git-ubuntu

Merge ~nacc/git-ubuntu:apt-repo into git-ubuntu:master

Git
lp:~nacc/git-ubuntu
apt-repo
Merge into master

Proposed by Nish Aravamudan on 2018-02-28

Status:	Superseded
Proposed branch:	~nacc/git-ubuntu:apt-repo
Merge into:	git-ubuntu:master
Diff against target:	1380 lines (+1169/-0) 33 files modified MANIFEST.in (+1/-0) gitubuntu/apt_repo.py (+259/-0) gitubuntu/apt_repo_test.py (+210/-0) gitubuntu/apt_repo_test/README (+24/-0) gitubuntu/apt_repo_test/attacker-privkey.asc (+105/-0) gitubuntu/apt_repo_test/attacker-pubkey.asc (+52/-0) gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/InRelease (+38/-0) gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1 (+1/-0) gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release (+2/-0) gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release.gpg (+16/-0) gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release (+2/-0) gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release.gpg (+16/-0) gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release (+18/-0) gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release.gpg (+16/-0) gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1 (+1/-0) gitubuntu/apt_repo_test/inline.attackersig/dists/bionic/InRelease (+21/-0) gitubuntu/apt_repo_test/inline.badsig/dists/bionic/InRelease (+21/-0) gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/InRelease (+38/-0) gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1 (+1/-0) gitubuntu/apt_repo_test/inline.injection/dists/bionic/InRelease (+37/-0) gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/InRelease (+37/-0) gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/main/source/Sources (+1/-0) gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release (+13/-0) gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release.gpg (+16/-0) gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/main/source/Sources (+1/-0) gitubuntu/apt_repo_test/nosig.bare/dists/bionic/Release (+1/-0) gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release (+1/-0) gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release.gpg (+0/-0) gitubuntu/apt_repo_test/nosig.inline/dists/bionic/InRelease (+1/-0) gitubuntu/apt_repo_test/nothing/README (+4/-0) gitubuntu/apt_repo_test/privkey.asc (+105/-0) gitubuntu/apt_repo_test/pubkey.asc (+51/-0) snap/snapcraft.yaml (+59/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Robie Basak		2018-02-28	Pending
Review via email: mp+340068@code.launchpad.net

Description of the change

Make jenkins happy

Unmerged commits

aa014cb... by Nish Aravamudan on 2018-02-28

snap: re-add gnupg2 for gpgv

The apt_repo code relies on gpgv being callable in the snap, but needs
the version in Bionic (which added the `gpgv --output` option). Do not
ship anything else from gnupg2.

Revert "Revert "snap: build gpg from source""

This reverts commit 3294bc6d6c93c8c76f953266f9665ede78c5937d.

a74564f... by Robie Basak on 2018-02-27

Add gitubuntu/apt_repo_test/ to the snap

This is needed for the in-snap self test.

a72b7b2... by Robie Basak on 2018-02-27

Add apt_repo module

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Nish Aravamudan

git-ubuntu developers

 diff --git a/MANIFEST.in b/MANIFEST.in
 index 35cac97..ac8ce4e 100644
 --- a/MANIFEST.in
 +++ b/MANIFEST.in
@@ -1,3 +1,4 @@
  include gitubuntu/*.txt
  include gitubuntu/hooks/*
++graft gitubuntu/apt_repo_test
  graft gitubuntu/changelog_tests
 diff --git a/gitubuntu/apt_repo.py b/gitubuntu/apt_repo.py
 new file mode 100644
 index 0000000..3eef4a4
 --- /dev/null
 +++ b/gitubuntu/apt_repo.py
@@ -0,0 +1,259 @@
++import errno
++import functools
++import hashlib
++import os
++import subprocess
++import tempfile
++import urllib.request
++
++import debian.deb822
++
++# This file is security sensitive since it deals with untrusted inputs. To keep
++# it easier to verify, please avoid dependencies on other parts of the project
++# and keep the code separate in this module (ie. don't tangle it with other
++# non-security-sensitive code).
++
++
++DEFAULT_TRUSTED_KEYRING_PATHS = [
++    '/usr/share/keyrings/debian-archive-keyring.gpg',
++    '/usr/share/keyrings/debian-archive-removed-keys.gpg',
++    '/usr/share/keyrings/ubuntu-archive-keyring.gpg',
++    '/usr/share/keyrings/ubuntu-archive-removed-keys.gpg',
++]
++HASH = 'SHA256'
++HASH_FUNC = lambda x: hashlib.sha256(x).hexdigest()
++
++# 16 MiB to prevent DoS; current InRelease is ~256 kiB. This is only used for
++# Release{.gpg} and InRelease files. Once we have the release file and have
++# validated it, the size of other files are known and authenticated.
++MAX_RELEASE_FETCH = 1024*1024*16
++
++
++class RepositoryNotFoundError(RuntimeError): pass
++class SignatureVerificationError(RuntimeError): pass
++class HashVerificationError(RuntimeError): pass
++
++
++def _maybe_fetch_release_url(url):
++    """Return bytes of a release file URL, or None if not found.
++
++    :param str url: Release file URL
++    :rtype: bytes
++
++    Any exceptions from the underlying urllib calls, apart from file not found
++    errors, are passed through without modification.
++
++    A urllib exception that represents a file not found error is returned as
++    None.
++    """
++    try:
++        # Do not read more than a reasonable amount to prevent a memory DoS
++        data = urllib.request.urlopen(url).read(MAX_RELEASE_FETCH)
++    except urllib.error.HTTPError as e:
++        if e.code == 404:
++            return None
++        raise
++    except urllib.error.URLError as e:
++        if isinstance(e.reason, FileNotFoundError):
++            return None
++        raise
++    else:
++        return data
++
++
++def _write_file_bytes(path, data):
++    """Write the given data to a file path.
++
++    :param str path: filesystem path to write to.
++    :param bytes data: data to write.
++    :rtype None
++    """
++    with open(path, 'wb') as f:
++        f.write(data)
++
++
++def _verify(
++    unverified_data,
++    detached_signature=None,
++    trusted_keyring_paths=None,
++):
++    """Verify a signature on some data.
++
++    :param bytes unverified_data: data to verify, which may include an inline
++        signature.
++    :param bytes detached_signature: detached signature data, or None if the
++        signature is expected inline.
++    :param list(str) trusted_keyring_paths: filesystem paths to gpg keyrings to
++        trust. If the data has been signed by a key in one of these keyrings
++        and the signature is valid, the data is immediately treated as
++        verified, regardless of key signatures or trust paths. Defaults to
++        DEFAULT_TRUSTED_KEYRING_PATHS defined elsewhere in this module.
++    :rtype: bytes
++    :returns: the verified data. This should be used by the caller in favour of
++        the input data as clearsigned data can include unverified parts.
++    :raises SignatureVerificationError: on signature validation failure or some
++        other problem with gpgv.
++    :raises RuntimeError: if gpgv does not produce the verified output from an
++        inline signature.
++    """
++    trusted_keyring_paths = (
++        trusted_keyring_paths or DEFAULT_TRUSTED_KEYRING_PATHS
++    )
++    with tempfile.TemporaryDirectory() as tmpdir:
++        unverified_data_path = os.path.join(tmpdir, 'unverified-data')
++        verified_data_path = os.path.join(tmpdir, 'verified-data')
++        _write_file_bytes(unverified_data_path, unverified_data)
++        if detached_signature is None:
++            args = [unverified_data_path]
++        else:
++            sig_path = os.path.join(tmpdir, 'sig')
++            _write_file_bytes(sig_path, detached_signature)
++            args = [sig_path, unverified_data_path]
++        cmd = [
++            'gpgv',
++            '-q',
++            '--output', verified_data_path,
++        ] + [
++            '--keyring=%s' % keyring
++            for keyring in trusted_keyring_paths
++        ] + args
++        try:
++            subprocess.check_call(cmd)
++        except subprocess.CalledProcessError:
++            raise SignatureVerificationError()
++
++        # The data has been verified at this point. Now we return the data that
++        # was actually verified.
++
++        if os.path.exists(verified_data_path):
++            # The verified data has been supplied by the gpgv command to the
++            # file given by the --output option.
++            with open(verified_data_path, 'rb') as f:
++                return f.read()
++        elif detached_signature is not None:
++            # gpgv 2.2.4-1ubuntu1 seems to have a bug (or difference from
++            # documentation) in that using --output returns nothing in the case
++            # of a detached signature. But if we have a detached signature, all
++            # of the unverified data has been guaranteed to be verified when
++            # gpgv returns an exit status of 0. We can therefore just return
++            # the unverified data that we just verified.
++            return unverified_data
++        else:
++            # gpg 2.1.15-1ubuntu8 seems to have a bug that --output does
++            # nothing, including for clearsigned signatures. gpgv in the same
++            # version has no defined --output option. In this case we have no
++            # way of determining which part of the input file was verified,
++            # since it may not all have been signed (before and after the text
++            # markers for example). So we cannot treat anything as verified.
++            # This bug is reported to have been fixed upstream in 2.1.16 and
++            # --output added to gpgv there. This exception should not be raised
++            # with a newer version of gpgv (at least 2.1.16 according to
++            # upstream NEWS, and verified working in 2.2.4-1ubuntu1).
++            raise RuntimeError(
++                "gpgv did not return verified data in --output and so the "
++                "verified part of the clearsigned data is not available"
++            )
++
++
++class Release:
++    def __init__(self, suite_url, verified_release_data):
++        """Not to be called directly. Use Release.from_base_url().
++
++        :param str suite_url: the URL of the top level of the suite.
++        :param bytes verified_release_data: the contents of the Release file,
++            which must already have had its signature validated.
++        """
++        self.suite_url = suite_url
++        self.deb822 = debian.deb822.Release(verified_release_data.splitlines())
++        assert HASH in self.deb822
++        self.files = {
++            entry['name']: (entry[HASH], int(entry['size']))
++            for entry in self.deb822[HASH]
++        }
++
++    @classmethod
++    def from_base_url(cls, base_url, suite, trusted_keyring_paths=None):
++        """Fetch Release file, validate it and instantiate a Release instance.
++
++        :param str base_url: the top level of the apt repository. For example:
++            'http://archive.ubuntu.com/ubuntu'
++        :param str suite: the name of the suite. Examples: 'bionic',
++            'trusty-proposed'.
++        :rtype Release
++        :raises SignatureValidationError: if a repository is found with a bad
++            signature.
++        :raises RepositoryNotFound: if a (signed) repository cannot be found.
++        """
++        suite_url = "%s/dists/%s" % (base_url, suite)
++        in_release_url = "%s/InRelease" % suite_url
++        release_url = "%s/Release" % suite_url
++        release_sig_url = "%s/Release.gpg" % suite_url
++
++        unverified_release_data = _maybe_fetch_release_url(in_release_url)
++        if unverified_release_data is None:
++            unverified_release_data = _maybe_fetch_release_url(release_url)
++            if unverified_release_data is None:
++                raise RepositoryNotFoundError(
++                    "Release file not found at %s" % release_url,
++                )
++            release_data_sig = _maybe_fetch_release_url(release_sig_url)
++            if release_data_sig is None:
++                raise RepositoryNotFoundError(
++                    "Release file sig not found at %s" % release_sig_url,
++                )
++            verified_release_data = _verify(
++                unverified_release_data,
++                release_data_sig,
++                trusted_keyring_paths=trusted_keyring_paths,
++            )
++        else:
++            verified_release_data = _verify(
++                unverified_release_data,
++                trusted_keyring_paths=trusted_keyring_paths,
++            )
++
++        return cls(suite_url, verified_release_data)
++
++    @property
++    def by_hash(self):
++        """Whether or not by-hash is available on this suite.
++
++        :rtype bool
++        """
++        return bool(self.deb822.get('Acquire-By-Hash', False))
++
++    def _get_file_url(self, name):
++        """Obtain full URL for a particular file
++
++        :param str name: file name
++        :rtype str
++        """
++        file_hash, file_size = self.files[name]
++        if self.by_hash:
++            # Contents files live at URLs like
++            # http://archive.ubuntu.com/ubuntu/dists/bionic/by-hash/SHA256/
++            # and are requested with name='Contents-amd64.gz'
++            # Sources files live at URLs like
++            # http://archive.ubuntu.com/ubuntu/dists/bionic/main/source/by-hash/SHA256/
++            # and are requested with name='main/source/Sources.gz'
++            # so we want to extract the dirname of name
++            name_head, name_tail = os.path.split(name)
++            url_parts = [self.suite_url, name_head, 'by-hash', HASH, file_hash]
++        else:
++            url_parts = [self.suite_url, name]
++        # skip empty parts, e.g. name_head above
++        url = '/'.join(x for x in url_parts if x)
++        return url
++
++    def get_file_bytes(self, name):
++        file_hash, file_size = self.files[name]
++        url = self._get_file_url(name)
++
++        # Do not read more than the expected file size to prevent a memory DoS
++        data = urllib.request.urlopen(url).read(file_size)
++        if HASH_FUNC(data) != file_hash:
++            raise HashVerificationError()
++        return data
++
++    def has_file(self, name):
++        return name in self.files
 diff --git a/gitubuntu/apt_repo_test.py b/gitubuntu/apt_repo_test.py
 new file mode 100644
 index 0000000..3488125
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test.py
@@ -0,0 +1,210 @@
++import itertools
++import os
++import subprocess
++import tempfile
++import unittest.mock
++import urllib.error
++
++import pkg_resources
++import pytest
++
++import gitubuntu.apt_repo as target
++
++
++@pytest.fixture(scope='session')
++def trustedkeys():
++    with tempfile.TemporaryDirectory() as tmp_path:
++        env = dict(os.environ)
++        env['GNUPGHOME'] = tmp_path
++        trustedkeys_path = os.path.join(tmp_path, 'trustedkeys.gpg')
++        subprocess.check_call(
++            [
++                'gpg',
++                '--no-default-keyring',
++                '--keyring', trustedkeys_path,
++                '--import',
++                    pkg_resources.resource_filename(
++                        'gitubuntu', 'apt_repo_test/pubkey.asc'
++                    ),
++            ],
++            env=env,
++        )
++        yield trustedkeys_path
++
++
++EXPECTED_REPOSITORY_NOT_FOUND_ERROR = [
++    'nosig.bare',
++    'nothing',
++]
++
++EXPECTED_SIGNATURE_VERIFICATION_ERROR = [
++    'nosig.detached-empty',
++    'nosig.inline',
++    'inline.attackersig',
++    'inline.badsig',
++    'detached.badsig',
++    'detached.attackersig',
++]
++
++EXPECTED_HASH_VERIFICATION_ERROR = [
++    'by-hash.badfile',
++    'no-hash.badfile',
++]
++
++EXPECTED_SUCCESS = [
++    'detached.by-hash',
++    'inline.by-hash',
++    'inline.no-hash',
++]
++
++SEPARATELY_TESTED = [
++    'inline.injection',  # test_no_injection
++]
++
++ALL_TEMPLATES_TESTED = frozenset(itertools.chain(
++    EXPECTED_SUCCESS,
++    EXPECTED_REPOSITORY_NOT_FOUND_ERROR,
++    EXPECTED_SIGNATURE_VERIFICATION_ERROR,
++    EXPECTED_HASH_VERIFICATION_ERROR,
++    SEPARATELY_TESTED,
++))
++
++
++def test_all_examples_covered():
++    # Check that we have a test for every example apt repository provided in
++    # gitubuntu/apt_repo_test/. All directories under there are assumed to be
++    # apt repository examples. If there's a directory not listed in
++    # ALL_TEMPLATES_TESTED, then we must accidentally not be testing it.
++    examples_path = pkg_resources.resource_filename(
++        'gitubuntu',
++        'apt_repo_test',
++    )
++    for basename in os.listdir(examples_path):
++        example_path = os.path.join(examples_path, basename)
++        assert (
++            not os.path.isdir(example_path) or basename in ALL_TEMPLATES_TESTED
++        )
++
++
++def get_example_url(example_name):
++    return ''.join([
++        'file://',
++        pkg_resources.resource_filename('gitubuntu', 'apt_repo_test'),
++        '/',
++        example_name,
++    ])
++
++
++def get_release_obj(trustedkeys, example_name):
++    return target.Release.from_base_url(
++        get_example_url(example_name),
++        suite='bionic',
++        trusted_keyring_paths=[trustedkeys],
++    )
++
++
++@pytest.mark.parametrize('example_name', EXPECTED_SUCCESS)
++def test_success(trustedkeys, example_name):
++    release = get_release_obj(trustedkeys, example_name)
++    contents = release.get_file_bytes('main/source/Sources').decode()
++    assert contents == "sources-content\n"
++
++
++@pytest.mark.parametrize('example_name', EXPECTED_REPOSITORY_NOT_FOUND_ERROR)
++def test_nosig(trustedkeys, example_name):
++    with pytest.raises(target.RepositoryNotFoundError):
++        release = get_release_obj(trustedkeys, example_name)
++
++
++@pytest.mark.parametrize('example_name', EXPECTED_SIGNATURE_VERIFICATION_ERROR)
++def test_badsig(trustedkeys, example_name):
++    with pytest.raises(target.SignatureVerificationError):
++        release = get_release_obj(trustedkeys, example_name)
++
++
++@pytest.mark.parametrize('example_name', EXPECTED_HASH_VERIFICATION_ERROR)
++def test_badfile(trustedkeys, example_name):
++    release = get_release_obj(trustedkeys, example_name)
++    with pytest.raises(target.HashVerificationError):
++        release.get_file_bytes('main/source/Sources')
++
++
++def test_no_injection(trustedkeys):
++    release = get_release_obj(trustedkeys, 'inline.injection')
++    assert 'Injected' not in release.deb822
++
++
++def test_has_file(trustedkeys):
++    release = get_release_obj(trustedkeys, 'inline.by-hash')
++    assert release.has_file('main/source/Sources')
++    assert not release.has_file('nonexistent')
++
++
++def test_max_release_fetch_size(tmpdir):
++    # Check that maybe_fetch_release_url really does limit the size of the data
++    # read. We do this by creating a local URL that has more data than the size
++    # limit. The test data size is deliberately hardcoded here to protect
++    # against accidental changes to the constant in the code under test. If the
++    # constant ever needs to be increased, then the value hardcoded in this
++    # test will also need to be changed.
++    #
++    # If the maybe_fetch_release_url is ever factored out, a new test should be
++    # written to replace this test to ensure that the refactored code is not
++    # vulnerable to a resource exhaustion DoS.
++    large_data = (17 * 1024 * 1024) * b'x'
++    bigfile_path = str(tmpdir.join('bigfile'))
++    with open(bigfile_path, 'wb') as fobj:
++        fobj.write(large_data)
++        fobj.close()
++    bigfile_url = "file://" + os.path.abspath(bigfile_path)
++    read_data = target._maybe_fetch_release_url(bigfile_url)
++    assert len(read_data) < len(large_data)
++
++
++# Cases where maybe_fetch_release_url should return None (404 in the case of an
++# http:// or https:// URL, and FileNotFoundError for a file:// URL)
++@pytest.mark.parametrize('exception', [
++    (urllib.error.HTTPError(
++        url=None,
++        code=404,
++        msg=None,
++        hdrs=None,
++        fp=None,
++    )),
++    (urllib.error.URLError(reason=FileNotFoundError())),
++])
++@unittest.mock.patch('urllib.request.urlopen')
++def test_maybe_fetch_release_url_not_found(mock_urlopen, exception):
++    mock_urlopen().read.side_effect = exception
++    assert target._maybe_fetch_release_url(None) is None
++
++
++# Cases where maybe_fetch_release_url should pass through the exception (an
++# HTTPError where the response is not a 404, a URLError where the reason isn't
++# FileNotFoundError, and for any other exception).
++@pytest.mark.parametrize('exception', [
++    (urllib.error.HTTPError(
++        url=None,
++        code=403,
++        msg=None,
++        hdrs=None,
++        fp=None,
++    )),
++    (urllib.error.URLError(reason=None)),
++    (Exception()),
++])
++@unittest.mock.patch('urllib.request.urlopen')
++def test_maybe_fetch_release_url_other_error(mock_urlopen, exception):
++    mock_urlopen().read.side_effect = exception
++    with pytest.raises(type(exception)):
++        target._maybe_fetch_release_url(None)
++
++
++# If subprocess.check_call does nothing, that is like running gpgv that returns
++# an exit status of 0 but doesn't write anything to the path specified by
++# --output. In the case of an inline signature, this should raise a
++# RuntimeError.
++@unittest.mock.patch('subprocess.check_call')
++def test_gpgv_no_output(trustedkeys):
++    with pytest.raises(RuntimeError):
++        target._verify(b'', trusted_keyring_paths=trustedkeys)
 diff --git a/gitubuntu/apt_repo_test/README b/gitubuntu/apt_repo_test/README
 new file mode 100644
 index 0000000..59f4763
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/README
@@ -0,0 +1,24 @@
++GnuPG demands a high quality entropy source to generate a keypair. This
++can block automated tests and is difficult to turn off. Therefore for
++test purposes it's easier to keep a generated keypair in the source
++tree. This also saves resigning test input files on every test
++invocation.
++
++privkey.asc and pubkey.asc and attacker-{priv,pub}key.asc are test
++keypairs checked in to this source tree that have been generated for
++this purpose. They should not be used for any production purpose as, by
++having checked it into the source tree and published it, the private key
++is now publicly known.
++
++To create replacement keys, set GNUPGHOME to a temporary directory and run gpg
++--full-gen-key. Then export using "gpg --export-secret-key --armor >
++privkey.asc" and "gpg --export --armor > pubkey.asc".
++
++Delete everything in the temporary directory and repeat for
++attacker-privkey.asc and attacker-pubkey.asc. This keypair is used to
++verify that repositories signed by somebody else are correctly rejected.
++
++You'll also need to re-sign the individual Release.gpg and InRelease
++files under this directory that are signed with this key. Use "gpg --yes
++-o Release.gpg -ab Release" and "gpg -o InRelease --clearsign Release" for
++that.
 diff --git a/gitubuntu/apt_repo_test/attacker-privkey.asc b/gitubuntu/apt_repo_test/attacker-privkey.asc
 new file mode 100644
 index 0000000..a47202c
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/attacker-privkey.asc
@@ -0,0 +1,105 @@
++-----BEGIN PGP PRIVATE KEY BLOCK-----
++
++lQcXBFqOsp8BEADUmBAMxDfLmpCAUv2WU+ozJ0I9IHh/nPmSKlIVYk7OklognJvk
++OkABlEnZucXzmzHWYla45wOn3RvCgOMZOVApRIGcI3Do+4zesK83Zz2ijNwyS//P
++do1TTlDiedRvE7rNAIJ4DwebH7Lx5UP5avgymK7JGX9+WFpAJtONdL1rruMpi/5O
++UU1dUxWN8Z3etdgmcI3rMwUAdWPX3RHWwEN6OTNySc30Tiujt4+n9UNBwFHzzMij
++yJSRxyBT31nMFs/7qyxLQCIjUBg2g+o/EXyJv4a5bNz678qcvsAVYcP4EvUUMD1W
++Srl0hSBAuLrFJeyzSt9YkmDp4qJpYLUsnitgWX7XCZ/wmcevBHRAbqFMWo8BS/jy
++xHf3ZD02uwKukivwM74PmeNC9ZWb2dXM/BcTMKUn2SyJv5uoIyFTxJfGKE6gWvap
++CAaCpL6wQZVqNLKLapgVFbGevXhZSOBZ2EIhAWrrxwftoku4WZO1UD4A6Zb52dzi
++TA8P5OB/hCK2oa5DI4cM1gWgybYeUE+EysTrGFZMUmLyd2PmsprUQQ71AARZFQIi
++qM1s9Tm3oWQEynVdLehUYKTNhGV2XqKCRQZc51C+qR4N9lzdZQ76TuMI+PWjB5iC
++eFMOZSCRiDyuEOdHnoYDZoK8mB59l+FpgS32fnz9mjCq74mcyxibiDDY2QARAQAB
++AA/43bm7A5Wim7eY/j2QPjlHChLoAtja1D3kDY4WDjd5+fiqB1lPPbmDCCKg43Pe
++ATTbxbzKtg46wdjaGwJR2PztnhzVEQPlvxic06VzGVWT8vT2s36QTtBWlYwY0BxA
++c5kgOq9NY+pJBIELIT78piXqttqHcTYmwp9jgYT9H4uiA61jPvHDSeuBxNPipyhY
++fu8pgO3jFmsfzFqix4DKGjBsMA14mrpfE250FUxdh89FVk4/KwdqO2f3jBMipFdO
++UI16XgEpMVKySCJBHpp2tVCHkyMuYDYqQ43Uw6YusB5HRXSAJ44oateElQJDoT0J
++jpT/Sf/M8ZO5gDXfLgiu7NoKYYweDWE/hEOqg/lfnvDaB+n4yD53+cnnqMyCwryo
++nkI2zIWZhwhnRb+XCSCJbmB79VrvpCNUVv/2jVdVw6YwFbiw8QE61bPj70NjkSco
++0q8U7Esp3TzsRc5JgPkCk4Kb85UQepV2D+X91PHC2fbX7iZ+oZQKG0dJxdLIYIOq
++Y5GeBgsL8j9kskuRv4O63MqJ+SWrhQZM24WZvOpUqBbMWySB+ypQ0hYgLpVurpg2
++BBRAUhqCHaNBy5+8ydugojHhcTzB+kolORMZ+aWTEr3KcLGuf+IKGa+wa7e5IFFT
++XaJxkLj6ufsbvwx9YERiDYrrpBQ6I+leZvfSQZrE9RK2PQgA4nVuODRzO+nLQTtz
++kceArMs7ciiPLrJxYcimC+wpyjQ3s1WzrYR8qY39/EaB5MkYrtpgTWJ0Y+53nnJP
++miRPHqw42T3EV/7byDyZb8bkDNx7+dAmsPrqm5qEUSbq/9f9KhCcFGalEGVkFFen
++34BzbkB4fQiU+7D9/cVSgBvIuOuyQ95LhEHe3BYmfrnuvmKKXa1eClAE25okHDFD
++jrHWBIUP1o3VG11+JZYylWsQHDm99PKCSkYTqBXCRaTqlfmuFNYcq8zlsviGlepG
++1/51GdTf8dcw2Ij/ToK9UfoAWhFNZ9gdaeAfuPZ16VhVC6IUKsfO4JeYxVpVOTL7
++p4eFDwgA8FOe/jIPkmz2UyYDNoZoMCi9A8LBTQRf8QiklMxZtt68lwlj8jB1nLNy
++/ZwuaOJFco1rbhg/OslsoY5Q4pY8o0Hje84kCIDO+9agXg3T9/zKDAYaHQH1l0Mr
++Ary97VSajI0RtoXRVXGdM2haaGdclrxZBeTnYEni0IVpIqr6Jh4K94/WIX+8eVrk
++j+1vMln5esMjTvVRfpW8VxDOncr02hHdNn/ScLmA09f/v172Ue6I1HM2nx8Hozss
++VfR992zpMirYmIZb09wkO+txARc4UhE8T7mqGMzVK5J5Fi/OWgPO6H58jogHJeGh
++Uri2kWCP3txIesmrQAXWBeMrDgrTlwf/TeNutZUJLpNc+SncSyZgNtFK0nMXFWwG
++djied8/YYCRcNUrx0CWK2E9cim/EzaCK82WySdjOmluDWGmd2V3RgF4roxPo/XBI
++wJgDmfsfkSAg4OStnXPIyC5eiRlzRlW7d1/oHRi7lW+Wvprlddvq2Z68egov69J1
++tkIeN153Oj9p3CQTz87pf7WBti2UkxtuiXQjGFNTqlw3Mkx0QrMd7pWo/aREFS+2
++lIYjwuek4sBCosxqqCLaKsu01yK0x0mdugH9QDbuSvjEcp1TChGhs7Dn6nkKmv6S
++AgEEgQk01ryou+7k5Wlq2w4KulC1BOefNLi82r9X01n+IcuaZtXWkoXAtFZnaXQt
++dWJ1bnR1IHRlc3QgYXR0YWNrZXIga2V5IChwcml2YXRlIGtleSBwdWJsaWNseSBh
++dmFpbGFibGUpIDxnaXQtdWJ1bnR1QGV4YW1wbGUuY29tPokCNwQTAQgAIQUCWo6y
++nwIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCZQ2oehdgm+UKOEADQLlBm
++8T67zc6RokwEr6zYrC7WJZ1Ei//X2dx8vOTpIJZY+TPV05L34s20xUoX4P/2GIso
++CO17Gx0Igk2w8t65AlpIbp03dMOs52EhY9klqXfpxCyo+TDbafCNczIwyZdfVFRZ
++RoYGqhI+uwFpVjqC0Z6ltjYQ0gPR97R4jvjLSKxdqKsMp92Lr5Tnv0TgubptYy5i
++jOUguzFutth7khXRdF2c94F1wodevQ84DtRaxyvR26NPC2GTvf8mIXwpA5wazv0B
++j8+UICW2oriTE3SCC8e68RxDcSSOprdmQMdbx8LatIfQbXEWMkepCHQSP5Nh6zYD
++62ik8meiLIrCzQLRZVRLVtpQz2Udd+8e8RqncPDMNdTNqq/xmkAqFJ/iXMvF0Q1U
++/aB6fqiaae2iJFm93Eof0YYhEKvY45taY8nl5GOUQw9OUdURx26+lylkaVOq7QJj
++hIldGFX2AtmZaGdEZsjjVJ4PJOkee58+svmssVkgnM1uh0OI1TlxtmHb0qNLwbw/
++UukCO8NNU/pCMQZQOJycBlArvk0GNet6xO5PdEboLZY4t95zkdu90z6tTMzGjXzi
++Cxphyvfo22Zk4ajz05dBV2GXz3MYQysE3zXsckYoJzWk2DUXZOmJ18DzaIBnxxUy
++pY3PMnZ5LvUxWRmEkEvgswMeyvUV4elVZBplDZ0HGARajrKfARAAvAIA5NzHJ3Aj
++qhByiqT7mwsrsX7HWg1EuiCB+P5mnVyakY/QzQnpRRBT1BSr7Ipxip9manhEDgPM
++qN/SyzVpjGBHYypWMEFLkTUozg50WwpYPwKAX+LZkF+XqESCx7Zx2Q/cJpdCmgC3
++pjcBIT7NEXCiRZLEkvBwqMl74xgo0u+Z7zuFgUCPdd5NPGlzxyE0hFUStXIz6kZl
++BdzXGE3eGEKmo4CmtE9CoUlQ1dczTFUJ49jmBNzag/9v2P6q5flDdibrXTYZdUgz
+++5AhZK7Nmrsx4DA6bc2KJFetCQT1O2F4/p7eIxlHj9eJz2rY6/aTZ7M7RGLNltml
++UKdxD5tqzCNnVOFic5Ofh3K7Tddm+cHDnbj+gY5O1DNg4XOfKnPJoJQM34m6tR6D
++O+dr5/Z4TIcOMSKKwcZUvf8rk10MMssYgXpszVjoRuJS4zeQd71Mc8EXrahfocpP
++tE3tkCM0jOGSFelBGrfLcZFDVijZmiqizwN6HJqnKcxJGg/+hb4kgb9iVpjMGi21
++zKTOUXArfkZkW6l5/85iLZ0+pRfToPv4mtQx7Stu+dilDZ6cQ8d1y887Eb9BZeXp
++J14mRUA5mSYEe1jGXYYSlcevwzh7PwHX9OLsCajXZrlLQfLpQZdnRoIoS6uYXMl4
++KoS3ZOz24Js/KOkmtwlcCm+65jJdfRsAEQEAAQAP/jkgXLgt03/KxbNzmvJAzkje
++nJCqxpU4yeTKYuPPHUv8auUG73mV5OD85JPhEhpmOLjX1W1NjNQ7WFEJ7Ymcea1T
++Re2+XAD+niEJp5Pw9W8CVi0TLAG2ssf5G+JfquNXLwG3HXxGYtDbnfHt7bR12ibN
++9Ciyv3Mshvbqfe/Tk/gAIOR90AOlo9G7Ufmkyy67CrOZC/3BLUAm0qR05ZC3fGAf
++xHWS7lSEbukGF39ai/ZKMp6edcoNd4I7N/eV7kTBuDtq+QJSIWsvHMh4E4V9zfCR
++p8aIsQBTP4HqeCPw8zjvVa38hN/iWwm8gt3ZB/+u5TxRzBTr9q87A83diu+kmE7Y
++U9YKsCXzXdN8eSYadEtk5QKmfzdnDC9rh7cflAjZtH/JUlozcSbCsHiNnj7sp3E/
++iLSgooP0AbqpRElJkFQ3fR2SKmBMQMqHX91KCEKNGPN8Eh2lDpN/rFZQ9dntrL44
++Va7/2WOpFUXhmGAvDOvxMwsnPykz35fIR6HYwOTOFh+WCgRPuPOlHpjl6ZRRt8Ly
+++zfxBcr3Sz1h8oonOamD/Ga8s0h0dmLoHl/Oen8e9kUsZslb91x7D4SdeiBccrc8
++pkItZ0uAVl6DFnyjjTJxOikru2tj4voOagzsA8oATDgM8HzfiwZkC6LthlrLEunz
++DgSHmZi/N+0oddj+XWExCADLpz5mQdQDoFgQZ0UCOAEvIsR2b9YA168ndjrgoHpJ
++9fMUkBDUXc/iTH1hkS0J0vZtEobhoU8OLyN4QbYinq14D1FMWjhqp53YH4L1FUm5
++GKSq0H8lkjnQo2xQeKeyzcvO8co5/a1sYjCF8aLnxGhwPZlsbMv+6IjPh2EnzYpb
++Xs3PNu85fzOiUc7idjUYP6yAiCtjc4GOgddM/d87fv3gGnU59EvilOcI+leYQfNZ
++mtWqrWa2AbOiNT54qolAwpon8hf6pq8m5vMgeSeXj2/NdQPEQpQv3BaPjOjdx5/T
++2bIGRcWrFhv4qamBcXULVT05QVG13hHnVZ1GxLplCUPRCADsVUJrzRX4A6xwhOQn
++hmDPWlxfyUYPh+O5dykRT92hbKjTyU3uHAETeLJfiNH2gf9fGg9fEBjsNAtzXgUv
++dD2cmq5B9fwliXU8b3ETfkosCRHGcYgcvSmSLLVzoS8gEIUqJzRWo2ge3GVOHRDY
++DRoL6bN35hsfSSindFlnelxp6huT8tWrlQdTSsSxaeS57mUTXuyx6bj0GKllln/J
++rfRrKylzkiJiQAhuJAEskzSSUlY8dx9ZsJ071CfgRhIcNX6RFqo01PjXsYCuzFJC
++3YBN6phxdrW26k5QMXp5YGseuoMlZ50LldBXUiVJN4WV9ElcoZZ25WvK+kQ/nplu
++kMkrCAC72XYLvrVjFzbzrQ/G2r7LZVJtiqjo3zG+zSc0qYdu++1B5qDViMJHsTRz
++Vkm1WnEKiP75KHOfClFSrg73aiXmOQdNiwAHtAezhWUdj71YibuzC0wEYBlto1Jn
++wM+S5zwGKMzHG8eo/Mfej4QZ+7KAde4bH66CSPQo80j+vqtu8iJm4j8OBYWPYd4c
++CL8ty/ej9ec9MNtQWBdIUbxtl7mc0LrEun3yCeF3VSDJAgczFmfmiT8QuMrQWuKK
++O7oKkrS9KqqeUaK5HL4DrD6nh7eJpYqeVFUWbOPx3gh/tarOb/6AjGQ+EfcaiwcF
++YtbSMZQgyoPdl3/tbkIj0qfiX0QTfR2JAh8EGAEIAAkFAlqOsp8CGwwACgkQmUNq
++HoXYJvmLxBAAkJzrPDp2cTrmTVVkmzv2eUZ9czAeo2J5n2RJ5F51/b231t+JcObu
++NnvV+MNvhcODs+0Id7XhN17InnsTpzRJgpxiJf+HdteYqB2sKro2twyEWvCuyI6V
++xmP7j4RDUFeSdOCogfibg/80Sc0og+FW55r/JDb0ZOW9DGFS8gg8INmnWwb+qiOn
++9orILCl0RnTsioNADcXI/+D30axjD7l5lMKzRwtL3rdxo1ZWkkhoVFdGz1HHcNod
++ulV5N4SVT6NVpaj2PotvPiBpaqia3gutFkAwfbAgyO5f46ePmDqIJp0fsv/AhgTY
++8svXkbNwUEHR6yTvMpK7/yceqHRJjdc5ZtAA2zx41gm6u1Ht5kkQQNKkGsu6rpPl
++1MtW4o/v5JoJ2I9473VbpIYbIQ+oZwJ8E8sXzhg6szt1xRVXSU/tO0RM067xEoSy
++BOMTnsqNV1vU0tjAwVhkFjvtkPchXHZhGAp+lkJRQq+WUkkcNRPq7ppHzp/I6NUA
++zEuE+yyhQCp32G9Ge8/kbDmh+0IOgcsQTGsPQ7ZMHIggzWL8qiFg0IFgRkxYk+W+
++o6+OvDTt6A8+rs8BmBBbyARPmk/jz1HLD9337k5LIqcON9AOK72s+DWQsAedtSH9
++uyzOgv1fWA5LA4ZGNvYlyDmeDBZxhBOBVzBEZDB9+dqWUr5jB0ARzBI=
++=tGsK
++-----END PGP PRIVATE KEY BLOCK-----
 diff --git a/gitubuntu/apt_repo_test/attacker-pubkey.asc b/gitubuntu/apt_repo_test/attacker-pubkey.asc
 new file mode 100644
 index 0000000..aee77e1
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/attacker-pubkey.asc
@@ -0,0 +1,52 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++
++mQINBFqOsp8BEADUmBAMxDfLmpCAUv2WU+ozJ0I9IHh/nPmSKlIVYk7OklognJvk
++OkABlEnZucXzmzHWYla45wOn3RvCgOMZOVApRIGcI3Do+4zesK83Zz2ijNwyS//P
++do1TTlDiedRvE7rNAIJ4DwebH7Lx5UP5avgymK7JGX9+WFpAJtONdL1rruMpi/5O
++UU1dUxWN8Z3etdgmcI3rMwUAdWPX3RHWwEN6OTNySc30Tiujt4+n9UNBwFHzzMij
++yJSRxyBT31nMFs/7qyxLQCIjUBg2g+o/EXyJv4a5bNz678qcvsAVYcP4EvUUMD1W
++Srl0hSBAuLrFJeyzSt9YkmDp4qJpYLUsnitgWX7XCZ/wmcevBHRAbqFMWo8BS/jy
++xHf3ZD02uwKukivwM74PmeNC9ZWb2dXM/BcTMKUn2SyJv5uoIyFTxJfGKE6gWvap
++CAaCpL6wQZVqNLKLapgVFbGevXhZSOBZ2EIhAWrrxwftoku4WZO1UD4A6Zb52dzi
++TA8P5OB/hCK2oa5DI4cM1gWgybYeUE+EysTrGFZMUmLyd2PmsprUQQ71AARZFQIi
++qM1s9Tm3oWQEynVdLehUYKTNhGV2XqKCRQZc51C+qR4N9lzdZQ76TuMI+PWjB5iC
++eFMOZSCRiDyuEOdHnoYDZoK8mB59l+FpgS32fnz9mjCq74mcyxibiDDY2QARAQAB
++tFZnaXQtdWJ1bnR1IHRlc3QgYXR0YWNrZXIga2V5IChwcml2YXRlIGtleSBwdWJs
++aWNseSBhdmFpbGFibGUpIDxnaXQtdWJ1bnR1QGV4YW1wbGUuY29tPokCNwQTAQgA
++IQUCWo6ynwIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCZQ2oehdgm+UKO
++EADQLlBm8T67zc6RokwEr6zYrC7WJZ1Ei//X2dx8vOTpIJZY+TPV05L34s20xUoX
++4P/2GIsoCO17Gx0Igk2w8t65AlpIbp03dMOs52EhY9klqXfpxCyo+TDbafCNczIw
++yZdfVFRZRoYGqhI+uwFpVjqC0Z6ltjYQ0gPR97R4jvjLSKxdqKsMp92Lr5Tnv0Tg
++ubptYy5ijOUguzFutth7khXRdF2c94F1wodevQ84DtRaxyvR26NPC2GTvf8mIXwp
++A5wazv0Bj8+UICW2oriTE3SCC8e68RxDcSSOprdmQMdbx8LatIfQbXEWMkepCHQS
++P5Nh6zYD62ik8meiLIrCzQLRZVRLVtpQz2Udd+8e8RqncPDMNdTNqq/xmkAqFJ/i
++XMvF0Q1U/aB6fqiaae2iJFm93Eof0YYhEKvY45taY8nl5GOUQw9OUdURx26+lylk
++aVOq7QJjhIldGFX2AtmZaGdEZsjjVJ4PJOkee58+svmssVkgnM1uh0OI1TlxtmHb
++0qNLwbw/UukCO8NNU/pCMQZQOJycBlArvk0GNet6xO5PdEboLZY4t95zkdu90z6t
++TMzGjXziCxphyvfo22Zk4ajz05dBV2GXz3MYQysE3zXsckYoJzWk2DUXZOmJ18Dz
++aIBnxxUypY3PMnZ5LvUxWRmEkEvgswMeyvUV4elVZBplDbkCDQRajrKfARAAvAIA
++5NzHJ3AjqhByiqT7mwsrsX7HWg1EuiCB+P5mnVyakY/QzQnpRRBT1BSr7Ipxip9m
++anhEDgPMqN/SyzVpjGBHYypWMEFLkTUozg50WwpYPwKAX+LZkF+XqESCx7Zx2Q/c
++JpdCmgC3pjcBIT7NEXCiRZLEkvBwqMl74xgo0u+Z7zuFgUCPdd5NPGlzxyE0hFUS
++tXIz6kZlBdzXGE3eGEKmo4CmtE9CoUlQ1dczTFUJ49jmBNzag/9v2P6q5flDdibr
++XTYZdUgz+5AhZK7Nmrsx4DA6bc2KJFetCQT1O2F4/p7eIxlHj9eJz2rY6/aTZ7M7
++RGLNltmlUKdxD5tqzCNnVOFic5Ofh3K7Tddm+cHDnbj+gY5O1DNg4XOfKnPJoJQM
++34m6tR6DO+dr5/Z4TIcOMSKKwcZUvf8rk10MMssYgXpszVjoRuJS4zeQd71Mc8EX
++rahfocpPtE3tkCM0jOGSFelBGrfLcZFDVijZmiqizwN6HJqnKcxJGg/+hb4kgb9i
++VpjMGi21zKTOUXArfkZkW6l5/85iLZ0+pRfToPv4mtQx7Stu+dilDZ6cQ8d1y887
++Eb9BZeXpJ14mRUA5mSYEe1jGXYYSlcevwzh7PwHX9OLsCajXZrlLQfLpQZdnRoIo
++S6uYXMl4KoS3ZOz24Js/KOkmtwlcCm+65jJdfRsAEQEAAYkCHwQYAQgACQUCWo6y
++nwIbDAAKCRCZQ2oehdgm+YvEEACQnOs8OnZxOuZNVWSbO/Z5Rn1zMB6jYnmfZEnk
++XnX9vbfW34lw5u42e9X4w2+Fw4Oz7Qh3teE3XsieexOnNEmCnGIl/4d215ioHawq
++uja3DIRa8K7IjpXGY/uPhENQV5J04KiB+JuD/zRJzSiD4Vbnmv8kNvRk5b0MYVLy
++CDwg2adbBv6qI6f2isgsKXRGdOyKg0ANxcj/4PfRrGMPuXmUwrNHC0vet3GjVlaS
++SGhUV0bPUcdw2h26VXk3hJVPo1WlqPY+i28+IGlqqJreC60WQDB9sCDI7l/jp4+Y
++OogmnR+y/8CGBNjyy9eRs3BQQdHrJO8ykrv/Jx6odEmN1zlm0ADbPHjWCbq7Ue3m
++SRBA0qQay7quk+XUy1bij+/kmgnYj3jvdVukhhshD6hnAnwTyxfOGDqzO3XFFVdJ
++T+07REzTrvEShLIE4xOeyo1XW9TS2MDBWGQWO+2Q9yFcdmEYCn6WQlFCr5ZSSRw1
++E+rumkfOn8jo1QDMS4T7LKFAKnfYb0Z7z+RsOaH7Qg6ByxBMaw9DtkwciCDNYvyq
++IWDQgWBGTFiT5b6jr468NO3oDz6uzwGYEFvIBE+aT+PPUcsP3ffuTksipw430A4r
++vaz4NZCwB521If27LM6C/V9YDksDhkY29iXIOZ4MFnGEE4FXMERkMH352pZSvmMH
++QBHMEg==
++=uXoS
++-----END PGP PUBLIC KEY BLOCK-----
 diff --git a/gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/InRelease b/gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/InRelease
 new file mode 100644
 index 0000000..e6e4fd2
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/InRelease
@@ -0,0 +1,38 @@
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA1
++
++Date: Thu, 22 Feb 2018 12:54:31 UTC
++MD5Sum:
++ 4f48c54612fd07809b30057a9d276b03               36 Release
++ b953e2f94716ed61d0e20ce4199e882d               17 main/binary-amd64/Packages
++ efcc6e6d5e421f11a17c47c61b5918a8               16 main/source/Sources
++SHA1:
++ 6129e87be122547e3c1d8c92790bc77cba262812               36 Release
++ 17e117e61288adacc2a68bd92cd53ee4ce6d0075               17 main/binary-amd64/Packages
++ 29ecd6b099df45721dbf0169d574fd7cf0b77fb1               16 main/source/Sources
++SHA256:
++ 43892aeed88dde99f15204d74a8379595a1548b919d2f5389cc9c840a9d93366               36 Release
++ 356d78da143459ff58ab3232348a9d318b728fd2a25d964a61f4af21f7012209               17 main/binary-amd64/Packages
++ 106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1               16 main/source/Sources
++SHA512:
++ 04c3324cd464cab05b349c3d6b6ce08b7d7cf70e343b16cf03805220ca1e8ec3b2c084a906b06033bf917a611e1f309590d9c2f19c668cb06b87abdf641ec000               36 Release
++ d6b5e77247e78c60e2e277bfc5b32ac46090b28ac530c1a59e0fb1432025525b9643a2d3648fc6bc583a7ce62c8c3c0781a92d0ef9356bf71edbe887c7a922c8               17 main/binary-amd64/Packages
++ f62f22397280f07185a0f12122b7c757596a8b9fc34b798aad877ea27a96919ed14ca64bbedeea8f21baf44472e7c1fad398866e5ef41b79d89508da0d3180d6               16 main/source/Sources
++Acquire-By-Hash: yes
++-----BEGIN PGP SIGNATURE-----
++Version: GnuPG v1
++
++iQIcBAEBAgAGBQJajsGJAAoJEN8hzJEp/3jmzIkP/1fEdqVSfO1TySL+O8S6JbRD
++L3XlnOheGCL/eZafYtLf9uWkDt+43iXVeUrSQVcTuE6R7rBYxFVP/J03/AAq3LYP
++rqL0v43Qj/8XbG75FrepOP2BJWeZcPHQv5xe4ykPb1GaGJHbV8x2z0lFlhhv8z9C
++//1W+SRch/UPOMhCO+CYIcQr1iatjxZa0qK6CS7OR566h8Fw3tN0/YNUZ36XvQwG
++EcWUc7bim/7NZ3fBDZpbnb91VZO2Sft0vZOyd9Qg8AmxjCizaj+UQJdKFtiVkdhK
++vPMWSnt2kdCbpL5RX3yqx9g6+BRtIUhjEGnym0s9W+NIn9LkSaxHK8ol40VfDXLe
++x79ts3chBymAjqDecpQdf3NAg3vNHVL2ZNkuXZJwGjEcFfAoiDsbkVNC6qyAwC3C
++FRTGgdMrduCdaHkRZcIR2VRNsLUHm36x7PS9zz+B0m0GsD+u2BF7LmHqXF6UQ6XZ
++X2U+ccvfUUUOaW+pXUPGX8B+FQYAZ7TsHDPNO/GqWUIsesF7wxmjnbBGLK4fluWA
++86UaNrehmTGIzeTSXIj/QYma9HgSJ0gYM4gu+1rB8Na0V9QG/n+KyD3Ummec3cI+
++fzdy0D2LoYn4yNoWjMpze1nDSfhAw87qur5ITryQfMHj1UsImcZy6db23cD5wdAX
++F/gb/uPFGzHkjLPpJEGn
++=pY/3
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1 b/gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1
 new file mode 100644
 index 0000000..f46f8f6
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/by-hash.badfile/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1
@@ -0,0 +1 @@
++sources-content-corrupted
 diff --git a/gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release b/gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release
 new file mode 100644
 index 0000000..c67ce17
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release
@@ -0,0 +1,2 @@
++This file is signed by an attacker and this should be detected before it is
++attempted to be parsed.
 diff --git a/gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release.gpg b/gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release.gpg
 new file mode 100644
 index 0000000..16eab00
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/detached.attackersig/dists/bionic/Release.gpg
@@ -0,0 +1,16 @@
++-----BEGIN PGP SIGNATURE-----
++
++iQIcBAABCAAGBQJakCpRAAoJEJlDah6F2Cb5GxgP/0DAzx5bx/4ApuQZUB2nzRh+
++6pYm7y2ceFGPymtKXiNeuQQFmc2zfyR4cmSNovhk/w6wz1duwK7weQTINXiILPOA
++CVLKfYOjB5fHi6Fx6ZBBuS87H4dU/R3Y0o79AUtmiimoFv71PBqxYNTN+cwiLH3D
++Wm2QjTXWY7FA6+I/qTXP69H5WdniUDRF8hRVmNNEMws29Jk5tPz1zIGgpL/S2lZn
++8yanojtscaCvwp9TGLysIDwRoO0i46NxlUwHyj1VRhXPZystDXkXSDJnMEECY3ps
++ypaxsorzRoE0r1gLhbyYpu0ZVacNQ36XhKi+36YF4qvEQCVhL/+sJZ6UpFjTbUby
++5bC+2NlwgMepr8iE8Ov8flxeLQx/OD841jy6FbUrLu2K4nLn2JD0XlMMPYjFJeFy
++SZ3nCeaCD0GZdwRslv4DXL/aK9z2JX4daA9ChMIyXSJzZr7OWTqDo11qlIScgD2B
++QmEvUMZ0dCkVCrCuNEbTlybRn2GVgRfp/VaTmr+H5ro8AAFsJm6syKSlM2ITFliS
++RpkuWJa8YphJNUMpPujhzyCZ9K4mlqqZMCj2c4Nx4FP1+5RvjliZSqga93B+IXOP
++XB1T3sHs6AEvTtHnwemBoP/IaLcgH5lFsgL/aLCkWULvOnxDn5lhxb4FM/I085zP
++Kcxv/DKHKKn8Ztep7DZg
++=ADvg
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release b/gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release
 new file mode 100644
 index 0000000..d880aa7
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release
@@ -0,0 +1,2 @@
++This file is signed legitimately but has a bad signature and so this should be
++detected before it is attempted to be parsed.
 diff --git a/gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release.gpg b/gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release.gpg
 new file mode 100644
 index 0000000..f49bc19
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/detached.badsig/dists/bionic/Release.gpg
@@ -0,0 +1,16 @@
++-----BEGIN PGP SIGNATURE-----
++
++iQIcBAABCAAGBQJakCn3AAoJEN8hzJEp/3jmOO8P/1xfyqPmptW/vG5CUgKhsJNZ
++FEmueYsU4Za0NwfJmY5KeXBJqhfjkmgBtEbGfcV6XIBUoolmrg3qnTTLqnnhjH0/
++HrSLKAGVxDllGssIpYrPvth7jgn1A7NAiyE8RAuEi9nybFXb8o71k3HoMaqFWEIc
++NGyhvhVSL31J3CahrGKhXftNMfQr9FGYe7JaX5tpzUn4qWzH3xfkZER6Zya/BYRH
++Gzoi5VW3c7drGGaS5ffsbcF+5soTOko1FsanOgqGQHPsesta0b/tNNzW6wVv1NNf
++SmLYOvoM92niJcJSf0AWcFz1zroSuXTrOlMlpU+pdUDde740cTEKzgJkhSSB5eHm
++EA2fDvDEiO2io/jazhIWrWd8+fNC3WrCHJCPVbTQybwb89XHRstwROA18Z0fMq2o
++d2o4C+KKUHedSjf0pKwWVrr0I9mpMeDVlgsKqo8XSRNTpGzL3KUCjzGJX0cFgbUU
++1MXYjW0isPUDfdk0FeiYABIStYcGi6akCwWIKClVFBx6CseXAwJzQUAJF8JneNzy
++RfT0enAraY48gSQBpqjXyPIopbgAhgJmbBQ0jo/JLqmw7Py/SJBP9KZCGNMdjzOF
++aklhZoEf1xqKb/uqvCHta2RqlQzXLK6dDsjQcC/T3Z7IjUvm0/DsQA9SJsZAgqhP
++OdBZKAySj4SvvrpnA3xW
++=0OBM
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release b/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release
 new file mode 100644
 index 0000000..04d0f3c
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release
@@ -0,0 +1,18 @@
++Date: Thu, 22 Feb 2018 12:54:31 UTC
++MD5Sum:
++ 4f48c54612fd07809b30057a9d276b03               36 Release
++ b953e2f94716ed61d0e20ce4199e882d               17 main/binary-amd64/Packages
++ efcc6e6d5e421f11a17c47c61b5918a8               16 main/source/Sources
++SHA1:
++ 6129e87be122547e3c1d8c92790bc77cba262812               36 Release
++ 17e117e61288adacc2a68bd92cd53ee4ce6d0075               17 main/binary-amd64/Packages
++ 29ecd6b099df45721dbf0169d574fd7cf0b77fb1               16 main/source/Sources
++SHA256:
++ 43892aeed88dde99f15204d74a8379595a1548b919d2f5389cc9c840a9d93366               36 Release
++ 356d78da143459ff58ab3232348a9d318b728fd2a25d964a61f4af21f7012209               17 main/binary-amd64/Packages
++ 106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1               16 main/source/Sources
++SHA512:
++ 04c3324cd464cab05b349c3d6b6ce08b7d7cf70e343b16cf03805220ca1e8ec3b2c084a906b06033bf917a611e1f309590d9c2f19c668cb06b87abdf641ec000               36 Release
++ d6b5e77247e78c60e2e277bfc5b32ac46090b28ac530c1a59e0fb1432025525b9643a2d3648fc6bc583a7ce62c8c3c0781a92d0ef9356bf71edbe887c7a922c8               17 main/binary-amd64/Packages
++ f62f22397280f07185a0f12122b7c757596a8b9fc34b798aad877ea27a96919ed14ca64bbedeea8f21baf44472e7c1fad398866e5ef41b79d89508da0d3180d6               16 main/source/Sources
++Acquire-By-Hash: yes
 diff --git a/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release.gpg b/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release.gpg
 new file mode 100644
 index 0000000..c5789c8
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/Release.gpg
@@ -0,0 +1,16 @@
++-----BEGIN PGP SIGNATURE-----
++
++iQIcBAABCAAGBQJakDbbAAoJEN8hzJEp/3jmZKIQAJvyvvUwcJEG6PIgU0lYrK42
++4cAfSuSnsJg//eq+VTMi2qMMWzyEkcpkRV7Yhy3EMAgSmTsvdqJth5ptPq4Mpwcq
++Hn9hP/y/IEfoAc3f/gFdZ/RjDxhjFikJ0F9QwKNoAiurWpr1xyIma7cWlI70YrQI
++kjTfzJ96N9l2Z5hfMQFmjXKlh80cXW6w/yyAcdQPu7veeidRN2GdK0u9NrcPjNrJ
++UvMtdXMsuoeQzVhbEja9npbTwNSf7Q9Ap/NZXv9rgc2Mn41rvuw+aDo1cBpt0QiZ
++z67pXWIVfLLy9qoygti2CoAEccU/IODzGCJIhzTPRIU0XkrXvw2k5Q8GtUgAwbWn
++FxV9WR4FKo2N8yHiH+4MEmq1zL4G8o9vK36URoKsE57gx/bX/3XEKN0Qp8+/gyri
++7SuC5flCgG9TVbTpByzl6I+ikDXYb2rVGMpaj255gsMGHzfb54uJeo7VXvr8jy4j
++DBnHySJ0l4uwMxahBxNkxKk/KBTQ7RFwK/cT908OutXSM6AgXnlwxEW6QPKZcwaV
++dAJZtJns076Eb+6UL9wrlP2Ciy0ODwlxnFsMnQlB0L0gJlHwIpOPcVRljALTNjdf
++fvcnpUsAiBLIuqbbZ6Z6y4O7OQiNb8kV1idOKYFO4RNrO9/FBxlC5qREZPWEMSqk
++BPOjpKz3A33+GO+x6c0Q
++=KfnX
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1 b/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1
 new file mode 100644
 index 0000000..04efb3f
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/detached.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1
@@ -0,0 +1 @@
++sources-content
 diff --git a/gitubuntu/apt_repo_test/inline.attackersig/dists/bionic/InRelease b/gitubuntu/apt_repo_test/inline.attackersig/dists/bionic/InRelease
 new file mode 100644
 index 0000000..d2ab1b3
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/inline.attackersig/dists/bionic/InRelease
@@ -0,0 +1,21 @@
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA256
++
++This file is signed by an attacker and this should be detected before it is
++attempted to be parsed.
++-----BEGIN PGP SIGNATURE-----
++
++iQIcBAEBCAAGBQJakCMwAAoJEJlDah6F2Cb5Ge4P/RAIRPYmOhS9I1w3g4F53Y2y
++odmaXqjDG8Gam9h2ez6e3vkFUE0OUogE9Ng5o+RW7NP4cQ21Oei0KHExVCFCCHxY
++6tjw5eCvVzxiWKkvTqr1IidvafSKZpVCPxDPSUCpoSMHiPD2zes6rX2BENJr13pY
++7JCIlBfX+ZOqUgI7jGWEmPdBf3oQzRuJO2Nltty0eRv1eMbzoZu2eOsrbhy1N1I+
++kfrc+VSvaZmIGhtwWI3pkdW2XbXSzBryle+esofCde3dW6YReQcE8A48X+6PWt29
++U0kHSLYHntu4rJ4Jwk0r6EGKtjcTj9fpOO2K0/KnlnYzKk0lnFDxIstITmcnFz9j
++rf0ShXMfLeuoT9F9LCZKCl4178ZcBqjEFAzVjEKGN4QvQf9RM7cHHz+A2++Iu5al
++JiznirUkuR3Ifz+WSRHU9rZV9voV3PSQDJbRvqmZhMFmMSRp50dRpoDcQP9BS2V5
++m8ysVDxNIqn1u8Hkb2Mm8tJ4P3/ITM+slJpKPFQG7nOWmFtZ1AoKEemx3xRiAvRr
++PabXk7+1HrX2oOwlRSxq2cRpLfujfTqy7UFj7Qu2gRlqnAKMVhlo/EIQ7knFFMge
++Gqb13eDHit6f70g4+cTscRFM0XnqLpghiSFZ+cn/0ZttWipYpsNzjwbl+YvTndpb
++3x/kZz2pCtlgrYzzGtJF
++=PZMr
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/inline.badsig/dists/bionic/InRelease b/gitubuntu/apt_repo_test/inline.badsig/dists/bionic/InRelease
 new file mode 100644
 index 0000000..8040a1c
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/inline.badsig/dists/bionic/InRelease
@@ -0,0 +1,21 @@
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA256
++
++This file is signed legitimately but has a bad signature and so this should be
++detected before it is attempted to be parsed.
++-----BEGIN PGP SIGNATURE-----
++
++iQIcBAEBCAAGBQJakCPHAAoJEN8hzJEp/3jmnpUP/35GamMSl7n50xDAvUtGjVEw
++RUaMWvaeAVdAxLiWHaAjY7PyknniI38GCjNDKTByCLaXB4wcWb+N7KvRDqWUmfZR
++on+mxwGlbHS9DULd+wPjDVFvATrG/oYE9Jr+eKf5TGZfxkfg4kMICEEitO9TGqxK
++esx8hN2ZA+9ktzraAe3Z2DBHFizym47tbXCSRhS2QEvmJxf/qhhGW546WjvwW6Vr
++C7wTG3BVa2NH7nA/QaIfERbRcUXCiMC1kqayOcypLQLqjttcERB31BnFhd12TMsM
++VLZucbk9kHoujhfrzc5hKA16znGK8qPIeKwYt572kKLn/VrqfaWhgVZebzN/FPhj
++CHyWsRL3Wxfp5BaRRe8w3gOEnjCCAKoEVjF58uwf4lVCqzfArX9n+tJhi843prqY
++6cKcxlDkVuZDOiv/567QAIAPubjIxjYlqZMWGdZecGzNKGEr3hZDmztjg2m4jGGZ
++m1HiDXJgYQVjxKg9SFlk2OFYpC+ivseWQeGmiNI/TPFtvTJMMP5d5MK+iltdWjnB
++YTXrg6JFEQGsbDSzecA6gpNuU5Taint5XsalmBFyBpXmCYihHWI/l5oipOhYSRGt
++qWdAHPloCMq9jpQFAYPxuYJNsWF5OrOXydJm68u/D8PL8SZ/cgGvszEBSJyHzbdJ
++wF4JCVMJB3Hdx4NI3yNh
++=sA9W
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/InRelease b/gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/InRelease
 new file mode 100644
 index 0000000..e6e4fd2
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/InRelease
@@ -0,0 +1,38 @@
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA1
++
++Date: Thu, 22 Feb 2018 12:54:31 UTC
++MD5Sum:
++ 4f48c54612fd07809b30057a9d276b03               36 Release
++ b953e2f94716ed61d0e20ce4199e882d               17 main/binary-amd64/Packages
++ efcc6e6d5e421f11a17c47c61b5918a8               16 main/source/Sources
++SHA1:
++ 6129e87be122547e3c1d8c92790bc77cba262812               36 Release
++ 17e117e61288adacc2a68bd92cd53ee4ce6d0075               17 main/binary-amd64/Packages
++ 29ecd6b099df45721dbf0169d574fd7cf0b77fb1               16 main/source/Sources
++SHA256:
++ 43892aeed88dde99f15204d74a8379595a1548b919d2f5389cc9c840a9d93366               36 Release
++ 356d78da143459ff58ab3232348a9d318b728fd2a25d964a61f4af21f7012209               17 main/binary-amd64/Packages
++ 106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1               16 main/source/Sources
++SHA512:
++ 04c3324cd464cab05b349c3d6b6ce08b7d7cf70e343b16cf03805220ca1e8ec3b2c084a906b06033bf917a611e1f309590d9c2f19c668cb06b87abdf641ec000               36 Release
++ d6b5e77247e78c60e2e277bfc5b32ac46090b28ac530c1a59e0fb1432025525b9643a2d3648fc6bc583a7ce62c8c3c0781a92d0ef9356bf71edbe887c7a922c8               17 main/binary-amd64/Packages
++ f62f22397280f07185a0f12122b7c757596a8b9fc34b798aad877ea27a96919ed14ca64bbedeea8f21baf44472e7c1fad398866e5ef41b79d89508da0d3180d6               16 main/source/Sources
++Acquire-By-Hash: yes
++-----BEGIN PGP SIGNATURE-----
++Version: GnuPG v1
++
++iQIcBAEBAgAGBQJajsGJAAoJEN8hzJEp/3jmzIkP/1fEdqVSfO1TySL+O8S6JbRD
++L3XlnOheGCL/eZafYtLf9uWkDt+43iXVeUrSQVcTuE6R7rBYxFVP/J03/AAq3LYP
++rqL0v43Qj/8XbG75FrepOP2BJWeZcPHQv5xe4ykPb1GaGJHbV8x2z0lFlhhv8z9C
++//1W+SRch/UPOMhCO+CYIcQr1iatjxZa0qK6CS7OR566h8Fw3tN0/YNUZ36XvQwG
++EcWUc7bim/7NZ3fBDZpbnb91VZO2Sft0vZOyd9Qg8AmxjCizaj+UQJdKFtiVkdhK
++vPMWSnt2kdCbpL5RX3yqx9g6+BRtIUhjEGnym0s9W+NIn9LkSaxHK8ol40VfDXLe
++x79ts3chBymAjqDecpQdf3NAg3vNHVL2ZNkuXZJwGjEcFfAoiDsbkVNC6qyAwC3C
++FRTGgdMrduCdaHkRZcIR2VRNsLUHm36x7PS9zz+B0m0GsD+u2BF7LmHqXF6UQ6XZ
++X2U+ccvfUUUOaW+pXUPGX8B+FQYAZ7TsHDPNO/GqWUIsesF7wxmjnbBGLK4fluWA
++86UaNrehmTGIzeTSXIj/QYma9HgSJ0gYM4gu+1rB8Na0V9QG/n+KyD3Ummec3cI+
++fzdy0D2LoYn4yNoWjMpze1nDSfhAw87qur5ITryQfMHj1UsImcZy6db23cD5wdAX
++F/gb/uPFGzHkjLPpJEGn
++=pY/3
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1 b/gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1
 new file mode 100644
 index 0000000..04efb3f
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/inline.by-hash/dists/bionic/main/source/by-hash/SHA256/106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1
@@ -0,0 +1 @@
++sources-content
 diff --git a/gitubuntu/apt_repo_test/inline.injection/dists/bionic/InRelease b/gitubuntu/apt_repo_test/inline.injection/dists/bionic/InRelease
 new file mode 100644
 index 0000000..f15ae3e
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/inline.injection/dists/bionic/InRelease
@@ -0,0 +1,37 @@
++Injected: yes
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA512
++
++Date: Thu, 22 Feb 2018 12:54:31 UTC
++MD5Sum:
++ 4f48c54612fd07809b30057a9d276b03               36 Release
++ b953e2f94716ed61d0e20ce4199e882d               17 main/binary-amd64/Packages
++ efcc6e6d5e421f11a17c47c61b5918a8               16 main/source/Sources
++SHA1:
++ 6129e87be122547e3c1d8c92790bc77cba262812               36 Release
++ 17e117e61288adacc2a68bd92cd53ee4ce6d0075               17 main/binary-amd64/Packages
++ 29ecd6b099df45721dbf0169d574fd7cf0b77fb1               16 main/source/Sources
++SHA256:
++ 43892aeed88dde99f15204d74a8379595a1548b919d2f5389cc9c840a9d93366               36 Release
++ 356d78da143459ff58ab3232348a9d318b728fd2a25d964a61f4af21f7012209               17 main/binary-amd64/Packages
++ 106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1               16 main/source/Sources
++SHA512:
++ 04c3324cd464cab05b349c3d6b6ce08b7d7cf70e343b16cf03805220ca1e8ec3b2c084a906b06033bf917a611e1f309590d9c2f19c668cb06b87abdf641ec000               36 Release
++ d6b5e77247e78c60e2e277bfc5b32ac46090b28ac530c1a59e0fb1432025525b9643a2d3648fc6bc583a7ce62c8c3c0781a92d0ef9356bf71edbe887c7a922c8               17 main/binary-amd64/Packages
++ f62f22397280f07185a0f12122b7c757596a8b9fc34b798aad877ea27a96919ed14ca64bbedeea8f21baf44472e7c1fad398866e5ef41b79d89508da0d3180d6               16 main/source/Sources
++-----BEGIN PGP SIGNATURE-----
++
++iQIzBAEBCgAdFiEERWDUrwcfVETLrYJ63yHMkSn/eOYFAlqVQHkACgkQ3yHMkSn/
++eOb2ow//fx68CRU2GYMwMaBNZP/S8a/2jfr+zMA403hmmx63Mw/0t8w8dHBQrmxl
++MgmDtcyJvsqdF/zi1cWJzyPFK+0xrMPP6U+jNw07eOg5+IF+l3GlzPQuf0BMaxPZ
++DtjWL8Nwu9FeSfcFv9xrk8Bg7LbnFWLh1hmKmPQUnDju/vTVV1XI4cEK2mxVxhm1
++UiUsOyGXY7tJJyP3sJVCHSMpWzJfmBGHjwgcHRqTA1s341ticw1J3OCUnYaMya8O
++HZ+zgqsPRZGD+VD/3On/5OoJdzBblVlVd2YMfdQuFq6H4xvxWMntGkQ4f3zP2jt0
++3/GVLc2cUqbSKkkhbbKP82rj2xdLW+Y4p2u/9TxLL7YoM2qBq49L8Hw2WjbSaN62
++955pOQZ7UIKr9b1K7lppt4nQW3Irt4wC5zxl8ibPT/FGxxPmSbhLq4M5TQZEX3vi
++zLrtMl8ffgqO/qnT/ieQJW0g0KM9STHqdDFwYNiSY4EP3L0mI4EnmK4FxiwD4hKu
++Lge3L8vLFgokiXAswy0c79MaElLKJRQ9yn7hKTl9sdrTsaqtl6cetKufjhlcmOFz
++XF2397WNPisnOkzd/CIb7O/mVO38/HQD7xtj4ONeoYMrH/UAtCp4dwpFcFTP9Lb6
++w4PagHdUC7R9mYaHcrjMA75RoDo/MoULmqAoemiQEgbZQ6yY2zQ=
++=gQ3h
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/InRelease b/gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/InRelease
 new file mode 100644
 index 0000000..5f4a268
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/InRelease
@@ -0,0 +1,37 @@
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA1
++
++Date: Thu, 22 Feb 2018 12:54:31 UTC
++MD5Sum:
++ 4f48c54612fd07809b30057a9d276b03               36 Release
++ b953e2f94716ed61d0e20ce4199e882d               17 main/binary-amd64/Packages
++ efcc6e6d5e421f11a17c47c61b5918a8               16 main/source/Sources
++SHA1:
++ 6129e87be122547e3c1d8c92790bc77cba262812               36 Release
++ 17e117e61288adacc2a68bd92cd53ee4ce6d0075               17 main/binary-amd64/Packages
++ 29ecd6b099df45721dbf0169d574fd7cf0b77fb1               16 main/source/Sources
++SHA256:
++ 43892aeed88dde99f15204d74a8379595a1548b919d2f5389cc9c840a9d93366               36 Release
++ 356d78da143459ff58ab3232348a9d318b728fd2a25d964a61f4af21f7012209               17 main/binary-amd64/Packages
++ 106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1               16 main/source/Sources
++SHA512:
++ 04c3324cd464cab05b349c3d6b6ce08b7d7cf70e343b16cf03805220ca1e8ec3b2c084a906b06033bf917a611e1f309590d9c2f19c668cb06b87abdf641ec000               36 Release
++ d6b5e77247e78c60e2e277bfc5b32ac46090b28ac530c1a59e0fb1432025525b9643a2d3648fc6bc583a7ce62c8c3c0781a92d0ef9356bf71edbe887c7a922c8               17 main/binary-amd64/Packages
++ f62f22397280f07185a0f12122b7c757596a8b9fc34b798aad877ea27a96919ed14ca64bbedeea8f21baf44472e7c1fad398866e5ef41b79d89508da0d3180d6               16 main/source/Sources
++-----BEGIN PGP SIGNATURE-----
++Version: GnuPG v1
++
++iQIcBAEBAgAGBQJajtw6AAoJEN8hzJEp/3jmxO0P/26hJvKfSPuiCLcJw3sH4FxS
++N26duNo1/Afx/nFrQLkX27hIby9YlZcbqkFkoBYcvHzrCsWmRbdjYtOPXaP9B58Y
++XNq+jECTYfl6bVPiwwSMO3m365+1V5P6OxM+YuyU6W1IXDAI2rQUn7tyUK0DN1iW
++wSknkkAajZm+dAbTD20bkR+kWfK6ZM1U24zJF6WRKB/VGyykioy35ZUUpxwxOG5T
++Mx538CDS+cReGTBPfhN6863RSwIaDOS7DzsUXu2ac+9QQ3HvejCzgRK8Q10xDg4p
++21i2YiHStJYLz2/Ai4jbZa58rAHG1e8QNNv7gZN2fgTcD30FvZNbHzrPgiXjHCVv
++Q+rD8VxSjZwgWJOBPZ3zJMx5UqNKPay2Qs1Bd78pfkESDftoYCxayzJ1zWJaCNdC
++vjRlQxqMO5HRha1kE4fM1pEl4rHzt3Byfd0hnW1g/bgkiM08jooId+U9JTtt5aon
++zY0f/gKq6Gz5mCZ5RMmVq7cO4FY/gMlaoJ2LfnvtkFI6sBOKUavSue6JIh/G47p2
++UqXj1zvccsFyHwszP3fuzJyxyVOSxTMcdzA/bxldvmBWo6+/XSsFRb42UxtqZNdM
++GIYBZQQ+Y2g6AMhbaCqTJO5B6f35mWTsYuFZK4EzQtqb4KaNfGkiBt0Il+Blk6G5
++k0CY6q4RAiu2dClrQewc
++=IfTS
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/main/source/Sources b/gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/main/source/Sources
 new file mode 100644
 index 0000000..04efb3f
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/inline.no-hash/dists/bionic/main/source/Sources
@@ -0,0 +1 @@
++sources-content
 diff --git a/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release b/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release
 new file mode 100644
 index 0000000..3ef3c01
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release
@@ -0,0 +1,13 @@
++Date: Fri, 23 Feb 2018 15:41:34 UTC
++MD5Sum:
++ 96cf5221942bbdd05baa3c1a7da738f2               36 Release
++ efcc6e6d5e421f11a17c47c61b5918a8               16 main/source/Sources
++SHA1:
++ b9c980e63fc0e02f0a48763e4498778d58e392f6               36 Release
++ 29ecd6b099df45721dbf0169d574fd7cf0b77fb1               16 main/source/Sources
++SHA256:
++ 1b4b9f56a80c231ea7e4d5a036903e4f9ccd690bf6845404ea3db21e22ddf647               36 Release
++ 106acf8f3542252ebbd46ea8ca10719d847208c2067c483a8f4568e70bde41b1               16 main/source/Sources
++SHA512:
++ 529a92dd8e2d35cfd50ffa2dd93023ebd4c26005ad4430772943225d8276aa828686b8744a5f4afcc7a2183441ffb61eb94056d1d63e1d5cdf66e242c2a11940               36 Release
++ f62f22397280f07185a0f12122b7c757596a8b9fc34b798aad877ea27a96919ed14ca64bbedeea8f21baf44472e7c1fad398866e5ef41b79d89508da0d3180d6               16 main/source/Sources
 diff --git a/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release.gpg b/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release.gpg
 new file mode 100644
 index 0000000..b92cf3f
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/Release.gpg
@@ -0,0 +1,16 @@
++-----BEGIN PGP SIGNATURE-----
++
++iQIcBAABCAAGBQJakDZQAAoJEN8hzJEp/3jmC4oQAMFRCyWlJGXdoogJfaW8bs9F
++biYcRquy+3tRk0Q4DgxedDBF/A6z1mq2ZHsF5q1pWMMPwqHhM38gz7Q7esvLxOGi
++7ITNakOZxHdlJOmp8ALm8fPb9HQ9+3xSrymA6Et+M+5If7EC1i9M7tKGT+lC7Mqa
++s2Aqw3xuJodI+FBiPm+Q/n4/5/QWAqRziuStvPnFv9UE923gMXfYvosoPXH6QRlq
++vCmxmHIb3szb5yaRACyhYRJ5/grhmAq7XL5VUlMMBxIRrESWB9WY+CcH2E/4oxOp
++RJlpFaQhW/3LrCTDVGxDK/x1av1lJYmEmZySyAjm7+QVaTvi7Xiqe0KYFLcyObck
++dOShT2InaCQPU9v8vdetRg6J6Xj9lZAQoGIKv06/dHVcjnIeW/Y41wa2AroWoYI1
++Cwx0qBxATthX4BXsqsoNkDiRyBJz0KwAna9sIX96QpKBJZjZaKlOetYTGcy+6Xt5
++UlYfWHqCKwhmTlbvG2t8diS7HICsxr46Utp42N8oX8mL1fXVDLuSGTQLSu8Cy87t
++ZwRBTE1U5JEgii0zYMTb1P9UOD8SEd52vv17P02KdRnbso3agMVsUwE63VmshjI/
++QSoqVPmo7SL9h+rj3GYRzBfzKH/c7w9Wo2tlXqKEtmulmRdlH1p+2OYYmC+eLj7M
++XNs2b+cmAqgF/JS0sZ8n
++=/Hli
++-----END PGP SIGNATURE-----
 diff --git a/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/main/source/Sources b/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/main/source/Sources
 new file mode 100644
 index 0000000..f46f8f6
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/no-hash.badfile/dists/bionic/main/source/Sources
@@ -0,0 +1 @@
++sources-content-corrupted
 diff --git a/gitubuntu/apt_repo_test/nosig.bare/dists/bionic/Release b/gitubuntu/apt_repo_test/nosig.bare/dists/bionic/Release
 new file mode 100644
 index 0000000..bdf6a0c
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/nosig.bare/dists/bionic/Release
@@ -0,0 +1 @@
++This file is not signed, so should be rejected without any attempt to parse it.
 diff --git a/gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release b/gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release
 new file mode 100644
 index 0000000..bdf6a0c
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release
@@ -0,0 +1 @@
++This file is not signed, so should be rejected without any attempt to parse it.
 diff --git a/gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release.gpg b/gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release.gpg
 new file mode 100644
 index 0000000..e69de29
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/nosig.detached-empty/dists/bionic/Release.gpg
 diff --git a/gitubuntu/apt_repo_test/nosig.inline/dists/bionic/InRelease b/gitubuntu/apt_repo_test/nosig.inline/dists/bionic/InRelease
 new file mode 100644
 index 0000000..bdf6a0c
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/nosig.inline/dists/bionic/InRelease
@@ -0,0 +1 @@
++This file is not signed, so should be rejected without any attempt to parse it.
 diff --git a/gitubuntu/apt_repo_test/nothing/README b/gitubuntu/apt_repo_test/nothing/README
 new file mode 100644
 index 0000000..8469453
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/nothing/README
@@ -0,0 +1,4 @@
++This directory is intentionally blank, and this file doubles as a means to have
++git maintain the directory. An attempt to read Release, InRelease, Release.gpg
++etc will always fail, regardless of what subdirectory we try, and this should
++cause the appropriate error.
 diff --git a/gitubuntu/apt_repo_test/privkey.asc b/gitubuntu/apt_repo_test/privkey.asc
 new file mode 100644
 index 0000000..6f3a90c
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/privkey.asc
@@ -0,0 +1,105 @@
++-----BEGIN PGP PRIVATE KEY BLOCK-----
++
++lQcYBFqOpd8BEADEeiZbEKWe30H0dkn3ZmgZoCWGqL5wZ6Kti/f4OFYbeEFg+jmb
+++oOr4lyYWqqJyWQ9MBmV0vo6XtDihTa9kfvJdf0g5AgNVETZZoGCiUtf56DQj8Eo
++/Q3LbMx02k1fRLy4Fz3R0t9HuIev/4BXb2YlhMPakVQLNSaTyE/i8xKI79ItLrY9
++/EB7iut2HLQkdZbVfTzapJB9eU9tAvszHkgckWu7VCYpqFX6/G0JL8rzOpvuWoRR
++zSRmSrLQfl0niddr3BwwimLgxwDqsIv3rI7jM4UAmUiGly+H1/pAMxszebQE0bS8
++ljSpL1Ksde6+VK4OHCewf3n9iKFbD7Q+qkWlFTutN91B6ifHukTqaW3T+YJzOVin
++KFm23+VoyHyNxivi1zlRQDDOi7w3ZeeB5iWIHoBvrS+6BBE4Qnc8oepH8K5+Ox5D
++RT7ACl7BjvriH0dWQww/MWCfXVKjNF5hmXsUUpHdo0gAK4/ZQra+5VPV9/2YOFgF
++VBqkOA2wJSTgnu+sYL8XAS8iKAP1uvlcQKgtbcIHcyPpkkmklXlZq5HYDfq4nBlL
++3GZSJqNVHcDCIIH1RicFNrNRllWivNhcO0CV5Gu0Lc3+r6rPGtAQkMt0GtPVl/Nz
++2rYRpeIAbq/A6m6BXNJndIP1Y1jW/xkGsEnnolStnzfarpmPfabZGFUowwARAQAB
++AA//TDhWyN0cYxWZMIzzBNbla4uFA0hTGKgbo9e4ysKQJPfx5P0tfCUjD3sxEKmb
++nvhRuqr+QfEmwZ4myrmDEuefFfh/ylKsDP+z9eKeO1Wnt/zTlhUuigghYdlDN9G4
++Uk0IKSJbCRsVI22itdQYpdLBfayTjibyw6ZK4OnEk/ZYKmde0chdSo6hNUwfLCLW
++f45ehVOgV/GfXA3Dkjal3J7SusJvWKy8YUy8jjF+2yF/SfxioYTb8B/1DvnLhLaA
++zOXcfCtXhD0rPqf04xa6NcrrY5iI8EKGsC/WcIyIuH8a/k0oWPZBdyeOJlQFboIR
++rCSNoUuq2f2aBZELh5gABI9plIMjyaMkf7HPeVMZ1qohJIHpI0n/KRJ7WfQnTMxt
++gUPCX0QXMllmC87M1Jn2ORtczJxzim2QaBZNHjpuQkBqzn2mzD23ph5KS2JpllvE
++2SzK8vPMcQGCcTdNWeuuMrBf4XaMP+pCiXZglk1Y6MwwrAgZL+GYq8uhZ1tyba9v
++ZQ1FWOSxklnxz4DIf9MdYtQfOTBQUT5maLt39e+hNojSOUwMQD26dAMrnO2WFtCW
++HWMhjeFO02R5/qo18bNUqEVQSHgpUzK+sthK5lrnkVsJWiO4yD/xmvhdhSlpIrC+
++zcoz5nks3g7TDLtavP7e6B52ZhwWg6jHThCiJgtvSTM5UQEIANnv5rlatBf0fr9O
++D0wS0j50yIfuQNbEX4awIyMSutF6exfau+idgCDhmenk7DxjVPdf4v7tQ3aOirP4
++7fuHwkwevSDOauzflUdZWA2BKzg+TWHd01+Ft7h1ivUDhr5OsCRtpXkX2IFyktMY
++VQXEBnMJgLaqm9ZprO49pYER68pV4QUdnSXvB4D85ayVASS6xqpfSSrIMNcpIe/j
++pEeBEPmadxW1ixyQiF3lcLF99BsLNJtaggbKZd+CVgeEh2bnDkflw7Zwbo9P4tOR
++UQM/gZZTK6Z636VeM7ltq5NussIFYKWDLfDdmAyWOEf9mmItNbyjqvtqWHUv8mPA
++5yUXMCsIAObKwrgLTkf6doxAYj53DZ80mjp+WJul+J9G+/uAkD6a0do1mOFmJM2G
++pNO0aqGkzEXlrQ1deObfbipR3/t6sv1wj5jnP2TvGY5zMv9ZSDR8jSldGBB9wdjB
++NfYhWxy35FtvjXx9SbrEswsYeKTSv6R6YA64t0M8xvzdpM1Y1Pb5G6ZHgcu9/sE1
++IiT5pI8ZP/DiKepbAV8gqEUCZOWrQi7nI/EYqMSsD3N8RvQbCBaNTChVupMtrpyt
++9r6bkYwWXsQjOiHMWUeG60DSXEjOmAEro7u5Er0SSxW3Ebx3r387C1F0sJ289uP5
++9PjhWpwaZLOe+AONKGhK75zTNcBOhckH/izvlTWXyaOHj0JqSsw+Oo3dnP50Pos3
++JITsZ/A4UhSC+PoP0ZD/OhGlgsuu0q7GI45zxhDyuFRpj/U2i6J47nHI4JiIF3HC
++z/U1D1Bwh9CQXgWqziE3EJ1stDZieO1qIRJpMUpj0E+BWSOtPhbZml5bKA9kqm0X
++fzLb51u3qtEWId6l3Y6in0CBjNi1ZVOSsME6z3znzs2hJfj6YMbRQs8/ydT+XYMT
++vTvK4Jsgn3tMPpQDzjTLzdx9Y147EFQr83PmdF7r++KgsbwREPbgZwkMey5Zx6Yz
++rn2zPY8p93vCRWDU/d+000rzFPFi4tlG3yDekTY8ZR3I0ndaPVAl4gmIvLRNZ2l0
++LXVidW50dSB0ZXN0IGtleSAocHJpdmF0ZSBrZXkgcHVibGljbHkgYXZhaWxhYmxl
++KSA8Z2l0LXVidW50dUBleGFtcGxlLmNvbT6JAjcEEwEIACEFAlqOpd8CGwMFCwkI
++BwIGFQgJCgsCBBYCAwECHgECF4AACgkQ3yHMkSn/eOYzGxAAsgF1kYi+aT6oz00e
++6VQO9y6wLoQ0JTnFiZwmFJcFUzDSBNlmHe7FShkoWYSf7TWGmVhXV5fS/Qv/B6dW
++1XqOHAKLykU0OA3CPgcyWMdBZxBoqxqkC67OJong81VdCjrR3EtUPerToUj+W6W6
++StGsDgGkfiFvWtMrwZY79cHXpcl4Z5P59F5O07x/5QB8cz2SeT/bgWzS2W6vqe0t
++M6KF6Fv8U3GiWu4KZJYl3Udk9Ywdgt/nIYmwssSQxB44j8aLoYBbpvkjpIks+U7/
++5mrseE/HkFXr4dSt8bViGlAhwEw7dThtqjSBHG/1udqoXnUemMiZIaIAxd+hyc/W
++2hO6S0Q2TBAXVpFXUs+EdHYdrjkpLYhL7aBgoyJMA2AhWqEiIY+oYEfVwfu8lf67
++1H9Wl/+A2+Dq82wyudNhNJAPZFpThe9M9Me5uwWGg4siamCFUbusAM0WqoJ/01xV
++EXiDmwgr8LpMAksbqDrXXqJnsuIqlTSELzev2oiWqthYwSokvAQJc20p4OOD/q+z
++SFedlz6xge/Kk43ABls7rTskMGOJ3A1qsA88ewnkcpEIlKYH7hBBrJBC0/3Ito4y
++eOtJrUjEMdJqKhU2a6asllj2WQpxzfpXBzI37e9nzCXbtOasl/xYnvglYKxclTvf
++9MS37GO/Qlwp4scPSchKlTJ5pYKdBxgEWo6l3wEQALxZLWJrbJQuYm1So+PApLDQ
++PFut03pjy5dUUBdcc0K/nUPAsfV0a4qLiniSiQhysYK5CdwOcWnR92s5OhPL4bd7
++Lr8CJs+hX4yPIqNRupHgz5/AvAwFGyVlh5ayiFmCmnBMUjLmQU24DHWePRNT0fOi
++PX8j9MLYZrkCb65sU9YXXPEvX1+XZCs82NO3pavDV29PjfJeQ4ME9iEUPH+/WTtH
++oy4E9y+5jNBOvqg5o8ZnIBRvWmr3ejp47beTkAahhe1c56QLx/UfqJfEN6BwL63I
++zxwGLY0NiQtAY9RRE1Ad1fd1yGqA7qagVieBPVU7cHi9Z/Cr6iy21jVnKylGj3xP
++dfHlIZjqXykr6uaWAIHwmgqQfYuSAf1wItLNQeTfsI3sVF3bEjngh8xfj6qs0f4I
++PsDAWAwDzdz7mjWWy3WwZjEpBmnWUV3Yl61y1YIdBJP18Q40T3qQn3GoVD4vxXSL
++3i7USNSNywsMYDqBo0OhFLarwu7t/fvfbroXLwzQCUTcOeMYgXgvp+D1RrKG5L04
++uAxRDzwpxfuJzjmacmMbMCM6EuhuxlYuRiyUytTMeh2JnHqENoDyyeNZAssTKALG
++HiONVmKQ1poVbA96JzcdSs4afsoZz+NlXnOCJAGLKDLZYvuReR5bJuhITLDgVwnG
++rICfRynMBe3Mk3dexewfABEBAAEAD/4g7kyfmR2uWN/PsnPCNeP1oCr1cpJ3oywt
++BMpOE1V5tavm9TGIM3c8DYLD6wb3iaocq4KcTZApytLCFgrf/DU2UdzN+6/SfKoK
++ltodCQSgTdivW1DlnxzscHCA+i0ZzVp4SPfUO2rujj/rbqPKFc0vFk4/RQed650m
++OtVQ/1K3K3WOG9TGj18tqiFU/xaBzhEi/ptYZX/TUBJCnVmokkmlMjTHLooTd5M1
++tpbiLdXDMjOrLv71ldhykcMqZiv35NTYN/auOXsYEhV1l5KMRCEp9uKzSSc8ssGj
++zHnH3PcN+nF3J0pHyMwxKPZ3SMLy/IYBLkiWjVBPyhXw1112BYa/jdzVeRVgzNho
++w+nOoRG23XbPAEXRxVd3R2ksycQUfqFco66OLQVYp8n6pAR+tE+vFuin4xuW/kRx
++m4R3ZX/mhouUxzau6QLthBNkTgg5DsEgReTDIwUaJR/Kx1lhx+MwlzJpFfYK3gNz
++Oz+6rVEmR0Zxy2yvVzSR1K7dCBJmeeXTXDwEKp/hJT2yJn7BE/5VSYB1lB7bBsW1
++5dYQN8gaTmVCmqtPCcrmjGgjcKf7RGyaB71vW+p0W01WIr3cRW9zjWAPOxRw/GgQ
++ls5IXCn7gHVmZCEAMjS/OXMGnNlTJvzQD5pneTigqaCyijq+jPf8gZSnOxQtDz51
++tjSzzjyhIQgAzAOEK51oEMPIYzy1Fx6QiBShU6LyoT5DhL3S8vlhtyoQI1cnCUZ1
++WkJ2uuek4BD1EKsH4sxlv+aWWmk6I5mfB1Wpbmkc0RAaJHbktwmnbtRYrPQPlA+s
++VcXzyUqEVasuysMqZJTNBT7EicC/LbyoJM8ArLnACdn65l6H1QYMJplhXVjLkWeU
++pUcpCKy2zGho9ebujQtsjcPIn6gk3cEFXhQYDuG9F8XJoGrMGxEMk1WSvj1U1SqE
++swR7PG+JUd/9OXw1ZxMqIwF2xzTg8er4zyYaR94vCs4goEgkz/E7/aZjiSvEFcI+
++xt19RFm/ZrE179Ft594XMKXJ/BgE2VVNfwgA7FfBrLfQPYwEDF+g530sVHoYjLH6
++yA2Vo8Hvgt0qtCEfOUjGuCiak0gg+SM+ARGzgkGiA+2/q7QSbfuk0lRMualzUxiU
++FZ+q90cJEU7I11wTfpWv1/PRiAeYdFe0wIiPzsdMJOxjwgDQecbQy0lVERWB8Yfo
++zBSy9kFMUjyETW2U61PfoE0iWdguS94lRFWsDjsL8lGwrLyw0a+JLFk0ZVQNwwyU
++mXsKMiE4Q/C4uGce7ugWUO/8QSnEHLWYbvKtbVz1r8VHq1lG2o53XdtmhXDVnRag
++6FAMBfM3/R82MQwuRxnkTZaMPWGqfT7roMznQKZ8Rlp4LFOkDQS2lgHxYQf/YEwi
++vNVlUcAbKPRcv5srUoZB5nKJlyx2PYm76ZBCBfR/IppK+IyLYIjnxVHuFcq5vGb4
++ziz2dafm0QUbWQAIdTcVGa4IdzZANnj9laebnGlEm4LYTEsdWbHI17eyCik0D8QD
++7PTtfMSX3e2ARDeXJcs5slxyCImf7M0NActSEjdXrE+m7Ac7XFlMVLN3BML0qLzM
++fD2SHCTKHmNIQZPzmhj4Z/usERfNxylGavH2ORamlL+gbRbFpWCJKG2Cipr2AMpb
++gBwJ73WnljW4PoYSoQj9gzl+wsKmBolXY6P24SsKqiS9aDNktxB96LoEaCZk683k
++sx55/Fyxcdu9d4B9BnBCiQIfBBgBCAAJBQJajqXfAhsMAAoJEN8hzJEp/3jmhwoQ
++ALMECvpuci2d8ce1GDT/cyAGtvmablwFCTGD+1M76ejVsxKnXKUjC6Y7e6tj7MbD
++6fnXGnwEBIbLGgSPGDStzke3IjOxhCIEPotqcgDaMg9DZIuaa7BmzKFyjFcDBni1
++kZEGahF6+fvsCPTlxeK7VPwfbL9GLoIiFfnpVpa+LpRnwCo7tWXzsBXIKfqEPGgV
++X3APc9FXw+4kzeP/smZ0y3Cl2HFh/Ja6mBRSzj3d01fJDmfLz0R9dRZ87m0Urbma
++b5qBzy+0Pn/vn+2E3W+Wj3DoaIZI3hB3aTSb35HrhU+v4u8DzG2DrpFaBI9mtRJS
++irK5ZNku9JwrGBgfeA5xI+0ibrRj9Czf0Nasoa74OxINyzBmWoJ6a9Wjq5X9K5Sf
++/XTr+Hu61F6+4y0+JnX+v1GtVSutxz1PCam1RWjP8qJGas3dSUhbTNxn4kiVEh0U
++6XziY26Xwos4kZouBo26wBAoePDJn72fpCf6ijwnQ0S7dh0wue04Fl+mil/ZTXu/
++G928ki+xUIOH+zVjWpELsK1nf6ihRg7daXXvytpSbVkfq8+SFAWX3FHa6glJU9Ev
++rEvHf1ZXlFWqAcZWUNEsVDADE5+wlyeiH/Wzx4OO7H8yr9PmkiaUt7FQ9urm8ZZU
++obDwVHz9Uu6BJnVNAYPiaow3J8bONXXtfpRsbiHPgx1i
++=Hpvb
++-----END PGP PRIVATE KEY BLOCK-----
 diff --git a/gitubuntu/apt_repo_test/pubkey.asc b/gitubuntu/apt_repo_test/pubkey.asc
 new file mode 100644
 index 0000000..ae2e9f8
 --- /dev/null
 +++ b/gitubuntu/apt_repo_test/pubkey.asc
@@ -0,0 +1,51 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++
++mQINBFqOpd8BEADEeiZbEKWe30H0dkn3ZmgZoCWGqL5wZ6Kti/f4OFYbeEFg+jmb
+++oOr4lyYWqqJyWQ9MBmV0vo6XtDihTa9kfvJdf0g5AgNVETZZoGCiUtf56DQj8Eo
++/Q3LbMx02k1fRLy4Fz3R0t9HuIev/4BXb2YlhMPakVQLNSaTyE/i8xKI79ItLrY9
++/EB7iut2HLQkdZbVfTzapJB9eU9tAvszHkgckWu7VCYpqFX6/G0JL8rzOpvuWoRR
++zSRmSrLQfl0niddr3BwwimLgxwDqsIv3rI7jM4UAmUiGly+H1/pAMxszebQE0bS8
++ljSpL1Ksde6+VK4OHCewf3n9iKFbD7Q+qkWlFTutN91B6ifHukTqaW3T+YJzOVin
++KFm23+VoyHyNxivi1zlRQDDOi7w3ZeeB5iWIHoBvrS+6BBE4Qnc8oepH8K5+Ox5D
++RT7ACl7BjvriH0dWQww/MWCfXVKjNF5hmXsUUpHdo0gAK4/ZQra+5VPV9/2YOFgF
++VBqkOA2wJSTgnu+sYL8XAS8iKAP1uvlcQKgtbcIHcyPpkkmklXlZq5HYDfq4nBlL
++3GZSJqNVHcDCIIH1RicFNrNRllWivNhcO0CV5Gu0Lc3+r6rPGtAQkMt0GtPVl/Nz
++2rYRpeIAbq/A6m6BXNJndIP1Y1jW/xkGsEnnolStnzfarpmPfabZGFUowwARAQAB
++tE1naXQtdWJ1bnR1IHRlc3Qga2V5IChwcml2YXRlIGtleSBwdWJsaWNseSBhdmFp
++bGFibGUpIDxnaXQtdWJ1bnR1QGV4YW1wbGUuY29tPokCNwQTAQgAIQUCWo6l3wIb
++AwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDfIcyRKf945jMbEACyAXWRiL5p
++PqjPTR7pVA73LrAuhDQlOcWJnCYUlwVTMNIE2WYd7sVKGShZhJ/tNYaZWFdXl9L9
++C/8Hp1bVeo4cAovKRTQ4DcI+BzJYx0FnEGirGqQLrs4mieDzVV0KOtHcS1Q96tOh
++SP5bpbpK0awOAaR+IW9a0yvBljv1wdelyXhnk/n0Xk7TvH/lAHxzPZJ5P9uBbNLZ
++bq+p7S0zooXoW/xTcaJa7gpkliXdR2T1jB2C3+chibCyxJDEHjiPxouhgFum+SOk
++iSz5Tv/maux4T8eQVevh1K3xtWIaUCHATDt1OG2qNIEcb/W52qhedR6YyJkhogDF
++36HJz9baE7pLRDZMEBdWkVdSz4R0dh2uOSktiEvtoGCjIkwDYCFaoSIhj6hgR9XB
+++7yV/rvUf1aX/4Db4OrzbDK502E0kA9kWlOF70z0x7m7BYaDiyJqYIVRu6wAzRaq
++gn/TXFUReIObCCvwukwCSxuoOtdeomey4iqVNIQvN6/aiJaq2FjBKiS8BAlzbSng
++44P+r7NIV52XPrGB78qTjcAGWzutOyQwY4ncDWqwDzx7CeRykQiUpgfuEEGskELT
++/ci2jjJ460mtSMQx0moqFTZrpqyWWPZZCnHN+lcHMjft72fMJdu05qyX/Fie+CVg
++rFyVO9/0xLfsY79CXCnixw9JyEqVMnmlgrkCDQRajqXfARAAvFktYmtslC5ibVKj
++48CksNA8W63TemPLl1RQF1xzQr+dQ8Cx9XRriouKeJKJCHKxgrkJ3A5xadH3azk6
++E8vht3suvwImz6FfjI8io1G6keDPn8C8DAUbJWWHlrKIWYKacExSMuZBTbgMdZ49
++E1PR86I9fyP0wthmuQJvrmxT1hdc8S9fX5dkKzzY07elq8NXb0+N8l5DgwT2IRQ8
++f79ZO0ejLgT3L7mM0E6+qDmjxmcgFG9aavd6Onjtt5OQBqGF7VznpAvH9R+ol8Q3
++oHAvrcjPHAYtjQ2JC0Bj1FETUB3V93XIaoDupqBWJ4E9VTtweL1n8KvqLLbWNWcr
++KUaPfE918eUhmOpfKSvq5pYAgfCaCpB9i5IB/XAi0s1B5N+wjexUXdsSOeCHzF+P
++qqzR/gg+wMBYDAPN3PuaNZbLdbBmMSkGadZRXdiXrXLVgh0Ek/XxDjRPepCfcahU
++Pi/FdIveLtRI1I3LCwxgOoGjQ6EUtqvC7u39+99uuhcvDNAJRNw54xiBeC+n4PVG
++sobkvTi4DFEPPCnF+4nOOZpyYxswIzoS6G7GVi5GLJTK1Mx6HYmceoQ2gPLJ41kC
++yxMoAsYeI41WYpDWmhVsD3onNx1Kzhp+yhnP42Vec4IkAYsoMtli+5F5Hlsm6EhM
++sOBXCcasgJ9HKcwF7cyTd17F7B8AEQEAAYkCHwQYAQgACQUCWo6l3wIbDAAKCRDf
++IcyRKf945ocKEACzBAr6bnItnfHHtRg0/3MgBrb5mm5cBQkxg/tTO+no1bMSp1yl
++IwumO3urY+zGw+n51xp8BASGyxoEjxg0rc5HtyIzsYQiBD6LanIA2jIPQ2SLmmuw
++ZsyhcoxXAwZ4tZGRBmoRevn77Aj05cXiu1T8H2y/Ri6CIhX56VaWvi6UZ8AqO7Vl
++87AVyCn6hDxoFV9wD3PRV8PuJM3j/7JmdMtwpdhxYfyWupgUUs493dNXyQ5ny89E
++fXUWfO5tFK25mm+agc8vtD5/75/thN1vlo9w6GiGSN4Qd2k0m9+R64VPr+LvA8xt
++g66RWgSPZrUSUoqyuWTZLvScKxgYH3gOcSPtIm60Y/Qs39DWrKGu+DsSDcswZlqC
++emvVo6uV/SuUn/106/h7utRevuMtPiZ1/r9RrVUrrcc9TwmptUVoz/KiRmrN3UlI
++W0zcZ+JIlRIdFOl84mNul8KLOJGaLgaNusAQKHjwyZ+9n6Qn+oo8J0NEu3YdMLnt
++OBZfpopf2U17vxvdvJIvsVCDh/s1Y1qRC7CtZ3+ooUYO3Wl178raUm1ZH6vPkhQF
++l9xR2uoJSVPRL6xLx39WV5RVqgHGVlDRLFQwAxOfsJcnoh/1s8eDjux/Mq/T5pIm
++lLexUPbq5vGWVKGw8FR8/VLugSZ1TQGD4mqMNyfGzjV17X6UbG4hz4MdYg==
++=QWc2
++-----END PGP PUBLIC KEY BLOCK-----
 diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
 index 9bf85a3..38ec2d2 100644
 --- a/snap/snapcraft.yaml
 +++ b/snap/snapcraft.yaml
@@ -257,6 +257,57 @@ parts:
        stage-packages:
           - distro-info
        after: [python3]
++   libgpg-error:
++      plugin: autotools
++      source: https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.27.tar.bz2
++      source-type: tar
++      configflags: [--prefix=/usr]
++      stage:
++         - -usr/share/info
++   libgcrypt:
++      plugin: autotools
++      source: https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.1.tar.bz2
++      source-type: tar
++      configflags: [--prefix=/usr]
++      stage:
++         - -usr/share/info
++   libassuan:
++      plugin: autotools
++      source: https://gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.1.tar.bz2
++      source-type: tar
++      configflags: [--prefix=/usr]
++      after: [libgpg-error]
++      stage:
++         - -usr/share/info
++   libksba:
++      plugin: autotools
++      source: https://gnupg.org/ftp/gcrypt/libksba/libksba-1.3.5.tar.bz2
++      source-type: tar
++      configflags: [--prefix=/usr]
++      stage:
++         - -usr/share/info
++   npth:
++      plugin:  autotools
++      source: https://gnupg.org/ftp/gcrypt/npth/npth-1.5.tar.bz2
++      source-type: tar
++      configflags: [--prefix=/usr]
++      stage:
++         - -usr/share/info
++   gnupg2:
++      plugin: autotools
++      source: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.4.tar.bz2
++      source-type: tar
++      configflags:
++         - --prefix=/usr
++         - --enable-gpg2-is-gpg
++      after:
++         - libgpg-error
++         - libgcrypt
++         - libassuan
++         - libksba
++         - npth
++      stage:
++         - -usr/share/info
     devscripts:
        plugin: nil
        stage-packages:
@@ -310,6 +361,14 @@ parts:
           - -lib/python3.6/site-packages/oauth*
           - -lib/python3.6/site-packages/launchpadlib*
           - -usr/lib/python3.6
++         - -usr/bin/gpg-error*
++         - -usr/share/aclocal/gpg-error.m4
++         - -usr/bin/dumpsexp
++         - -usr/bin/hmac256
++         - -usr/bin/libgcrypt-config
++         - -usr/bin/mpicalc
++         - -usr/include/gcrypt.h
++         - -usr/share/aclocal/libgcrypt.m4
        prime:
           - -usr/share/doc
        install: |