2019-11-29 16:17:17 +01:00
#!/bin/bash
#
# Copyright (C) 2011,2013 Colin Walters <walters@verbum.org>
#
# SPDX-License-Identifier: LGPL-2.0+
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
2021-12-06 20:20:55 -05:00
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
2019-11-29 16:17:17 +01:00
set -euo pipefail
. $( dirname $0 ) /libtest.sh
skip_without_user_xattrs
bindatafiles = "bash true ostree"
2020-08-21 17:24:49 +02:00
echo '1..7'
2019-11-29 16:17:17 +01:00
# This is explicitly opt in for testing
export OSTREE_DUMMY_SIGN_ENABLED = 1
mkdir repo
ostree_repo_init repo --mode= archive
mkdir files
for bin in ${ bindatafiles } ; do
cp $( which ${ bin } ) files
done
${ CMD_PREFIX } ostree --repo= repo commit -b test -s test --tree= dir = files
function permuteFile( ) {
permutation = $(( $1 % 2 ))
output = $2
case $permutation in
0) dd if = /dev/zero count = 40 bs = 1 >> $output ; ;
1) echo aheader | cat - $output >> $output .new && mv $output .new $output ; ;
esac
}
function permuteDirectory( ) {
permutation = $1
dir = $2
for x in ${ dir } /*; do
for z in $( seq ${ permutation } ) ; do
permuteFile ${ z } ${ x }
done
done
}
get_assert_one_direntry_matching( ) {
local path = $1
local r = $2
local child = ""
local bn
for p in ${ path } /*; do
bn = $( basename $p )
if ! echo ${ bn } | grep -q " $r " ; then
continue
fi
if test -z " ${ child } " ; then
child = ${ bn }
else
assert_not_reached " Expected only one child matching ${ r } in ${ path } " ;
fi
done
if test -z " ${ child } " ; then
assert_not_reached " Failed to find child matching ${ r } "
fi
echo ${ child }
}
origrev = $( ${ CMD_PREFIX } ostree --repo= repo rev-parse test )
permuteDirectory 1 files
${ CMD_PREFIX } ostree --repo= repo commit -b test -s test --tree= dir = files
newrev = $( ${ CMD_PREFIX } ostree --repo= repo rev-parse test )
${ CMD_PREFIX } ostree --repo= repo static-delta generate --from= ${ origrev } --to= ${ newrev }
${ CMD_PREFIX } ostree --repo= repo static-delta verify --sign-type= dummy ${ origrev } -${ newrev } dummysign > show-not-signed.txt 2>& 1 && exit 1
assert_file_has_content show-not-signed.txt "Verification fails"
assert_file_has_content show-not-signed.txt "no signatures in static-delta"
deltaprefix = $( get_assert_one_direntry_matching repo/deltas '.' )
deltadir = $( get_assert_one_direntry_matching repo/deltas/${ deltaprefix } '-' )
rm -rf repo/deltas/${ deltaprefix } /${ deltadir } /*
${ CMD_PREFIX } ostree --repo= repo static-delta generate --from= ${ origrev } --to= ${ newrev } --inline
${ CMD_PREFIX } ostree --repo= repo static-delta verify --sign-type= dummy ${ origrev } -${ newrev } dummysign > show-inline-not-signed.txt 2>& 1 && exit 1
assert_file_has_content show-not-signed.txt "Verification fails"
assert_file_has_content show-not-signed.txt "no signatures in static-delta"
echo 'ok verify ok with unsigned deltas'
rm -rf repo/deltas/${ deltaprefix } /${ deltadir } /*
${ CMD_PREFIX } ostree --repo= repo static-delta generate --from= ${ origrev } --to= ${ newrev } --sign-type= dummy --sign= dummysign
${ CMD_PREFIX } ostree --repo= repo static-delta verify --sign-type= dummy ${ origrev } -${ newrev } dummysign > show-dummy-signed.txt
assert_file_has_content show-dummy-signed.txt "Verification OK"
rm -rf repo/deltas/${ deltaprefix } /${ deltadir } /*
${ CMD_PREFIX } ostree --repo= repo static-delta generate --from= ${ origrev } --to= ${ newrev } --inline --sign-type= dummy --sign= dummysign
${ CMD_PREFIX } ostree --repo= repo static-delta verify --sign-type= dummy ${ origrev } -${ newrev } dummysign > show-dummy-inline-signed.txt
assert_file_has_content show-dummy-inline-signed.txt "Verification OK"
echo 'ok verified with dummy'
rm -rf repo/deltas/${ deltaprefix } /${ deltadir } /*
${ CMD_PREFIX } ostree --repo= repo static-delta generate --from= ${ origrev } --to= ${ newrev } --sign-type= dummy --sign= dummysign
${ CMD_PREFIX } ostree --repo= repo static-delta verify --sign-type= dummy ${ origrev } -${ newrev } badsign > show-dummy-bad-signed.txt && exit 1
assert_file_has_content show-dummy-bad-signed.txt "Verification fails"
rm -rf repo/deltas/${ deltaprefix } /${ deltadir } /*
${ CMD_PREFIX } ostree --repo= repo static-delta generate --from= ${ origrev } --to= ${ newrev } --inline --sign-type= dummy --sign= dummysign
${ CMD_PREFIX } ostree --repo= repo static-delta verify --sign-type= dummy ${ origrev } -${ newrev } badsign > show-dummy-bad-inline-signed.txt && exit 1
assert_file_has_content show-dummy-bad-inline-signed.txt "Verification fails"
echo 'ok verification failed with dummy and bad key'
2020-08-21 17:24:49 +02:00
rm -rf repo2
ostree_repo_init repo2 --mode= bare-user
${ CMD_PREFIX } ostree --repo= repo2 pull-local repo ${ origrev }
${ CMD_PREFIX } ostree --repo= repo2 ls ${ origrev } >/dev/null
${ CMD_PREFIX } ostree --repo= repo2 static-delta apply-offline repo/deltas/${ deltaprefix } /${ deltadir }
${ CMD_PREFIX } ostree --repo= repo2 fsck
${ CMD_PREFIX } ostree --repo= repo2 ls ${ newrev } >/dev/null
echo 'ok apply offline with no signature verification and no key'
rm -rf repo2
ostree_repo_init repo2 --mode= bare-user
${ CMD_PREFIX } ostree --repo= repo2 config set core.sign-verify-deltas true
${ CMD_PREFIX } ostree --repo= repo2 pull-local repo ${ origrev }
${ CMD_PREFIX } ostree --repo= repo2 ls ${ origrev } >/dev/null
${ CMD_PREFIX } ostree --repo= repo2 static-delta apply-offline repo/deltas/${ deltaprefix } /${ deltadir } 2> apply-offline-verification-no-key.txt && exit 1
assert_file_has_content apply-offline-verification-no-key.txt "Key is mandatory to check delta signature"
echo 'ok apply offline failed with signature verification forced and no key'
rm -rf repo2
ostree_repo_init repo2 --mode= bare-user
${ CMD_PREFIX } ostree --repo= repo2 pull-local repo ${ origrev }
${ CMD_PREFIX } ostree --repo= repo2 ls ${ origrev } >/dev/null
${ CMD_PREFIX } ostree --repo= repo2 static-delta apply-offline --sign-type= dummy repo/deltas/${ deltaprefix } /${ deltadir } dummysign
${ CMD_PREFIX } ostree --repo= repo2 fsck
${ CMD_PREFIX } ostree --repo= repo2 ls ${ newrev } >/dev/null
echo 'ok apply offline with dummy'
rm -rf repo2
ostree_repo_init repo2 --mode= bare-user
${ CMD_PREFIX } ostree --repo= repo2 pull-local repo ${ origrev }
${ CMD_PREFIX } ostree --repo= repo2 ls ${ origrev } >/dev/null
${ CMD_PREFIX } ostree --repo= repo2 static-delta apply-offline --sign-type= dummy repo/deltas/${ deltaprefix } /${ deltadir } badsign 2> apply-offline-bad-key.txt && exit 1
2021-08-03 16:33:28 -04:00
assert_file_has_content apply-offline-bad-key.txt "signature: dummy: incorrect signatures found: 1"
2020-08-21 17:24:49 +02:00
echo 'ok apply offline failed with dummy and bad key'