From 9b8bad3c2ee183a409d14d56a45a501e68a5ef44 Mon Sep 17 00:00:00 2001 From: Matthew Barnes Date: Tue, 17 Mar 2015 11:22:27 -0400 Subject: [PATCH] tests: Update test-gpg-signed-commit.sh Utilize and test new CLI capabilities: - Signature count in 'ostree show' result - Duplicate signatures now rejected - Ability to delete signatures --- tests/gpghome/secring.gpg | Bin 2491 -> 7480 bytes tests/gpghome/trustdb.gpg | Bin 1280 -> 1440 bytes tests/gpghome/trusted/pubring.gpg | Bin 1189 -> 3574 bytes tests/libtest.sh | 4 ++- tests/test-gpg-signed-commit.sh | 48 ++++++++++++++++++++++-------- 5 files changed, 39 insertions(+), 13 deletions(-) 
diff --git a/tests/gpghome/secring.gpg b/tests/gpghome/secring.gpg index 635e20c5521a37acadd284f721cf85428bb5a690..ad88437ec50b7bfeed4a9d5484414d446905deb1 100644 GIT binary patch delta 5036 zcmajiRaDgdy1?-n7#X^U4kT*0^W|qcnozgDRsx|aOBd7|4t+rT%=WzPBsE?=Mb^P~Ru*;4J@%x_UBYn47 zzV7Z0Sg@f!iK)HW&u3$QCu)7_aTorw@bOgP_c1l9g^!D?mZ}Zq?%a&Pa}m0FmdAcxJS#nwSs*Gf2n>SWX!qoW zxwmtN?erIgq4V9Jp3pccv?}?lKwB;(!)T$qO_z;hMFj;_|(Q$UX8?IZ$hS$y1Vb5s-=Rv;2?9;I6Fsri=F z12iqdL)rgX9HkAzRn2tH?ygQ}L5e9PLtTi)$M3`xG(xRk@KGBEAU-^~3pWRw z@=1qD(1T>l35Id)8+He(zi<%HZS*Lu9j<7+0QUr z*546X!ez1FwL0@J1B(Oz`9T_Xy;MF4pg%!UYZy4UR#Y|u>_oA-Bm$fq}Q82I`7Iy&AqarE%1sD>;yNrm+Jy6rs-Tp+#0O8eF{S%mxz-<{-}DSt2J7CCa)b9QADMq`lZZAc z<8S%d9t0x3_XH$l9rZm-6QABzSQWD#C~bhy^~8F+M&?FQvg2% zLqh{>@2K|3%C>PHiNBD?a~qyKHMk8DO;(~Q#mfbL{`C3soA)h=zm@z2v{Sfsoyfqm zp#WJxgfIU+I`KmFDD_+~%5z>Se`1b%zWz{ncUGhV+8*rQx=Fj!#h@N_3%z5oSJ2## zm9K_8xAK?LwTG9Mv(*d+OLlBqqyR#G4SHA$Pr?z`H7Px)xT!&l|ioMeE-8AbENk0MZZ4Ig+pPmuQhSPi0o8Et4_pVxeuIikECq6-AYQD2z zs@S{HJ$0K7jn5t`QXo!fde)o>+eFa&woMf&h~Msvf4u8XX4hVew-oH}f$=pi6a8AU<^_*=psfcfxKx_Il&g%z; zuWz?oZS9Sb-7utO;)=@x-OH0G0TlF_qXko&FjB-JLqt23Tuw*6cN(qlUz51IJq#B8 zT=uA~twH;`1`s}f)F`5KJ)v@NY9-!h#{HrJ^iBKoB=I z8CdJC=($OcZZX(js{g2P3}nK-?NpF0;Ij~j_C0@301#-bDEIie33`6DE*I<2T<~ju zC9_OuW-jrK13euM0gW%`RAtjYVT`=~DV3Qd6%U(~9lpx`m8er0K9PF8j35Ls$9a8F3ze$a_CWtQVGAfitn{IrC?Qc~5mtmT9D(L;h~# zr%Q#qVn+foJJF z3+d6wnWV}xa6u~RolaHLpansj&B2N>bKmAIU{6{8pgsBKhMU_cZ@y27MTfjtHFG}C zYTcP7B|p#4yw%0D2Lk$#-W8l!fdOjD#vQ6fuNt5kv-mH|jPlr`5vW-Vf+xQO^{Iwn2X7~Y+=DEa=nTW}p&7N)q zP(3sPGRM(SgA02zUT~Sknd(=46^LKMNRFH3fP=1HTHSaqVp~^7D;CTSVffQHqJKAz z^uJT)R|CDKbY8zSL3cl$;tUB|CgC`?L3@979TrY-V~yYv_inXj%U?$)mOMdQBq|lq z8-o98Nu#0!zC8~JAs~rkd=-|k`plAAiq8s*?37t8_REv~=@H)1T_X7b7#`Ut_>T0m z<+dA%58k;Ifv8;?@|oKnkaiAp#oOuWg1n1Q7+OQJV_NPYrx~%nmbD!_UgSQG+2<2C zM8UJ-+<%wsAJ7&40bS*0BP~irsP}??K{sKl$zxt2(~&w(bugpvmn!|&m8l-TZNN!X zP4UIfZkCg)GI`&4fY06g7eVAz1xr201UW9UwO(Qr)F%TKi-AT ztwEl=$vHp%l{2Q;w@P7J5&(Z0&SFV`bbs}X;>A!;_DPNwWl4$fA!V0j%|=ZU+<4<> 
zTmN7Ct;qAhe$rq~>VTY9-xT1Bs1>lpRF>75^Bl@{Rp$COq=!q=9?#go7Qs^8@0eDv zi`=_na?*o#cSXVFFR3aDuNUq1OXZ(?D<=ly3pusgr$IuF2^^?szb|c)6($uftDb z@$iSq5W;Gg9lz9@!FG;I#G8FBECF8kgr>p$bCKXTCh?uwDx8{8`%Z22#Vfi@mW(v= ztMu@fH;$W8Y8m9YfD)qM;gma5l=d!oB%>DhfM?%W{9SUmm!5$8H=)^2ktlS>{ORpL za>d+ud&pB0!x;fvLl6*q`IqCnH0sF&g;HIy=B;6?j)-7OJKuwqN0y-Ba5@3R zYYPi+0hef1etd!Ufq(`*uMbwDu8)n6beLVGIu})wv~DoKcRJCmT3yPxfSImOp*#pi zuEVr&sBZwh_cvX^eWqa3^V{L8^6(Yv*Zak>{U>_5;_44$J4E4>Xlv7O$K-&3kYHGg z`P#%~oC%-TjB41-J+YBc@1{iiWU`qplo~OlVgnSf_-j}*`j7t+@60ux}>>m4sL=Etp>kz$C30}8TPgDIk zJJWV7tDO!jTlwUMAn3gR$i+m%16D97cK!3s?x+dKSk!T?WWjZR_DIqvd0Ya-YaJO) z&ZIu;_Cy2I{39rlhZX-fN5&d4l~ZDqab=;2K57EkOyVH^G~(3kt<1~#{3+3nsi9a` zVrypSM$^o@?reMsi2fnRasiTCkdLF&@RcpW>z1M%7?rTq3Z$zi{#SJW zkWT#nB3;atDpG^-lVulgvF>gE(4hF=5bQe>Qc`3&^MYnk_=;4b1u%DT~|`9Dn+_V&1UYnA8l_W z-+WfsI&%~)Td1onZVhYlYeiLj;rfR0wY^ZVMn)?jcdtn%QbT*ME9@8H^9Cs?b-b{2^%W{mu!=JzrPsu;GSmcY-6}t_qj{l^$XpWjkXsRRNp4kKBih? zsTA)?9}~|}yYiIav3jXI{5q@uU!wcFgMArpm3KGbPImyDIT=N2Hcu;T4XCxF!=>&5 zRnl138y;G)Lb-1D91q>l7!zul(^ z-4k-XUwwpdE>%X}N+a2Go2ANI+)5mPYh3lz=hrrvOc@v0Lkqv()kt4e!6SMeNWrM@VR>Wb&`L zK7#up!1aNidcs53;tI~NFw!HU6qfHJ5YQMQ<^rUM^;%DIiDL!I*Q7Ou0re#$MbR0U;T#C1brOH9H5uP~LTWGiYAou|?2N9T;+3pB@hJ@y{^vjKbM2|9Fbx5n z4&TP^v%ZZ^W(AD;hWwr1lRCH6*R7qzGs4>iZ9UgbjFgVDFamrxTrmp#CmSu z)DKtu9v3bw*f>x@Y0=F_4AhrINN94ILqNm#Olp%DnSqjYCkh>Hi~@wv*KpAObd{tR zU^}gLn7wt-NAAMl^1zRy{%TZgN8482OwK&yuP{v}R2hS)JKqw?+(?NG^Es9gy^tyU z9rxT$jN_+2PygiGc--s#)+j)_sKlfnN*P3Kz~Z;Ur+dVgMNN$otAm$s<+-}NS?p_ zVs(|ar`E3!)uvilXLu?^9++~k0c{*=1dG|QPnRSV7ohvXFe<(xot^%CCNXAek7nNb z+YMTYbHW(PYK`mye172GK4sW$N7(RI>{EMvq4Y@89pGqusV8V;2!FhWp&%|c6XlYt zpl70Gv*;jW{G}g0l`*2HE6bbN^SSP|yevtdYX-5o2imNza^m~+19ZZtgZu`bX{ZY& zaYN@aOcKg@eXr}y(w9VXIj?99+H2`cF|U35_QqhQdFw0Y{q9?L=1jX5}`!Nk|ji8ti>SI zToEl36J{(!gk~&RvZij`=k}a?p7Y#)zUTAz_q@-mgl~0sbqNoU1s3FSf}>->aL^zx zcUf9sVTyEU2m)zq!>^C-#;|8rkt0Zxx-M9pXkmo=jEn}8ZL>pcg<(;nYTiH}#oM9H z16^Ks?v%;FU0t#|N^GtvuHZ=*U5~60$c7uTyHASm@$bpRYxC%U?`*VAZq_(E{) 
zAJy4oxMZ?UT$R*T{kWRB#Ume|EsmE^K85Zx6=@j`GScbR+1+gPPDWff2TYu&Tq6l@ zDOA}KRm*bJQB_N9Z2_C@T_M_bc^${6pz1JQ`{g*LnXidkmLb#5&6;<<9GK}g!Nsn@ zv6mzRYMsoV0yQlZG_!JDSm}DQ8H3eYz$gl;_fO|YkfE~CngwXM)7q01@o78B5Gv!o zKKgrC>04;|nB=bQD3&AH-fTv4aKEge#b-8|>Ot(XFJ=MS$BQ zR=39g=DdMEUVM9?cXHE_+#bu2kGeRDkX!L22Tc%OX(XTD6Q_UCo?8WzQiNRql8lRSReP3*`%cRH?BXS|4%hy6-G-}DC7E~+bkwk*b!W7d80ATP6@ zoW^^x$HGzZ0-P+k#^&m|REJ#mBx?1Q(P#UPv#+}(B-~z3&P$AM3<1KWwehrEPwx4EldWh_#=V!KhqzTYbBRL1`0VxG?|c!1XvLrD z{0&y&53tIo>ychZ)n9B#4p}8L9tW`W@8ZRhjJq>CzZy$Uj4@~=j*pg!K^k{9%ZFej z)cGzfc)$6^MWM=q5!#B-LxtS9YCxfZE%qw&&RWIi38hk=RcDme=ay*Z2cF1>IqNH5 zbKV+sjte^#hgsaZB;&@5^S^yrIIV}4{Uygzq_|jPQKU_~YN{&L!eMHO+V$IfBW^vs zOCaKySXfSD$W35C%Y8)pK~`(dRTygP0pU>;O+nim;$VBmPKMHj&!{!TivvD;i+8ub z;(4IRG6HJcZ1kVE*9JYxH9i}dJ=#s?sufXFIjs@GoQuif>M{O|5-z-H8{a$hXV&mq4~A-h@}kC=$D~HDvH^vU6(MIf^gVD1`ncI`L~nZZ zi)}slJxe93x)b=dVBY8zgr%u)4L#gCedCS$4Y`DJci?)cX?M^hS4CC2u;$!pFYBRz zkEFS+!XrA8EGR*Hc-lW*y!XC|+aal9CbthnL25O|@% zu+06MBQpz01E6czcDyy&lpjYPRN3rc;pxx~nPZEb~Bxl8M) zxu@riMRXD}`CS6Y&Nbz|pWdG$C;zdKU#IjQ<|o2m*E%Y$4U^wK(Dra-AVo-*m|%w7 z#%vxU&U-i2M@X|gvdp5`Q=73T-cMG!BG2I&Yxom BR&D?Q delta 7 Ocmew+y_9pqQWgLX9s?Nw diff --git a/tests/libtest.sh b/tests/libtest.sh index 5879ac85..5ee5ae46 100644 --- a/tests/libtest.sh +++ b/tests/libtest.sh @@ -22,7 +22,9 @@ test_tmpdir=$(pwd) export G_DEBUG=fatal-warnings -export TEST_GPG_KEYID="472CDAFA" +export TEST_GPG_KEYID_1="472CDAFA" +export TEST_GPG_KEYID_2="CA950D41" +export TEST_GPG_KEYID_3="DF444D67" # GPG when creating signatures demands a writable # homedir in order to create lockfiles. Work around diff --git a/tests/test-gpg-signed-commit.sh b/tests/test-gpg-signed-commit.sh index dc39d092..49fb4903 100644 --- a/tests/test-gpg-signed-commit.sh +++ b/tests/test-gpg-signed-commit.sh 
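Review bot: The three values exported in tests/libtest.sh are 8-hex-digit short key IDs, i.e. only the last 32 bits of each fingerprint, and the tests in this patch now rely on them to tell three keys apart. That is acceptable only because they are resolved against the private keyring under tests/gpghome, so a comment should say so, e.g. `# Short key IDs: unambiguous only inside the bundled test keyring`. The rename also removes `TEST_GPG_KEYID`; if any other test that sources libtest.sh still uses it (not visible in this patch), `--gpg-sign=${TEST_GPG_KEYID}` would expand to an empty value, so consider keeping `export TEST_GPG_KEYID="${TEST_GPG_KEYID_1}"` as an alias.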
@@ -1,6 +1,7 @@
 #!/bin/bash
 #
 # Copyright (C) 2013 Jeremy Whiting
+# Copyright (C) 2015 Red Hat, Inc.
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -27,23 +28,46 @@ fi
 setup_test_repository "archive-z2"
+export OSTREE_GPG_SIGN="${OSTREE} gpg-sign --gpg-homedir=${TEST_GPG_KEYHOME}"
+
 cd ${test_tmpdir}
-${OSTREE} commit -b test2 -s "A GPG signed commit" -m "Signed commit body" --gpg-sign=${TEST_GPG_KEYID} --gpg-homedir=${TEST_GPG_KEYHOME} --tree=dir=files
-$OSTREE show --print-detached-metadata-key=ostree.gpgsigs test2 > test2-gpgsigs
+${OSTREE} commit -b test2 -s "A GPG signed commit" -m "Signed commit body" --gpg-sign=${TEST_GPG_KEYID_1} --gpg-homedir=${TEST_GPG_KEYHOME} --tree=dir=files
+${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature' > test2-show
 # We at least got some content here and ran through the code; later
 # tests will actually do verification
-assert_file_has_content test2-gpgsigs 'byte '
+assert_file_has_content test2-show 'Found 1 signature'
-# Now sign a commit 3 times (with the same key)
+# Now sign a commit with 3 different keys
 cd ${test_tmpdir}
-${OSTREE} commit -b test2 -s "A GPG signed commit" -m "Signed commit body" --gpg-sign=${TEST_GPG_KEYID} --gpg-sign=${TEST_GPG_KEYID} --gpg-sign=${TEST_GPG_KEYID} --gpg-homedir=${TEST_GPG_KEYHOME} --tree=dir=files
-$OSTREE show --print-detached-metadata-key=ostree.gpgsigs test2 > test2-gpgsigs
-assert_file_has_content test2-gpgsigs 'byte '
+${OSTREE} commit -b test2 -s "A GPG signed commit" -m "Signed commit body" --gpg-sign=${TEST_GPG_KEYID_1} --gpg-sign=${TEST_GPG_KEYID_2} --gpg-sign=${TEST_GPG_KEYID_3} --gpg-homedir=${TEST_GPG_KEYHOME} --tree=dir=files
+${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature' > test2-show
+assert_file_has_content test2-show 'Found 3 signature'
-# Commit and sign separately
+# Commit and sign separately, then monkey around with signatures
 cd ${test_tmpdir}
 ${OSTREE} commit -b test2 -s "A GPG signed commit" -m "Signed commit body" --tree=dir=files
-$OSTREE show --print-detached-metadata-key=ostree.gpgsigs test2 2> /dev/null && (echo 1>&2 "unsigned commit unexpectedly had detached metadata"; exit 1)
-$OSTREE gpg-sign test2 ${TEST_GPG_KEYID} --gpg-homedir=${TEST_GPG_KEYHOME}
-$OSTREE show --print-detached-metadata-key=ostree.gpgsigs test2 > test2-gpgsigs
-assert_file_has_content test2-gpgsigs 'byte '
+if ${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature'; then
+ assert_not_reached
+fi
+${OSTREE_GPG_SIGN} test2 ${TEST_GPG_KEYID_1}
+${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature' > test2-show
+assert_file_has_content test2-show 'Found 1 signature'
+# Signing with a previously used key should be caught
+if ${OSTREE_GPG_SIGN} test2 ${TEST_GPG_KEYID_1} 2>/dev/null; then
+ assert_not_reached
+fi
+# Add a few more signatures and then delete them
+${OSTREE_GPG_SIGN} test2 ${TEST_GPG_KEYID_2} ${TEST_GPG_KEYID_3}
+${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature' > test2-show
+assert_file_has_content test2-show 'Found 3 signature'
+${OSTREE_GPG_SIGN} --delete test2 ${TEST_GPG_KEYID_2} | grep -o 'Signatures deleted: [[:digit:]]' > test2-delete
+assert_file_has_content test2-delete 'Signatures deleted: 1'
+${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature' > test2-show
+assert_file_has_content test2-show 'Found 2 signature'
+# Already deleted TEST_GPG_KEYID_2; should be ignored
+${OSTREE_GPG_SIGN} --delete test2 ${TEST_GPG_KEYID_1} ${TEST_GPG_KEYID_2} ${TEST_GPG_KEYID_3} | grep -o 'Signatures deleted: [[:digit:]]' > test2-delete
+assert_file_has_content test2-delete 'Signatures deleted: 2'
+# Verify all signatures are gone
+if ${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature'; then
+ assert_not_reached
+fi
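Review bot: The two negative checks written as `if ${OSTREE} show test2 | grep -o 'Found [[:digit:]] signature'; then assert_not_reached; fi` (after the unsigned commit and at the end, after the deletes) also pass when `ostree show` itself fails or prints nothing. Only "grep matched" triggers `assert_not_reached`, so "no signatures" and "show broke" look the same. Running the command on its own first keeps a failure visible: `${OSTREE} show test2 > test2-show`, then `if grep -q 'Found [[:digit:]] signature' test2-show; then`. The duplicate-key check has the same weakness: with `2>/dev/null` any non-zero exit from `gpg-sign` (for example an unusable homedir) is taken as the duplicate being rejected. Redirecting stderr to a file and asserting on the refusal message would tie the test to the intended behaviour. The top of the script, including any `set -e` or `pipefail` setting, is outside this hunk.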