tests: Add a pre-signed-pull.sh test

I'm thinking about adding an implementation of ed25519 signatures
with OpenSSL (so we can ship the feature with Fedora CoreOS
without requiring an additional library) and in preparation for
that it's essential that we validate that libsodium-generated
signatures and OpenSSL-generated signatures are compatible.

I don't know if they are yet actually, but the goal of this
new test is to add a pre-generated repository with a signed
commit generated by libsodium.

This will catch if e.g. there's ever a change in libsodium,
or if existing libsodium implementation versions (e.g. the
one in Debian) might differ from what we ship here.

Makefile-tests.am

@@ -140,6 +140,7 @@ _installed_or_uninstalled_test_scripts = \
 	tests/test-config.sh \
 	tests/test-signed-commit.sh \
 	tests/test-signed-pull.sh \
+	tests/test-pre-signed-pull.sh \
 	tests/test-signed-pull-summary.sh \
 	$(NULL)
 
@@ -201,6 +202,7 @@ dist_installed_test_data = tests/archive-test.sh \
 	tests/fah-deltadata-old.tar.xz \
 	tests/fah-deltadata-new.tar.xz \
 	tests/ostree-path-traverse.tar.gz \
+	tests/pre-signed-pull-data.tar.gz \
 	tests/libtest-core.sh \
 	$(NULL)
 

tests/test-pre-signed-pull.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright (C) 2020 Collabora Ltd.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..1"
+
+if ! has_sign_ed25519; then
+    echo "ok pre-signed pull # SKIP due ed25519 unavailability"
+    exit 0
+fi
+
+mkdir upstream
+cd upstream
+tar xzf $(dirname $0)/pre-signed-pull-data.tar.gz
+cd ..
+
+pubkey='45yzbkuEok0lLabxzdAHWUDSMZgYfxU40sN+LMfYHVA='
+
+ostree --repo=repo init --mode=archive
+ostree --repo=repo remote add upstream --set=gpg-verify=false --sign-verify=ed25519=inline:${pubkey} file://$(pwd)/upstream/repo
+ostree --repo=repo pull upstream:testref
+
+wrongkey=$(gen_ed25519_random_public)
+rm repo -rf
+ostree --repo=repo init --mode=archive
+ostree --repo=repo remote add badupstream --set=gpg-verify=false --sign-verify=ed25519=inline:${wrongkey} file://$(pwd)/upstream/repo
+if ostree --repo=repo pull badupstream:testref 2>err.txt; then
+    fatal "pulled with wrong key"
+fi
+assert_file_has_content err.txt 'error:.* no valid ed25519 signatures found'
+echo "ok pre-signed pull"