diff --git a/Makefile-tests.am b/Makefile-tests.am
index 8e233466..505245cd 100644
--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@@ -140,6 +140,12 @@ _installed_or_uninstalled_test_scripts = \
 tests/test-signed-commit.sh \
 $(NULL)
+if USE_LIBSODIUM
+_installed_or_uninstalled_test_scripts += \
+ tests/test-signed-pull.sh \
+ $(NULL)
+endif
+
 if USE_GPGME
 _installed_or_uninstalled_test_scripts += \
 tests/test-remote-gpg-import.sh \
diff --git a/tests/test-signed-pull.sh b/tests/test-signed-pull.sh
new file mode 100755
index 00000000..2f4d4527
--- /dev/null
+++ b/tests/test-signed-pull.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Collabora Ltd.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..4"
+
+setup_fake_remote_repo1 "archive"
+
+repo_mode="archive"
+
+function repo_init() {
+ cd ${test_tmpdir}
+ rm repo -rf
+ mkdir repo
+ ostree_repo_init repo --mode=${repo_mode}
+ ${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/gnomerepo "$@"
+}
+
+function test_signed_pull() {
+ local sign_type="$1"
+ cd ${test_tmpdir}
+ ${CMD_PREFIX} ostree --repo=ostree-srv/gnomerepo commit ${COMMIT_ARGS} \
+ -b main -s "A signed commit" --tree=ref=main
+
+ ${CMD_PREFIX} ostree --repo=ostree-srv/gnomerepo summary -u
+ # make sure gpg verification is correctly on
+ csum=$(${CMD_PREFIX} ostree --repo=ostree-srv/gnomerepo rev-parse main)
+ objpath=objects/${csum::2}/${csum:2}.commitmeta
+ remotesig=ostree-srv/gnomerepo/$objpath
+ localsig=repo/$objpath
+ mv $remotesig $remotesig.bak
+ if ${CMD_PREFIX} ostree --repo=repo --depth=0 pull origin main; then
+ assert_not_reached "pull with sign-verify unexpectedly succeeded?"
+ fi
+ # ok now check that we can pull correctly
+ mv $remotesig.bak $remotesig
+ ${CMD_PREFIX} ostree --repo=repo pull origin main
+ echo "ok pull ${sign_type} signed commit"
+ rm $localsig
+ ${CMD_PREFIX} ostree --repo=repo pull origin main
+ test -f $localsig
+ echo "ok re-pull ${sign_type} signature for stored commit"
+}
+
+DUMMYSIGN="dummysign"
+COMMIT_ARGS="--sign=${DUMMYSIGN} --sign-type=dummy"
+repo_init --set=sign-verify=true
+test_signed_pull "dummy"
+
+
+# Test ostree sign with 'ed25519' module
+# Generate private key in PEM format
+PEMFILE="$(mktemp -p ${test_tmpdir} ed25519_XXXXXX.pem)"
+openssl genpkey -algorithm ed25519 -outform PEM -out "${PEMFILE}"
+
+# Based on: http://openssl.6102.n7.nabble.com/ed25519-key-generation-td73907.html
+# Extract the private and public parts from generated key.
+PUBLIC="$(openssl pkey -outform DER -pubout -in ${PEMFILE} | tail -c 32 | base64)"
+SEED="$(openssl pkey -outform DER -in ${PEMFILE} | tail -c 32 | base64)"
+# Secret key is concantination of SEED and PUBLIC
+SECRET="$(echo ${SEED}${PUBLIC} | base64 -d | base64 -w 0)"
+
+echo "SEED = $SEED"
+echo "PUBLIC = $PUBLIC"
+
+COMMIT_ARGS="--sign=${SECRET} --sign-type=ed25519"
+
+repo_init --set=sign-verify=true
+${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-key "${PUBLIC}"
+test_signed_pull "ed25519"
+