recipes.  Rewriting will
output a list of strings as well.

The test index.xml and categories.txt are updated to include the new number
categories, and the changed CurrentVersionCode to 2147483647 (MAX_VALUE)
2017-03-17 13:55:40 +01:00
Hans-Christoph Steiner
c9aa26d89e add index V1 format, a direct translation of internal dict
Python encode/decode libs work directly with dicts, so the internal dict
can just be passed directly to any of these libs (pyyaml, pyjson, msgpack,
simplejson, etc).  This still generates the exact same index.xml as before.

This converts the internal format for the repo timestamp to a datetime
instance, which can be easily converted to UNIX time in seconds for XML
and UNIX time in milliseconds for the new index formats.  UNIX time in
milliseconds is directly serialized into a java.util.Date instance by
Jackson.
2017-03-17 13:55:40 +01:00
Hans-Christoph Steiner
a737255ce4 add a simple test of the binary transparency log
This makes sure it gets generated with two commits: README and first log.
2017-03-16 19:22:32 +01:00
Hans-Christoph Steiner
8decd3b504 remove TeX manual, it moved to https://gitlab.com/fdroid/fdroid-website
The whole TeX manual has been folded into the new Jekyll-based website, so
this is no longer needed at all.
2017-02-24 14:01:31 +01:00
Hans-Christoph Steiner
4e39621601 provide warning if config items will not preserve order
If a group of items are enclosed in {}, then that will be a Python set,
which does not preserve order.  To preserve order, the data must be either
a tuple () or list [].
2017-02-24 11:01:01 +01:00
Hans-Christoph Steiner
388c336e76 build: ensure test is running on git commit that this code works with
Since https://gitlab.com/fdroid/ci-test-app is a separate git repo, things
with incompatible changes could get out of sync.  Therefore, this test
should specify which git commit is runs against.

For example, the .fdroid.yml file is still a moving target.  Just now, the
keys had the spaces removed as part of this MR.
2017-02-24 11:01:01 +01:00