From ecbfe08ec75497767b76a962319f7bff6449da0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?=
Date: Fri, 21 Aug 2020 17:24:49 +0200
Subject: [PATCH] tests/delta: Add new tests for applying signed deltas
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add new test to apply offline signed deltas.

Signed-off-by: Frédéric Danis
---
 tests/test-delta-ed25519.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
 tests/test-delta-sign.sh | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/tests/test-delta-ed25519.sh b/tests/test-delta-ed25519.sh
index e50b9763..ef732cf9 100755
--- a/tests/test-delta-ed25519.sh
+++ b/tests/test-delta-ed25519.sh
@@ -29,7 +29,7 @@ skip_without_sign_ed25519
 bindatafiles="bash true ostree"
-echo '1..9'
+echo '1..12'
 mkdir repo
 ostree_repo_init repo --mode=archive
@@ -281,3 +281,42 @@ ${CMD_PREFIX} ostree --repo=repo static-delta verify --sign-type=ed25519 ${origr
 assert_file_has_content show-ed25519-multiplekeys-inline-signed-4.txt "Verification OK"
 echo 'ok verified with ed25519 (multiple keys)'
+
+rm -rf repo2
+ostree_repo_init repo2 --mode=bare-user
+
+${CMD_PREFIX} ostree --repo=repo2 pull-local repo ${origrev}
+${CMD_PREFIX} ostree --repo=repo2 ls ${origrev} >/dev/null
+${CMD_PREFIX} ostree --repo=repo2 static-delta apply-offline --sign-type=ed25519 --keys-file=${PUBKEYS} repo/deltas/${deltaprefix}/${deltadir}
+${CMD_PREFIX} ostree --repo=repo2 fsck
+${CMD_PREFIX} ostree --repo=repo2 ls ${newrev} >/dev/null
+
+echo 'ok apply offline with ed25519 (keyfile)'
+
+mkdir -p ${test_tmpdir}/{trusted,revoked}.ed25519.d
+
+rm -rf repo2
+ostree_repo_init repo2 --mode=bare-user
+
+echo ${PUBLIC} > ${test_tmpdir}/trusted.ed25519.d/correct
+${CMD_PREFIX} ostree --repo=repo2 pull-local repo ${origrev}
+${CMD_PREFIX} ostree --repo=repo2 ls ${origrev} >/dev/null
+${CMD_PREFIX} ostree --repo=repo2 static-delta apply-offline --keys-dir=${test_tmpdir} repo/deltas/${deltaprefix}/${deltadir}
+${CMD_PREFIX} ostree --repo=repo2 fsck
+${CMD_PREFIX} ostree --repo=repo2 ls ${newrev} >/dev/null
+
+echo 'ok apply offline with ed25519 (keydir)'
+
+rm -rf repo2
+ostree_repo_init repo2 --mode=bare-user
+
+echo ${PUBLIC} > ${test_tmpdir}/revoked.ed25519.d/correct
+${CMD_PREFIX} ostree --repo=repo2 pull-local repo ${origrev}
+${CMD_PREFIX} ostree --repo=repo2 ls ${origrev} >/dev/null
+if ${CMD_PREFIX} ostree --repo=repo2 static-delta apply-offline --keys-dir=${test_tmpdir} repo/deltas/${deltaprefix}/${deltadir}; then
+ exit 1
+fi
+
+rm -rf ${test_tmpdir}/{trusted,revoked}.ed25519.d
+
+echo 'ok apply offline with ed25519 revoking key mechanism (keydir)'
diff --git a/tests/test-delta-sign.sh b/tests/test-delta-sign.sh
index b9854ce7..86f12f96 100755
--- a/tests/test-delta-sign.sh
+++ b/tests/test-delta-sign.sh
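Review bot: The revoked-key case at the end of the tests/test-delta-ed25519.sh hunk passes on any non-zero exit from `static-delta apply-offline`, so it cannot tell a rejection caused by `revoked.ed25519.d/correct` from an unrelated failure. tests/test-delta-sign.sh in this same patch redirects stderr to a file and checks it with `assert_file_has_content`; doing the same here would pin the reason (the exact diagnostic for a revoked key is not visible in this hunk, so it needs to be taken from the implementation). After the rejected apply the test should also assert that `${newrev}` did not land in repo2, for example `if ${CMD_PREFIX} ostree --repo=repo2 ls ${newrev} >/dev/null 2>&1; then exit 1; fi`, so that a delta written before the signature check fails is caught. The two positive cases have no negative counterpart in which `--keys-file` or `trusted.ed25519.d` holds a key other than the signer's, which leaves the plain wrong-key rejection untested for `apply-offline`.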
@@ -27,7 +27,7 @@ skip_without_user_xattrs
 bindatafiles="bash true ostree"
-echo '1..3'
+echo '1..7'
 # This is explicitly opt in for testing
 export OSTREE_DUMMY_SIGN_ENABLED=1
@@ -129,3 +129,46 @@ ${CMD_PREFIX} ostree --repo=repo static-delta verify --sign-type=dummy ${origrev
 assert_file_has_content show-dummy-bad-inline-signed.txt "Verification fails"
 echo 'ok verification failed with dummy and bad key'
+
+rm -rf repo2
+ostree_repo_init repo2 --mode=bare-user
+
+${CMD_PREFIX} ostree --repo=repo2 pull-local repo ${origrev}
+${CMD_PREFIX} ostree --repo=repo2 ls ${origrev} >/dev/null
+${CMD_PREFIX} ostree --repo=repo2 static-delta apply-offline repo/deltas/${deltaprefix}/${deltadir}
+${CMD_PREFIX} ostree --repo=repo2 fsck
+${CMD_PREFIX} ostree --repo=repo2 ls ${newrev} >/dev/null
+
+echo 'ok apply offline with no signature verification and no key'
+
+rm -rf repo2
+ostree_repo_init repo2 --mode=bare-user
+
+${CMD_PREFIX} ostree --repo=repo2 config set core.sign-verify-deltas true
+${CMD_PREFIX} ostree --repo=repo2 pull-local repo ${origrev}
+${CMD_PREFIX} ostree --repo=repo2 ls ${origrev} >/dev/null
+${CMD_PREFIX} ostree --repo=repo2 static-delta apply-offline repo/deltas/${deltaprefix}/${deltadir} 2> apply-offline-verification-no-key.txt && exit 1
+assert_file_has_content apply-offline-verification-no-key.txt "Key is mandatory to check delta signature"
+
+echo 'ok apply offline failed with signature verification forced and no key'
+
+rm -rf repo2
+ostree_repo_init repo2 --mode=bare-user
+
+${CMD_PREFIX} ostree --repo=repo2 pull-local repo ${origrev}
+${CMD_PREFIX} ostree --repo=repo2 ls ${origrev} >/dev/null
+${CMD_PREFIX} ostree --repo=repo2 static-delta apply-offline --sign-type=dummy repo/deltas/${deltaprefix}/${deltadir} dummysign
+${CMD_PREFIX} ostree --repo=repo2 fsck
+${CMD_PREFIX} ostree --repo=repo2 ls ${newrev} >/dev/null
+
+echo 'ok apply offline with dummy'
+
+rm -rf repo2
+ostree_repo_init repo2 --mode=bare-user
+
+${CMD_PREFIX} ostree --repo=repo2 pull-local repo ${origrev}
+${CMD_PREFIX} ostree --repo=repo2 ls ${origrev} >/dev/null
+${CMD_PREFIX} ostree --repo=repo2 static-delta apply-offline --sign-type=dummy repo/deltas/${deltaprefix}/${deltadir} badsign 2> apply-offline-bad-key.txt && exit 1
+assert_file_has_content apply-offline-bad-key.txt "signature: dummy: incorrect signature"
+
+echo 'ok apply offline failed with dummy and bad key'
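Review bot: The two rejection cases in the tests/test-delta-sign.sh hunk (`core.sign-verify-deltas true` with no key, and `--sign-type=dummy ... badsign`) assert the error text but never check that repo2 was left without the new commit. Adding `if ${CMD_PREFIX} ostree --repo=repo2 ls ${newrev} >/dev/null 2>&1; then exit 1; fi` after each `assert_file_has_content` would catch an implementation that writes the delta's content before the signature check fails. The first case pins the behaviour that `apply-offline` applies the delta with no verification when no key is passed and `core.sign-verify-deltas` is unset; a comment such as `# verification is opt-in: without a key and without core.sign-verify-deltas the signature is not checked` would show that this default is intended. There is also no case combining `core.sign-verify-deltas true` with a valid key, so the enforced path is exercised only for failure.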