Merge branch 'debugkey' into 'master'
lint: blocklist known AOSP debug keys in AASK

See merge request fdroid/fdroidserver!1478
commit
1cb1394de3
2 changed files with 46 additions and 1 deletions
|
|
@ -722,7 +722,13 @@ def check_updates_ucm_http_aum_pattern(app): # noqa: D403
|
||||||
|
|
||||||
|
|
||||||
def check_certificate_pinned_binaries(app):
|
def check_certificate_pinned_binaries(app):
|
||||||
if len(app.get('AllowedAPKSigningKeys')) > 0:
|
keys = app.get('AllowedAPKSigningKeys')
|
||||||
|
known_keys = common.config.get('apk_signing_key_block_list', [])
|
||||||
|
if keys:
|
||||||
|
if known_keys:
|
||||||
|
for key in keys:
|
||||||
|
if key in known_keys:
|
||||||
|
yield _('Known debug key is used in AllowedAPKSigningKeys: ') + key
|
||||||
return
|
return
|
||||||
if app.get('Binaries') is not None:
|
if app.get('Binaries') is not None:
|
||||||
yield _(
|
yield _(
|
||||||
|
|
|
||||||
|
|
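Review bot: `if key in known_keys:` is a substring test rather than an exact match whenever `apk_signing_key_block_list` is configured as a plain string, which is how the tests in this commit set it. In that case an empty or truncated entry in AllowedAPKSigningKeys is reported as a known debug key, and the semantics differ from the list case. Normalising before the loop keeps it an exact membership check: `if isinstance(known_keys, str): known_keys = [known_keys]`. The comparison is also case-sensitive, so unless fingerprints are lower-cased elsewhere, an upper-case fingerprint in metadata would not match a lower-case block-list entry; comparing `key.lower()` against lower-cased entries would close that gap. The function body continues past the end of this hunk.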
@ -438,6 +438,45 @@ class LintTest(unittest.TestCase):
|
||||||
with self.assertRaises(TypeError):
|
with self.assertRaises(TypeError):
|
||||||
fdroidserver.lint.lint_config('mirrors.yml')
|
fdroidserver.lint.lint_config('mirrors.yml')
|
||||||
|
|
||||||
|
def test_check_certificate_pinned_binaries_empty(self):
|
||||||
|
fdroidserver.common.config = {}
|
||||||
|
app = fdroidserver.metadata.App()
|
||||||
|
app.AllowedAPKSigningKeys = [
|
||||||
|
'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
|
||||||
|
]
|
||||||
|
self.assertEqual(
|
||||||
|
[],
|
||||||
|
list(fdroidserver.lint.check_certificate_pinned_binaries(app)),
|
||||||
|
"when the config is empty, any signing key should be allowed",
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_lint_known_debug_keys_no_match(self):
|
||||||
|
fdroidserver.common.config = {
|
||||||
|
"apk_signing_key_block_list": "a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc"
|
||||||
|
}
|
||||||
|
app = fdroidserver.metadata.App()
|
||||||
|
app.AllowedAPKSigningKeys = [
|
||||||
|
'2fd4fd5f54babba4bcb21237809bb653361d0d2583c80964ec89b28a26e9539e'
|
||||||
|
]
|
||||||
|
self.assertEqual(
|
||||||
|
[],
|
||||||
|
list(fdroidserver.lint.check_certificate_pinned_binaries(app)),
|
||||||
|
"A signing key that does not match one in the config should be allowed",
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_lint_known_debug_keys(self):
|
||||||
|
fdroidserver.common.config = {
|
||||||
|
'apk_signing_key_block_list': 'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
|
||||||
|
}
|
||||||
|
app = fdroidserver.metadata.App()
|
||||||
|
app.AllowedAPKSigningKeys = [
|
||||||
|
'a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc'
|
||||||
|
]
|
||||||
|
for warn in fdroidserver.lint.check_certificate_pinned_binaries(app):
|
||||||
|
anywarns = True
|
||||||
|
logging.debug(warn)
|
||||||
|
self.assertTrue(anywarns)
|
||||||
|
|
||||||
|
|
||||||
class LintAntiFeaturesTest(unittest.TestCase):
|
class LintAntiFeaturesTest(unittest.TestCase):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
|
|
||||||
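Review bot: In `test_lint_known_debug_keys`, `anywarns` is assigned only inside the `for` loop, so if the generator yields nothing the final `self.assertTrue(anywarns)` raises UnboundLocalError instead of a clean assertion failure. Set `anywarns = False` before the loop, or assert on the output directly with `self.assertEqual(1, len(list(fdroidserver.lint.check_certificate_pinned_binaries(app))))`. All three tests assign `fdroidserver.common.config` without restoring it, so unless a setUp/tearDown outside this hunk resets it, the block list can leak into later tests. A case where `apk_signing_key_block_list` is a list of several fingerprints would also be worth adding, since only the single-string form is exercised here.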