tests: Add a pre-signed-pull.sh test

I'm thinking about adding an implementation of ed25519 signatures
with OpenSSL (so we can ship the feature with Fedora CoreOS
without requiring an additional library) and in preparation for
that it's essential that we validate that libsodium-generated
signatures and OpenSSL-generated signatures are compatible.

I don't know if they are yet actually, but the goal of this
new test is to add a pre-generated repository with a signed
commit generated by libsodium.

This will catch if e.g. there's ever a change in libsodium,
or if existing libsodium implementation versions (e.g. the
one in Debian) might differ from what we ship here.
Colin Walters 2020-06-11 18:31:33 +00:00
parent a128eb551a
commit 40d6f6b5ee
3 changed files with 54 additions and 0 deletions


@ -140,6 +140,7 @@ _installed_or_uninstalled_test_scripts = \
tests/test-config.sh \ tests/test-config.sh \
tests/test-signed-commit.sh \ tests/test-signed-commit.sh \
tests/test-signed-pull.sh \ tests/test-signed-pull.sh \
tests/test-pre-signed-pull.sh \
tests/test-signed-pull-summary.sh \ tests/test-signed-pull-summary.sh \
$(NULL) $(NULL)
@ -201,6 +202,7 @@ dist_installed_test_data = tests/archive-test.sh \
tests/fah-deltadata-old.tar.xz \ tests/fah-deltadata-old.tar.xz \
tests/fah-deltadata-new.tar.xz \ tests/fah-deltadata-new.tar.xz \
tests/ostree-path-traverse.tar.gz \ tests/ostree-path-traverse.tar.gz \
tests/pre-signed-pull-data.tar.gz \
tests/libtest-core.sh \ tests/libtest-core.sh \
$(NULL) $(NULL)
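Review bot: the `tests/pre-signed-pull-data.tar.gz` entry added to `dist_installed_test_data` brings in a binary fixture, and nothing in this patch records how it was produced. Since the stated purpose is to pin a libsodium-generated signature, please document next to it (a short README or a comment at the top of the test script) which libsodium version and which commands created the repository and signed the commit, so the fixture can be audited and regenerated later.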

Binary file not shown.

tests/test-pre-signed-pull.sh Executable file

@ -0,0 +1,52 @@
#!/bin/bash
#
# Copyright (C) 2020 Collabora Ltd.
#
# SPDX-License-Identifier: LGPL-2.0+
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
set -euo pipefail
. $(dirname $0)/libtest.sh
echo "1..1"
if ! has_sign_ed25519; then
echo "ok pre-signed pull # SKIP due ed25519 unavailability"
exit 0
fi
mkdir upstream
cd upstream
tar xzf $(dirname $0)/pre-signed-pull-data.tar.gz
cd ..
pubkey='45yzbkuEok0lLabxzdAHWUDSMZgYfxU40sN+LMfYHVA='
ostree --repo=repo init --mode=archive
ostree --repo=repo remote add upstream --set=gpg-verify=false --sign-verify=ed25519=inline:${pubkey} file://$(pwd)/upstream/repo
ostree --repo=repo pull upstream:testref
wrongkey=$(gen_ed25519_random_public)
rm repo -rf
ostree --repo=repo init --mode=archive
ostree --repo=repo remote add badupstream --set=gpg-verify=false --sign-verify=ed25519=inline:${wrongkey} file://$(pwd)/upstream/repo
if ostree --repo=repo pull badupstream:testref 2>err.txt; then
fatal "pulled with wrong key"
fi
assert_file_has_content err.txt 'error:.* no valid ed25519 signatures found'
echo "ok pre-signed pull"
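Review bot: the command substitutions in `. $(dirname $0)/libtest.sh`, `tar xzf $(dirname $0)/pre-signed-pull-data.tar.gz` and both `file://$(pwd)/upstream/repo` URLs are unquoted, so a source or working directory whose path contains whitespace will word-split and fail the test for reasons unrelated to signature verification. Quote them, for example `"$(dirname "$0")"` and `"file://$(pwd)/upstream/repo"`. In the same block, `rm repo -rf` puts the options after the operand, which relies on GNU option permutation; `rm -rf repo` is the portable form.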