#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: Check release file signatures (check if apt-get update still works 5 years into the future)
## tags:
##  - basic
##  - apptest
## exposure: safe

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137

export LC_ALL=C

libfaketime="/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1"
valid_for='+5y'

test -f $libfaketime || fail_fast 1 "libfaketime ($libfaketime) not found"

# check only http to avoid
# ignore certificate issues like
#   Err:10 https://updates.software-univention.de ucs500 Release
#   Certificate verification failed: The certificate is NOT trusted.
#   The certificate chain uses expired certificate.
#   Could not handshake: Error in the certificate verification. [IP: 176.9.114.147 443]
# here we are only interested in the apt key expiry
apt_options="-o Acquire::https::Verify-Peer=false -o Acquire::https::Verify-Host=false"

eval "$(ucr shell repository/app_center/server)"

# test appcenter has no Release files
if [[ "$repository_app_center_server" =~ appcenter-test ]]; then
	exit 77
fi

# check if apt-get update in now+5y works
if LD_PRELOAD=$libfaketime FAKETIME="$valid_for" apt-get update $apt_options 2>&1 | grep '^[WE]:'; then
	apt-key list
	fail_fast 110 "warnings/error during apt-get update"
fi

# check if apt-get update in now+50y fails (just to test the test)
if ! LD_PRELOAD=$libfaketime FAKETIME="+50y" apt-get update $apt_options 2>&1 | grep -q '^[WE]:'; then
	fail_fast 110 "did not fail 50 years into the future, key should have expired by than"
fi

exit 0
