From 40d6f6b5eee9d7bb5e29663eddbf659ca0818a73 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 11 Jun 2020 18:31:33 +0000
Subject: [PATCH] tests: Add a pre-signed-pull.sh test

I'm thinking about adding an implementation of ed25519 signatures
with OpenSSL (so we can ship the feature with Fedora CoreOS
without requiring an additional library) and in preparation for
that it's essential that we validate that libsodium-generated
signatures and OpenSSL-generated signatures are compatible.

I don't know if they are yet actually, but the goal of this
new test is to add a pre-generated repository with a signed
commit generated by libsodium.

This will catch if e.g. there's ever a change in libsodium,
or if existing libsodium implementation versions (e.g. the
one in Debian) might differ from what we ship here.
---
 Makefile-tests.am                 |   2 ++
 tests/pre-signed-pull-data.tar.gz | Bin 0 -> 1633 bytes
 tests/test-pre-signed-pull.sh     |  52 ++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 tests/pre-signed-pull-data.tar.gz
 create mode 100755 tests/test-pre-signed-pull.sh

diff --git a/Makefile-tests.am b/Makefile-tests.am
index 411c5628..a4179377 100644
--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@@ -140,6 +140,7 @@ _installed_or_uninstalled_test_scripts = \
 	tests/test-config.sh \
 	tests/test-signed-commit.sh \
 	tests/test-signed-pull.sh \
+	tests/test-pre-signed-pull.sh \
 	tests/test-signed-pull-summary.sh \
 	$(NULL)
 
@@ -201,6 +202,7 @@ dist_installed_test_data = tests/archive-test.sh \
 	tests/fah-deltadata-old.tar.xz \
 	tests/fah-deltadata-new.tar.xz \
 	tests/ostree-path-traverse.tar.gz \
+	tests/pre-signed-pull-data.tar.gz \
 	tests/libtest-core.sh \
 	$(NULL)
 
diff --git a/tests/pre-signed-pull-data.tar.gz b/tests/pre-signed-pull-data.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..53a6019abe143c497b27519406b328f0d8343505
GIT binary patch
literal 1633
zcmV-n2A=sJiwFP!000001MQo8XdFcx#}7r&>qDaj@dblmX@zWNW@jHKL~Wa#nx?6F
zTxwgb%<jzOHn)#+chfu&!GcgkQ2M8T_rLmw6e)rTRiq-QAlO<IZLOAqk6J4V>K{6n
zTr>~mNbGK+&WD5DyWN}L?tb_8o!`veY8{2lffCCw8cSpuaPD%J0@6(j5(^U@6(B;0
zm<3>De`tlmSd!8hfWkQSQywROyI-sA|5CJ$8lTi0lVlj9A+Slv-|8<#pVc245KH|r
zCRPE!43Fs#{^$Dl4#Ko|5N#W%u%01rYk#HY@9G~OC_mJlmUm5WgXy*!>gwz6+ghoV
z^?tv+XP`To91hvGe(0A6E6A^O5BE7!dq#^aV59w0?!>O)9=x+VePYjptj>paV;Apv
z*say;JgDxh)OxyEkWTJ^mF>;o<)K>tNTuA<Gh8cI1_rnG4h+}Q;`GM;sI$1zm*_u@
z))Di1lx-)l1ph}+Cyo4<J%IB6JZS3gMxpRVGK$g4|Do*cXZ_#O<$Z#59YN*)d9c@w
zV*XgMaT7egU!I>Ag`KDvM2vUR*sXf|dHWPr7W|*3ng3}}&#n(xhW}g2|MOvv{w{T^
zJd3+v3Hs0azh&x5|2$~w&nHqIHq1ZC;09Q_{zONX(mxNH`pb)uW|I32mXZIMK&5{k
zH1&_U$RhJ+Scd-4Q2Cz=bM>!s%2wF_oAn<-a-sCkfyMf#JW1u-D;T5I_#Z*EK!3x)
zx*GrIflG+VC^T8AL>T6!k}jwLZHE!aDMwr{VTZX=AqFvZb<5T{bcHO>b=x!@-BnWq
z|8C~yf8fP&6kqusU>WtlVJQF4g}M62Jcy+GuL}L;Lg}9aP5mQhl)Gt0Lx82%f4V`i
z(mxLt=ugP1sQ-1#QuDvLuvmYSLM{+;EZ0S*C3MGxIyY>?wYbDFEkjUB5M~B<EnS$n
zWZT?<j_Df2wl(I(0Z-}N7_I7m>G$*X$0o)^)&Kdj<=d4$0!98T$bTqSh5r*s)cjvA
zEY_bhj&1DNwjA}BASn^q85ky(!+mB-kubIq;l##5m?g#?3>iX%2!q+S;8+u$&!^_c
zSn~W2Hjt(KKQC^bvwp{)t4|-EUfi<golTWXcfU6X$q;<yWeksDJb3N8Cx#)0`0Q2r
z9;)I>vmpPC(yH)(S^q2l&xOVM+kzR)f{=5<buKV;O)h%?Oe`o&YDu4WT_#N1m6bmi
z7QxuCm?I1qb4%bx{h!91&yCTt{x=u;zbShF<^Oq*dI6VLAgF8UL|VB1+j9qAeeQ-A
z9@^P9yh)rg<4qgBJn)<M+0k`vT|b_F{@nVGTr^SS#)ABJS9<=((yi(G-&FH|xv*IO
zfA)Kz=0-u_rSoF6@_&rXh4ugR|NoT#XHV4lv7c)(7wwK0GB0dC1TgzAfNKjhx#_N*
zJ_Ct25^@IqLf?Jo;@fvWfAXWk#lCwluMOJ<9=LvV?DV^5swXyom)^PSlONx_aJg%A
z{r9&$`Nqf($F4sA%-a_)9vl1R@Qo+GNq*XV@ar}H(7|fS-nen&3S5ByIT_{uyeZ(8
z<A3S-^ZXy1X5;x!mH*k(%>PDmYn)-jK&9!=e?Ii_)TJ+8dgQ9&@wW~gKL6rtZ5M95
zrWb7i_XTkK+A~kRUOBp6|MmS3`#vpQcjAM+8;;zZJp0x7@l%g}-q~~Zx+ClEFHkzU
zVc!a$ouU=Z{MY=*tz{KsCja45#{W?L{*w<{$3XX%t{vT4z%q-`%KznPf5G$ra-p98
z%Y~t;mjL;qpy30Fmqzg<828eu{A6Cm2S#|vW17kj#u8a37Sk#RBJ%xcT)qR%X9tse
zibc>4%A7?p1v&;3w)wb8WE){hJ=p;80y@GQ`^@w_fF>Xk%^3Fpim=Tc*$Yuy2*)Y8
z&?+&*F|kdBQ-T&pL@;QhMgzX*BoXt*f_9`q4cYCwCR`nBGa-w`A$fo!5%ocp$GmZl
zX#^T&El8_01tA{?Q4E+TgxnmaAel^39wfk}A=poSkI8eDCn>)t*Qf?SS?<m!Xi)cM
zYvRxFz^&47gv<72z;QYW<i)DfIN>wjEP5f3O?sg`$2v_t$Di3t?j3^Z_NNbOJQ|Zl
fwxFJ`ssB_e6bgkxp-?CkiY)jYIFj*m08jt`h<jOB

literal 0
HcmV?d00001

diff --git a/tests/test-pre-signed-pull.sh b/tests/test-pre-signed-pull.sh
new file mode 100755
index 00000000..ae4e26f9
--- /dev/null
+++ b/tests/test-pre-signed-pull.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright (C) 2020 Collabora Ltd.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..1"
+
+if ! has_sign_ed25519; then
+    echo "ok pre-signed pull # SKIP due ed25519 unavailability"
+    exit 0
+fi
+
+mkdir upstream
+cd upstream
+tar xzf $(dirname $0)/pre-signed-pull-data.tar.gz
+cd ..
+
+pubkey='45yzbkuEok0lLabxzdAHWUDSMZgYfxU40sN+LMfYHVA='
+
+ostree --repo=repo init --mode=archive
+ostree --repo=repo remote add upstream --set=gpg-verify=false --sign-verify=ed25519=inline:${pubkey} file://$(pwd)/upstream/repo
+ostree --repo=repo pull upstream:testref
+
+wrongkey=$(gen_ed25519_random_public)
+rm repo -rf
+ostree --repo=repo init --mode=archive
+ostree --repo=repo remote add badupstream --set=gpg-verify=false --sign-verify=ed25519=inline:${wrongkey} file://$(pwd)/upstream/repo
+if ostree --repo=repo pull badupstream:testref 2>err.txt; then
+    fatal "pulled with wrong key"
+fi
+assert_file_has_content err.txt 'error:.* no valid ed25519 signatures found'
+echo "ok pre-signed pull"