1
0
mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-20 13:50:12 +01:00
fdroidserver/tests/run-tests
Hans-Christoph Steiner bde0558d82 update: reject APKs with invalid file sig, probably Janus exploits
This just checks the first four bytes of the APK file, aka the "file
signature", to make sure it is the ZIP signature and not the DEX signature.
This was checked against the test APK, and I ran it against some known
malware and all of f-droid.org to make sure it works.

All valid ZIP files (therefore APK files) should start with the ZIP
Local File Header of four bytes.

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
2017-12-14 16:57:22 +01:00

1090 lines
38 KiB
Bash
Executable File

#!/bin/bash
set -e # quit script on error
echo_header() {
{ echo -e "==============================================================================\n$1"; } 2>/dev/null
}
copy_apks_into_repo() {
set +x
find $APKDIR -type f -name '*.apk' -print0 | while IFS= read -r -d '' f; do
echo $f | grep -F -v -e unaligned -e unsigned -e badsig -e badcert -e bad-unicode -e janus.apk || continue
apk=`$aapt dump badging "$f" | sed -n "s,^package: name='\(.*\)' versionCode='\([0-9][0-9]*\)' .*,\1_\2.apk,p"`
test "$f" -nt repo/$apk && rm -f repo/$apk # delete existing if $f is newer
if [ ! -e repo/$apk ] && [ ! -e archive/$apk ]; then
echo "$f --> repo/$apk"
ln "$f" $1/repo/$apk || \
rsync -axv "$f" $1/repo/$apk # rsync if hard link is not possible
fi
done
set -x
}
# keep this as an old version to test the automatic parsing of build-tools
# verion numbers in `fdroid init`
create_fake_android_home() {
mkdir $1/tools
mkdir $1/platform-tools
mkdir $1/build-tools
mkdir $1/build-tools/19.0.2
touch $1/build-tools/19.0.2/aapt
}
create_test_dir() {
test -e $WORKSPACE/.testfiles || mkdir $WORKSPACE/.testfiles
mktemp -d $WORKSPACE/.testfiles/run-tests.XXXX
}
create_test_file() {
test -e $WORKSPACE/.testfiles || mkdir $WORKSPACE/.testfiles
TMPDIR=$WORKSPACE/.testfiles mktemp
}
# the < is reverse since 0 means success in exit codes
have_git_2_3() {
python3 -c "import sys; from distutils.version import LooseVersion as V; sys.exit(V(sys.argv[3]) < V('2.3'))" `git --version`
}
is_MD5_disabled() {
javac $WORKSPACE/tests/IsMD5Disabled.java && java -cp $WORKSPACE/tests IsMD5Disabled
return $?
}
#------------------------------------------------------------------------------#
# "main"
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
set +x
echo "Usage: $0 '/path/to/folder/with/apks'"
exit 1
fi
if [ -z "$ANDROID_HOME" ]; then
echo "ANDROID_HOME must be set with the path to the Android SDK, i.e.: "
echo " export ANDROID_HOME=/opt/android-sdk"
exit 1
fi
if [ -d tests ]; then
cd tests
fi
if [ -z "$1" ]; then
APKDIR=`pwd`
else
APKDIR=$1
fi
if [ -z $WORKSPACE ]; then
WORKSPACE=`dirname $(pwd)`
echo "Setting Workspace to $WORKSPACE"
fi
# allow the location of the script to be overridden
if [ -z $fdroid ]; then
fdroid="$WORKSPACE/fdroid"
fi
# allow the location of aapt to be overridden
if [ -z $aapt ]; then
aapt=`ls -1 $ANDROID_HOME/build-tools/*/aapt | sort | tail -1`
fi
# allow the location of python to be overridden
if [ -z $python ]; then
python=python3
fi
# try to use GNU sed on OSX/BSD cuz BSD sed sucks
if which gsed; then
sed=gsed
else
sed=sed
fi
set -x # show each command as it is executed
#------------------------------------------------------------------------------#
echo_header "run commit hooks"
cd $WORKSPACE
./hooks/pre-commit
#------------------------------------------------------------------------------#
echo_header "test python getsig replacement"
cd $WORKSPACE/tests/getsig
./make.sh
cd $WORKSPACE/tests
for testcase in $WORKSPACE/tests/*.TestCase; do
$testcase
done
#------------------------------------------------------------------------------#
echo_header "print fdroid version"
$fdroid --version
#------------------------------------------------------------------------------#
echo_header 'run process when building and signing are on separate machines'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/tests/keystore.jks $REPOROOT/
$fdroid init --keystore keystore.jks --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "accepted_formats = ['txt', 'yml']" >> config.py
echo 'keydname = "CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US"' >> config.py
test -d archive || mkdir archive
test -d metadata || mkdir metadata
cp $WORKSPACE/tests/metadata/info.guardianproject.urzip.yml metadata/
test -d repo || mkdir repo
test -d unsigned || mkdir unsigned
cp $WORKSPACE/tests/urzip-release-unsigned.apk unsigned/info.guardianproject.urzip_100.apk
$fdroid publish --verbose
$fdroid update --verbose --nosign
$fdroid signindex --verbose
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
test -e tmp/apkcache
! test -z tmp/apkcache
test -L urzip.apk
grep -F '<application id=' repo/index.xml > /dev/null
#------------------------------------------------------------------------------#
echo_header "test UTF-8 metadata"
REPOROOT=`create_test_dir`
cd $REPOROOT
$fdroid init
$sed -i.tmp 's,^ *repo_description.*,repo_description = """获取已安装在您的设备上的应用的,' config.py
echo "mirrors = ('https://foo.bar/fdroid', 'http://secret.onion/fdroid')" >> config.py
mkdir metadata
cp $WORKSPACE/tests/urzip.apk $WORKSPACE/tests/bad-unicode*.apk repo/
cp $WORKSPACE/tests/metadata/info.guardianproject.urzip.yml metadata/
$fdroid readmeta
$fdroid update
#------------------------------------------------------------------------------#
echo_header 'run "fdroid build" in fresh git checkout from import.TestCase'
cd $WORKSPACE/tests/tmp/importer
git remote update -p
git clean -fdx
# stick with known working commit, in case future commits break things for this code
git reset --hard fea54e1161d5eb9eb1a54e26253ef84d3ab63705
if [ -d $ANDROID_HOME/platforms/android-23 && -d $ANDROID_HOME/build-tools/23.0.3 ]; then
echo "build_tools = '`ls -1 $ANDROID_HOME/build-tools/ | sort -n | tail -1`'" > config.py
echo "force_build_tools = True" >> config.py
$fdroid build --verbose org.fdroid.ci.test.app:300
else
echo 'WARNING: Skipping "fdroid build" test since android-23 is missing!'
fi
#------------------------------------------------------------------------------#
echo_header 'copy git import and run "fdroid scanner" on it'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/examples/fdroid-icon.png $REPOROOT/
mkdir metadata
echo "Auto Name:Just A Test" > metadata/org.fdroid.ci.test.app.txt
echo "Web Site:" >> metadata/org.fdroid.ci.test.app.txt
echo "Build:0.3,300" >> metadata/org.fdroid.ci.test.app.txt
echo " commit=0.3" >> metadata/org.fdroid.ci.test.app.txt
echo " subdir=app" >> metadata/org.fdroid.ci.test.app.txt
echo " gradle=yes" >> metadata/org.fdroid.ci.test.app.txt
echo "" >> metadata/org.fdroid.ci.test.app.txt
echo "Repo:https://gitlab.com/fdroid/ci-test-app.git" >> metadata/org.fdroid.ci.test.app.txt
echo "Repo Type:git" >> metadata/org.fdroid.ci.test.app.txt
mkdir build
cp -a $WORKSPACE/tests/tmp/importer build/org.fdroid.ci.test.app
ls -l build/org.fdroid.ci.test.app
$fdroid scanner org.fdroid.ci.test.app --verbose
#------------------------------------------------------------------------------#
echo_header "copy tests/repo, generate java/gpg keys, update, and gpgsign"
REPOROOT=`create_test_dir`
GNUPGHOME=$REPOROOT/gnupghome
KEYSTORE=$WORKSPACE/tests/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
cp -a $WORKSPACE/tests/metadata $WORKSPACE/tests/repo $WORKSPACE/tests/stats $REPOROOT/
cp -a $WORKSPACE/tests/gnupghome $GNUPGHOME
chmod 0700 $GNUPGHOME
echo "accepted_formats = ['json', 'txt', 'yml']" >> config.py
echo "install_list = 'org.adaway'" >> config.py
echo "uninstall_list = ('com.android.vending', 'com.facebook.orca',)" >> config.py
echo "gpghome = '$GNUPGHOME'" >> config.py
echo "gpgkey = 'CE71F7FB'" >> config.py
echo "mirrors = ('http://foobarfoobarfoobar.onion/fdroid','https://foo.bar/fdroid',)" >> config.py
$fdroid update --verbose --pretty
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
grep -F '<application id=' repo/index.xml > /dev/null
grep -F '<install packageName=' repo/index.xml > /dev/null
grep -F '<uninstall packageName=' repo/index.xml > /dev/null
# OSX tests are run on Travis-CI, and gpg fails to launch gpg-agent there
if [ "$TRAVIS_OS_NAME" != "osx" ]; then
$fdroid gpgsign --verbose
$fdroid gpgsign --verbose
test -e repo/obb.mainpatch.current_1619.apk.asc
test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc
! test -e repo/obb.mainpatch.current_1619.apk.asc.asc
! test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc.asc
! test -e repo/index.xml.asc
fi
# we can't easily reproduce the timestamps for things, so just hardcode them
$sed -i.tmp -e 's,timestamp="[0-9]*",timestamp="1480431575",' repo/index.xml
diff -uw $WORKSPACE/tests/repo/index.xml repo/index.xml
sed -i --expression='s,"timestamp": [0-9]*,"timestamp": 1502845383782,' repo/index-v1.json
diff -uw $WORKSPACE/tests/repo/index-v1.json repo/index-v1.json
#------------------------------------------------------------------------------#
echo_header 'test moving lots of APKs to the archive'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/tests/keystore.jks $REPOROOT/
$fdroid init --keystore keystore.jks --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "accepted_formats = ['txt']" >> config.py
$sed -i.tmp '/allow_disabled_algorithms/d' config.py
test -d metadata || mkdir metadata
cp $WORKSPACE/tests/metadata/*.txt metadata/
echo 'Summary:good test version of urzip' > metadata/info.guardianproject.urzip.txt
echo 'Summary:good MD5 sig, which is disabled algorithm' > metadata/org.bitbucket.tickytacky.mirrormirror.txt
$sed -i.tmp '/Archive Policy:/d' metadata/*.txt
test -d repo || mkdir repo
cp $WORKSPACE/tests/urzip.apk \
$WORKSPACE/tests/org.bitbucket.tickytacky.mirrormirror_[0-9].apk \
$WORKSPACE/tests/repo/com.politedroid_[0-9].apk \
$WORKSPACE/tests/repo/obb.main.twoversions_110161[357].apk \
repo/
$sed -i.tmp 's,archive_older = [0-9],archive_older = 3,' config.py
$fdroid update --pretty --nosign
echo "This will fail when jarsigner allows MD5 for APK signatures"
test `grep '<package>' archive/index.xml | wc -l` -eq 5
test `grep '<package>' repo/index.xml | wc -l` -eq 7
#------------------------------------------------------------------------------#
echo_header 'test per-app "Archive Policy"'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/tests/keystore.jks $REPOROOT/
$fdroid init --keystore keystore.jks --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "accepted_formats = ['txt']" >> config.py
test -d metadata || mkdir metadata
cp $WORKSPACE/tests/metadata/com.politedroid.txt metadata/
test -d repo || mkdir repo
cp $WORKSPACE/tests/repo/com.politedroid_[0-9].apk repo/
$sed -i.tmp 's,archive_older = [0-9],archive_older = 3,' config.py
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 0
test `grep '<package>' repo/index.xml | wc -l` -eq 4
grep -F com.politedroid_3.apk repo/index.xml
grep -F com.politedroid_4.apk repo/index.xml
grep -F com.politedroid_5.apk repo/index.xml
grep -F com.politedroid_6.apk repo/index.xml
test -e repo/com.politedroid_3.apk
test -e repo/com.politedroid_4.apk
test -e repo/com.politedroid_5.apk
test -e repo/com.politedroid_6.apk
echo "enable one app in the repo"
$sed -i.tmp 's,^Archive Policy:4,Archive Policy:1,' metadata/com.politedroid.txt
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 3
test `grep '<package>' repo/index.xml | wc -l` -eq 1
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_4.apk archive/index.xml
grep -F com.politedroid_5.apk archive/index.xml
grep -F com.politedroid_6.apk repo/index.xml
test -e archive/com.politedroid_3.apk
test -e archive/com.politedroid_4.apk
test -e archive/com.politedroid_5.apk
test -e repo/com.politedroid_6.apk
echo "remove all apps from the repo"
$sed -i.tmp 's,^Archive Policy:1,Archive Policy:0,' metadata/com.politedroid.txt
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 4
test `grep '<package>' repo/index.xml | wc -l` -eq 0
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_4.apk archive/index.xml
grep -F com.politedroid_5.apk archive/index.xml
grep -F com.politedroid_6.apk archive/index.xml
test -e archive/com.politedroid_3.apk
test -e archive/com.politedroid_4.apk
test -e archive/com.politedroid_5.apk
test -e archive/com.politedroid_6.apk
! test -e repo/com.politedroid_6.apk
echo "move back one from archive to the repo"
$sed -i.tmp 's,^Archive Policy:0,Archive Policy:1,' metadata/com.politedroid.txt
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 3
test `grep '<package>' repo/index.xml | wc -l` -eq 1
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_4.apk archive/index.xml
grep -F com.politedroid_5.apk archive/index.xml
grep -F com.politedroid_6.apk repo/index.xml
test -e archive/com.politedroid_3.apk
test -e archive/com.politedroid_4.apk
test -e archive/com.politedroid_5.apk
! test -e archive/com.politedroid_6.apk
test -e repo/com.politedroid_6.apk
#------------------------------------------------------------------------------#
echo_header 'test moving old APKs to and from the archive'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/tests/keystore.jks $REPOROOT/
$fdroid init --keystore keystore.jks --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "accepted_formats = ['txt']" >> config.py
test -d metadata || mkdir metadata
cp $WORKSPACE/tests/metadata/com.politedroid.txt metadata/
$sed -i.tmp '/Archive Policy:/d' metadata/com.politedroid.txt
test -d repo || mkdir repo
cp $WORKSPACE/tests/repo/com.politedroid_[0-9].apk repo/
$sed -i.tmp 's,archive_older = [0-9],archive_older = 3,' config.py
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 1
test `grep '<package>' repo/index.xml | wc -l` -eq 3
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_4.apk repo/index.xml
grep -F com.politedroid_5.apk repo/index.xml
grep -F com.politedroid_6.apk repo/index.xml
test -e archive/com.politedroid_3.apk
test -e repo/com.politedroid_4.apk
test -e repo/com.politedroid_5.apk
test -e repo/com.politedroid_6.apk
$sed -i.tmp 's,archive_older = 3,archive_older = 1,' config.py
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 3
test `grep '<package>' repo/index.xml | wc -l` -eq 1
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_4.apk archive/index.xml
grep -F com.politedroid_5.apk archive/index.xml
grep -F com.politedroid_6.apk repo/index.xml
test -e archive/com.politedroid_3.apk
test -e archive/com.politedroid_4.apk
test -e archive/com.politedroid_5.apk
test -e repo/com.politedroid_6.apk
# disabling deletes from the archive
$sed -i.tmp 's/Build:1.3,4/Build:1.3,4\n disable=testing deletion/' metadata/com.politedroid.txt
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 2
test `grep '<package>' repo/index.xml | wc -l` -eq 1
grep -F com.politedroid_3.apk archive/index.xml
! grep -F com.politedroid_4.apk archive/index.xml
grep -F com.politedroid_5.apk archive/index.xml
grep -F com.politedroid_6.apk repo/index.xml
test -e archive/com.politedroid_3.apk
! test -e archive/com.politedroid_4.apk
test -e archive/com.politedroid_5.apk
test -e repo/com.politedroid_6.apk
# disabling deletes from the repo, and promotes one from the archive
$sed -i.tmp 's/Build:1.5,6/Build:1.5,6\n disable=testing deletion/' metadata/com.politedroid.txt
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 1
test `grep '<package>' repo/index.xml | wc -l` -eq 1
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_5.apk repo/index.xml
! grep -F com.politedroid_6.apk repo/index.xml
test -e archive/com.politedroid_3.apk
test -e repo/com.politedroid_5.apk
! test -e repo/com.politedroid_6.apk
#------------------------------------------------------------------------------#
echo_header 'test allowing disabled signatures in repo and archive'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/tests/keystore.jks $REPOROOT/
$fdroid init --keystore keystore.jks --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "accepted_formats = ['txt']" >> config.py
echo 'allow_disabled_algorithms = True' >> config.py
$sed -i.tmp 's,archive_older = [0-9],archive_older = 3,' config.py
test -d metadata || mkdir metadata
cp $WORKSPACE/tests/metadata/com.politedroid.txt metadata/
echo 'Summary:good test version of urzip' > metadata/info.guardianproject.urzip.txt
echo 'Summary:good MD5 sig, disabled algorithm' > metadata/org.bitbucket.tickytacky.mirrormirror.txt
$sed -i.tmp '/Archive Policy:/d' metadata/*.txt
test -d repo || mkdir repo
cp $WORKSPACE/tests/repo/com.politedroid_[0-9].apk \
$WORKSPACE/tests/org.bitbucket.tickytacky.mirrormirror_[0-9].apk \
$WORKSPACE/tests/urzip-badsig.apk \
repo/
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 2
test `grep '<package>' repo/index.xml | wc -l` -eq 6
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_4.apk repo/index.xml
grep -F com.politedroid_5.apk repo/index.xml
grep -F com.politedroid_6.apk repo/index.xml
grep -F org.bitbucket.tickytacky.mirrormirror_1.apk archive/index.xml
grep -F org.bitbucket.tickytacky.mirrormirror_2.apk repo/index.xml
grep -F org.bitbucket.tickytacky.mirrormirror_3.apk repo/index.xml
grep -F org.bitbucket.tickytacky.mirrormirror_4.apk repo/index.xml
! grep -F urzip-badsig.apk repo/index.xml
! grep -F urzip-badsig.apk archive/index.xml
test -e archive/com.politedroid_3.apk
test -e repo/com.politedroid_4.apk
test -e repo/com.politedroid_5.apk
test -e repo/com.politedroid_6.apk
test -e archive/org.bitbucket.tickytacky.mirrormirror_1.apk
test -e repo/org.bitbucket.tickytacky.mirrormirror_2.apk
test -e repo/org.bitbucket.tickytacky.mirrormirror_3.apk
test -e repo/org.bitbucket.tickytacky.mirrormirror_4.apk
test -e archive/urzip-badsig.apk
$sed -i.tmp '/allow_disabled_algorithms/d' config.py
$fdroid update --pretty --nosign
test `grep '<package>' archive/index.xml | wc -l` -eq 5
test `grep '<package>' repo/index.xml | wc -l` -eq 3
grep -F org.bitbucket.tickytacky.mirrormirror_1.apk archive/index.xml
grep -F org.bitbucket.tickytacky.mirrormirror_2.apk archive/index.xml
grep -F org.bitbucket.tickytacky.mirrormirror_3.apk archive/index.xml
grep -F org.bitbucket.tickytacky.mirrormirror_4.apk archive/index.xml
grep -F com.politedroid_3.apk archive/index.xml
grep -F com.politedroid_4.apk repo/index.xml
grep -F com.politedroid_5.apk repo/index.xml
grep -F com.politedroid_6.apk repo/index.xml
! grep -F urzip-badsig.apk repo/index.xml
! grep -F urzip-badsig.apk archive/index.xml
test -e archive/org.bitbucket.tickytacky.mirrormirror_1.apk
test -e archive/org.bitbucket.tickytacky.mirrormirror_2.apk
test -e archive/org.bitbucket.tickytacky.mirrormirror_3.apk
test -e archive/org.bitbucket.tickytacky.mirrormirror_4.apk
test -e archive/com.politedroid_3.apk
test -e archive/urzip-badsig.apk
test -e repo/com.politedroid_4.apk
test -e repo/com.politedroid_5.apk
test -e repo/com.politedroid_6.apk
#------------------------------------------------------------------------------#
echo_header 'rename apks with `fdroid update --rename-apks`, --nosign for speed'
REPOROOT=`create_test_dir`
cd $REPOROOT
cp $WORKSPACE/tests/keystore.jks $REPOROOT/
$fdroid init --keystore keystore.jks --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "accepted_formats = ['txt', 'yml']" >> config.py
echo 'keydname = "CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US"' >> config.py
test -d metadata || mkdir metadata
cp $WORKSPACE/tests/metadata/info.guardianproject.urzip.yml metadata/
test -d repo || mkdir repo
cp $WORKSPACE/tests/urzip.apk "repo/asdfiuhk urzip-πÇÇπÇÇ现代汉语通用字-български-عربي1234 ö.apk"
$fdroid update --rename-apks --pretty --nosign
test -e repo/info.guardianproject.urzip_100.apk
grep -F 'info.guardianproject.urzip_100.apk' repo/index-v1.json repo/index.xml
cp $WORKSPACE/tests/urzip-release.apk repo/
$fdroid update --rename-apks --pretty --nosign
test -e repo/info.guardianproject.urzip_100.apk
test -e repo/info.guardianproject.urzip_100_b4964fd.apk
grep -F 'info.guardianproject.urzip_100.apk' repo/index-v1.json repo/index.xml
grep -F 'info.guardianproject.urzip_100_b4964fd.apk' repo/index-v1.json
! grep -F 'info.guardianproject.urzip_100_b4964fd.apk' repo/index.xml
cp $WORKSPACE/tests/urzip-release.apk repo/
$fdroid update --rename-apks --pretty --nosign
test -e repo/info.guardianproject.urzip_100.apk
test -e repo/info.guardianproject.urzip_100_b4964fd.apk
test -e duplicates/repo/info.guardianproject.urzip_100_b4964fd.apk
grep -F 'info.guardianproject.urzip_100.apk' repo/index-v1.json repo/index.xml
grep -F 'info.guardianproject.urzip_100_b4964fd.apk' repo/index-v1.json
! grep -F 'info.guardianproject.urzip_100_b4964fd.apk' repo/index.xml
#------------------------------------------------------------------------------#
echo_header "test metadata checks"
REPOROOT=`create_test_dir`
cd $REPOROOT
mkdir repo
cp $WORKSPACE/tests/urzip.apk $REPOROOT/repo/
set +e
$fdroid build
if [ $? -eq 0 ]; then
echo "This should have failed because there is no metadata!"
exit 1
else
echo "testing metadata checks passed"
fi
set -e
mkdir $REPOROOT/metadata/
cp $WORKSPACE/tests/metadata/org.smssecure.smssecure.txt $REPOROOT/metadata/
$fdroid readmeta
# now make a fake duplicate
touch $REPOROOT/metadata/org.smssecure.smssecure.yml
set +e
$fdroid readmeta
if [ $? -eq 0 ]; then
echo "This should have failed because there is a duplicate metadata file!"
exit 1
else
echo "testing duplicate metadata checks passed"
fi
set -e
#------------------------------------------------------------------------------#
echo_header "ensure commands that don't need the JDK work without a JDK configed"
REPOROOT=`create_test_dir`
cd $REPOROOT
mkdir repo
mkdir metadata
echo "License:GPL-2.0" >> metadata/fake.txt
echo "Summary:Yup still fake" >> metadata/fake.txt
echo "Categories:Internet" >> metadata/fake.txt
echo "Description:" >> metadata/fake.txt
echo "this is fake" >> metadata/fake.txt
echo "." >> metadata/fake.txt
# fake that no JDKs are available
echo 'java_paths = {}' > config.py
LOCAL_COPY_DIR=`create_test_dir`/fdroid
mkdir -p $LOCAL_COPY_DIR/repo
echo "local_copy_dir = '$LOCAL_COPY_DIR'" >> config.py
$fdroid checkupdates
$fdroid gpgsign
$fdroid lint
$fdroid readmeta
$fdroid rewritemeta fake
$fdroid server update
$fdroid scanner
# run these to get their output, but the are not setup, so don't fail
$fdroid build || true
$fdroid import || true
$fdroid install || true
#------------------------------------------------------------------------------#
echo_header "create a source tarball and use that to build a repo"
cd $WORKSPACE
$python setup.py sdist
REPOROOT=`create_test_dir`
cd $REPOROOT
tar xzf `ls -1 $WORKSPACE/dist/fdroidserver-*.tar.gz | sort -n | tail -1`
cd $REPOROOT
./fdroidserver-*/fdroid init
copy_apks_into_repo $REPOROOT
./fdroidserver-*/fdroid update --create-metadata --verbose
#------------------------------------------------------------------------------#
echo_header "test config checks of local_copy_dir"
REPOROOT=`create_test_dir`
cd $REPOROOT
$fdroid init
$fdroid update --create-metadata --verbose
$fdroid readmeta
$fdroid server update --local-copy-dir=/tmp/fdroid
# now test the errors work
set +e
$fdroid server update --local-copy-dir=thisisnotanabsolutepath
if [ $? -eq 0 ]; then
echo "This should have failed because thisisnotanabsolutepath is not an absolute path!"
exit 1
else
echo "testing absolute path checker passed"
fi
$fdroid server update --local-copy-dir=/tmp/IReallyDoubtThisPathExistsasdfasdf
if [ $? -eq 0 ]; then
echo "This should have failed because the path does not end with 'fdroid'!"
exit 1
else
echo "testing dirname exists checker passed"
fi
$fdroid server update --local-copy-dir=/tmp/IReallyDoubtThisPathExistsasdfasdf/fdroid
if [ $? -eq 0 ]; then
echo "This should have failed because the dirname path does not exist!"
exit 1
else
echo "testing dirname exists checker passed"
fi
set -e
#------------------------------------------------------------------------------#
echo_header "setup a new repo from scratch using ANDROID_HOME and do a local sync"
REPOROOT=`create_test_dir`
cd $REPOROOT
$fdroid init
copy_apks_into_repo $REPOROOT
$fdroid update --create-metadata --verbose
$fdroid readmeta
grep -F '<application id=' repo/index.xml > /dev/null
LOCALCOPYDIR=`create_test_dir`/fdroid
$fdroid server update --local-copy-dir=$LOCALCOPYDIR
NEWREPOROOT=`create_test_dir`
cd $NEWREPOROOT
$fdroid init
echo "sync_from_local_copy_dir = True" >> config.py
$fdroid server update --local-copy-dir=$LOCALCOPYDIR
#------------------------------------------------------------------------------#
# check that --android-home fails when dir does not exist or is not a dir
REPOROOT=`create_test_dir`
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
set +e
$fdroid init --keystore $KEYSTORE --android-home /opt/fakeandroidhome
if [ $? -eq 0 ]; then
echo "This should have failed because /opt/fakeandroidhome does not exist!"
exit 1
else
echo "testing android-home path checker passed"
fi
TESTFILE=`create_test_file`
$fdroid init --keystore $KEYSTORE --android-home $TESTFILE
if [ $? -eq 0 ]; then
echo "This should have failed because $TESTFILE is a file not a dir!"
exit 1
else
echo "testing android-home not-dir checker passed"
fi
set -e
#------------------------------------------------------------------------------#
echo_header "check that fake android home passes 'fdroid init'"
REPOROOT=`create_test_dir`
FAKE_ANDROID_HOME=`create_test_dir`
create_fake_android_home $FAKE_ANDROID_HOME
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE --android-home $FAKE_ANDROID_HOME
#------------------------------------------------------------------------------#
echo_header "check that 'fdroid init' fails when build-tools cannot be found"
if [ -e /usr/bin/aapt ]; then
echo "/usr/bin/aapt exists, not running test"
else
REPOROOT=`create_test_dir`
FAKE_ANDROID_HOME=`create_test_dir`
create_fake_android_home $FAKE_ANDROID_HOME
rm -f $FAKE_ANDROID_HOME/build-tools/*/aapt
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
set +e
$fdroid init --keystore $KEYSTORE --android-home $FAKE_ANDROID_HOME
[ $? -eq 0 ] && exit 1
set -e
fi
#------------------------------------------------------------------------------#
echo_header "check that --android-home overrides ANDROID_HOME"
REPOROOT=`create_test_dir`
FAKE_ANDROID_HOME=`create_test_dir`
create_fake_android_home $FAKE_ANDROID_HOME
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE --android-home $FAKE_ANDROID_HOME
set +e
grep $FAKE_ANDROID_HOME $REPOROOT/config.py
if [ $? -ne 0 ]; then
echo "the value set in --android-home '$FAKE_ANDROID_HOME' should override ANDROID_HOME '$ANDROID_HOME'"
exit 1
fi
set -e
#------------------------------------------------------------------------------#
# In this case, ANDROID_HOME is set to a fake, non-working version that will
# be detected by fdroid as an Android SDK install. It should use the path set
# by --android-home over the one in ANDROID_HOME, therefore if it uses the one
# in ANDROID_HOME, it won't work because it is a fake one. Only
# --android-home provides a working one.
echo_header "setup a new repo from scratch with keystore and android-home set on cmd line"
REPOROOT=`create_test_dir`
KEYSTORE=$REPOROOT/keystore.jks
FAKE_ANDROID_HOME=`create_test_dir`
create_fake_android_home $FAKE_ANDROID_HOME
STORED_ANDROID_HOME=$ANDROID_HOME
unset ANDROID_HOME
echo "ANDROID_HOME: $ANDROID_HOME"
cd $REPOROOT
$fdroid init --keystore $KEYSTORE --android-home $STORED_ANDROID_HOME --no-prompt
test -e $KEYSTORE
copy_apks_into_repo $REPOROOT
$fdroid update --create-metadata --verbose
$fdroid readmeta
grep -F '<application id=' repo/index.xml > /dev/null
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
test -e tmp/apkcache
! test -z tmp/apkcache
export ANDROID_HOME=$STORED_ANDROID_HOME
#------------------------------------------------------------------------------#
echo_header "check duplicate files are properly handled by fdroid update"
REPOROOT=`create_test_dir`
KEYSTORE=$WORKSPACE/tests/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE --repo-keyalias=sova
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
mkdir $REPOROOT/metadata
cp -a $WORKSPACE/tests/metadata/obb.mainpatch.current.txt $REPOROOT/metadata
echo "accepted_formats = ['txt']" >> config.py
cp $WORKSPACE/tests/repo/obb.mainpatch.current_1619.apk $REPOROOT/repo/
cp $WORKSPACE/tests/repo/obb.mainpatch.current_1619_another-release-key.apk $REPOROOT/repo/
$fdroid update --pretty
grep -F 'obb.mainpatch.current_1619.apk' repo/index.xml repo/index-v1.json
grep -F 'obb.mainpatch.current_1619_another-release-key.apk' repo/index-v1.json
! grep -F 'obb.mainpatch.current_1619_another-release-key.apk' repo/index.xml
# die if there are exact duplicates
cp $WORKSPACE/tests/repo/obb.mainpatch.current_1619.apk $REPOROOT/repo/duplicate.apk
! $fdroid update
#------------------------------------------------------------------------------#
echo_header "setup new repo from scratch using ANDROID_HOME, putting APKs in repo first"
REPOROOT=`create_test_dir`
cd $REPOROOT
mkdir repo
copy_apks_into_repo $REPOROOT
$fdroid init
$fdroid update --create-metadata --verbose
$fdroid readmeta
grep -F '<application id=' repo/index.xml > /dev/null
#------------------------------------------------------------------------------#
echo_header "setup a new repo from scratch and generate a keystore"
REPOROOT=`create_test_dir`
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE
test -e $KEYSTORE
copy_apks_into_repo $REPOROOT
$fdroid update --create-metadata --verbose
$fdroid readmeta
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
test -e tmp/apkcache
! test -z tmp/apkcache
grep -F '<application id=' repo/index.xml > /dev/null
#------------------------------------------------------------------------------#
echo_header "setup a new repo manually and generate a keystore"
REPOROOT=`create_test_dir`
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
cp $WORKSPACE/examples/fdroid-icon.png $REPOROOT/
! test -e $KEYSTORE
set +e
$fdroid update
if [ $? -eq 0 ]; then
echo "This should have failed because this repo has no keystore!"
exit 1
else
echo '`fdroid update` prompted to add keystore'
fi
set -e
$fdroid update --create-key
test -e $KEYSTORE
copy_apks_into_repo $REPOROOT
$fdroid update --create-metadata --verbose
$fdroid readmeta
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
test -e tmp/apkcache
! test -z tmp/apkcache
grep -F '<application id=' repo/index.xml > /dev/null
#------------------------------------------------------------------------------#
echo_header "setup a new repo from scratch, generate a keystore, then add APK and update"
REPOROOT=`create_test_dir`
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE
test -e $KEYSTORE
copy_apks_into_repo $REPOROOT
$fdroid update --create-metadata --verbose
$fdroid readmeta
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
grep -F '<application id=' repo/index.xml > /dev/null
test -e $REPOROOT/repo/info.guardianproject.urzip_100.apk || \
cp $WORKSPACE/tests/urzip.apk $REPOROOT/repo/
$fdroid update --create-metadata --verbose
$fdroid readmeta
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
test -e tmp/apkcache
! test -z tmp/apkcache
grep -F '<application id=' repo/index.xml > /dev/null
#------------------------------------------------------------------------------#
echo_header "setup a new repo from scratch with a HSM/smartcard"
REPOROOT=`create_test_dir`
cd $REPOROOT
$fdroid init --keystore NONE
test -e opensc-fdroid.cfg
test ! -e NONE
#------------------------------------------------------------------------------#
echo_header "setup a new repo with no keystore, add APK, and update"
REPOROOT=`create_test_dir`
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
touch fdroid-icon.png
mkdir repo
cp $WORKSPACE/tests/urzip.apk $REPOROOT/repo/
set +e
$fdroid update --create-metadata --verbose
if [ $? -eq 0 ]; then
echo "This should have failed because this repo has no keystore!"
exit 1
else
echo '`fdroid update` prompted to add keystore'
fi
set -e
# now set up fake, non-working keystore setup
touch $KEYSTORE
echo "keystore = \"$KEYSTORE\"" >> config.py
echo 'repo_keyalias = "foo"' >> config.py
echo 'keystorepass = "foo"' >> config.py
echo 'keypass = "foo"' >> config.py
set +e
$fdroid update --create-metadata --verbose
if [ $? -eq 0 ]; then
echo "This should have failed because this repo has a bad/fake keystore!"
exit 1
else
echo '`fdroid update` prompted to add keystore'
fi
set -e
#------------------------------------------------------------------------------#
echo_header "copy tests/repo, update with binary transparency log"
REPOROOT=`create_test_dir`
GIT_REMOTE=`create_test_dir`
GNUPGHOME=$REPOROOT/gnupghome
KEYSTORE=$WORKSPACE/tests/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE --repo-keyalias=sova
cp -a $WORKSPACE/tests/metadata $WORKSPACE/tests/repo $WORKSPACE/tests/stats $REPOROOT/
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "binary_transparency_remote = '$GIT_REMOTE'" >> config.py
echo "accepted_formats = ['json', 'txt', 'yml']" >> config.py
$fdroid update --verbose
if have_git_2_3; then
$fdroid server update --verbose
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
grep -F '<application id=' repo/index.xml > /dev/null
cd binary_transparency
[ `git rev-list --count HEAD` == "2" ]
cd $GIT_REMOTE
[ `git rev-list --count HEAD` == "2" ]
else
echo "Skipping test, `git --version` older than 2.3"
fi
#------------------------------------------------------------------------------#
echo_header "setup a new repo with keystore with APK, update, then without key"
REPOROOT=`create_test_dir`
KEYSTORE=$REPOROOT/keystore.jks
cd $REPOROOT
$fdroid init --keystore $KEYSTORE
test -e $KEYSTORE
cp $WORKSPACE/tests/urzip.apk $REPOROOT/repo/
$fdroid update --create-metadata --verbose
$fdroid readmeta
test -e repo/index.xml
test -e repo/index.jar
test -e repo/index-v1.jar
test -e tmp/apkcache
! test -z tmp/apkcache
grep -F '<application id=' repo/index.xml > /dev/null
# now set fake repo_keyalias
$sed -i.tmp 's,^ *repo_keyalias.*,repo_keyalias = "fake",' $REPOROOT/config.py
set +e
$fdroid update
if [ $? -eq 0 ]; then
echo "This should have failed because this repo has a bad repo_keyalias!"
exit 1
else
echo '`fdroid update` prompted to add keystore'
fi
set -e
# try creating a new keystore, but fail because the old one is there
test -e $KEYSTORE
set +e
$fdroid update --create-key
if [ $? -eq 0 ]; then
echo "This should have failed because a keystore is already there!"
exit 1
else
echo '`fdroid update` complained about existing keystore'
fi
set -e
# now actually create the key with the existing settings
rm -f $KEYSTORE
! test -e $KEYSTORE
$fdroid update --create-key
test -e $KEYSTORE
#------------------------------------------------------------------------------#
echo_header "sign binary repo in offline box, then publishing from online box"
OFFLINE_ROOT=`create_test_dir`
KEYSTORE=$WORKSPACE/tests/keystore.jks
LOCAL_COPY_DIR=`create_test_dir`/fdroid
mkdir $LOCAL_COPY_DIR
ONLINE_ROOT=`create_test_dir`
SERVERWEBROOT=`create_test_dir`
# create offline binary transparency log
cd $OFFLINE_ROOT
mkdir binary_transparency
cd binary_transparency
git init
# fake git remote server for binary transparency log
BINARY_TRANSPARENCY_REMOTE=`create_test_dir`
# fake git remote server for repo mirror
SERVER_GIT_MIRROR=`create_test_dir`
cd $SERVER_GIT_MIRROR
git init
if have_git_2_3; then
git config receive.denyCurrentBranch updateInstead
fi
cd $OFFLINE_ROOT
$fdroid init --keystore $KEYSTORE --repo-keyalias=sova
cp -a $WORKSPACE/tests/metadata $WORKSPACE/tests/repo $WORKSPACE/tests/stats $OFFLINE_ROOT/
echo 'keystorepass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py
echo "mirrors = ['http://foo.bar/fdroid', 'http://asdflkdsfjafdsdfhkjh.onion/fdroid']" >> config.py
echo "servergitmirrors = '$SERVER_GIT_MIRROR'" >> config.py
echo "local_copy_dir = '$LOCAL_COPY_DIR'" >> config.py
echo "accepted_formats = ['json', 'txt', 'yml']" >> config.py
$fdroid update --pretty
grep -F '<application id=' repo/index.xml > /dev/null
grep -F '/fdroid/repo</mirror>' repo/index.xml
grep -F '/fdroid/archive</mirror>' archive/index.xml
test `grep '<mirror>' repo/index.xml | wc -l` -eq 2
test `grep '<mirror>' archive/index.xml | wc -l` -eq 2
cd binary_transparency
[ `git rev-list --count HEAD` == "1" ]
cd ..
$fdroid server update --verbose
grep -F '<application id=' $LOCAL_COPY_DIR/repo/index.xml > /dev/null
cd $ONLINE_ROOT
echo "local_copy_dir = '$LOCAL_COPY_DIR'" >> config.py
echo "sync_from_local_copy_dir = True" >> config.py
echo "serverwebroots = '$SERVERWEBROOT'" >> config.py
echo "servergitmirrors = '$SERVER_GIT_MIRROR'" >> config.py
echo "local_copy_dir = '$LOCAL_COPY_DIR'" >> config.py
echo "binary_transparency_remote = '$BINARY_TRANSPARENCY_REMOTE'" >> config.py
$fdroid server update --verbose
cd $BINARY_TRANSPARENCY_REMOTE
[ `git rev-list --count HEAD` == "1" ]
cd $SERVER_GIT_MIRROR
[ `git rev-list --count HEAD` == "1" ]
#------------------------------------------------------------------------------#
# remove this to prevent git conflicts and complaining
rm -rf $WORKSPACE/fdroidserver.egg-info/
echo SUCCESS