Commit Graph

18 Commits

Author SHA1 Message Date
Dan Nicholson
9c20d162a4 tests/gpg: Don't assert subkey expiration when only primary expired
In gnupg 2.3.0[1], if a primary key is expired and a subkey does not
have an expiration or its expiration is older than the primary key, the
subkey's expiration will be reported as the primary's. Previously a
subkey without an expiration would not report one regardless of the
primary key's expiration.

This caused a regression in a test setting an expiration on a primary
key. The test was checking that the subkey was not expired by asserting
that there was no `Key expired` line in the signature verification
output. With gnupg 2.3.0+, it will show as expired, causing the test to
fail.

Remove the assertion since it's not consistent across gnupg versions. In
practice we don't care whether the subkey is considered expired or not
as long as the signature verification fails when the primary key is
expired.

1. https://dev.gnupg.org/T3343

Fixes: #2359
2021-05-28 15:35:58 -06:00
Dan Nicholson
d2a9c8604e tests/gpg: Skip tests when subkeys can't be expired
The ability to expire subkeys using gpg's --quick-set-expire is only
available on gnupg 2.1.22. If expiring a subkey fails, assume this is
why and skip the tests that require it but run the actions that the
subsequent tests depend on. This was failing on the Debian Stretch CI
tests since stretch has gnupg 2.1.18.

Closes: #1892
Approved by: jlebon
2019-07-27 03:20:21 +00:00
Dan Nicholson
8ac348d19a tests/gpg: Use exit hook to kill agent in temporary GPG homedir
This wasn't available when I originally wrote this, but it ensures that
the running gpg-agent in tmpgpghome is killed in case the tests exit
early.

Closes: #1892
Approved by: jlebon
2019-07-27 03:20:21 +00:00
Dan Nicholson
abb173352d tests: Always cleanup gpg-agent when exiting
Add `libtest_cleanup_gpg()` to the array of commands to run when
exiting. This provides 2 improvements:

1. You don't need to worry about whether the test will spawn a gpg-agent
   and therefore require adding a call to `libtest_cleanup_gpg()`.

2. All the existing users were calling `libtest_cleanup_gpg()` at the
   end of the script. If there was a failure and the script exited
   early, then it wouldn't cleanup and there may be a stray gpg-agent
   hanging around.

Closes: #1799
Approved by: cgwalters
2019-06-19 17:30:24 +00:00
Dan Nicholson
0c63f30783 tests/test-gpg-signed-commit: Test more key states
Extend test-gpg-signed-commit.sh to test various key states. If gpg is
found that supports the required options, keys will be generated on the
fly and changed in various ways to exercise the output from
`ostree_gpg_verify_result_describe_variant` used in `ostree show`.

I tested this using gnupg 2.2.12, so I hope it works well enough on
various gpgs found in the wild.

Closes: #1872
Approved by: cgwalters
2019-06-19 17:17:11 +00:00
Marcus Folkesson
6bf4b3e1d8 Add SPDX-License-Identifier to source files
SPDX License List is a list of (common) open source
licenses that can be referred to by a “short identifier”.
It has several advantages compared to the common "license header texts"
usually found in source files.

Some of the advantages:
* It is precise; there is no ambiguity due to variations in license header
  text
* It is language neutral
* It is easy to machine process
* It is concise
* It is simple and can be used without much cost in interpreted
  environments like java Script, etc.
* An SPDX license identifier is immutable.
* It provides simple guidance for developers who want to make sure the
  license for their code is respected

See http://spdx.org for further reading.

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>

Closes: #1439
Approved by: cgwalters
2018-01-30 20:03:42 +00:00
Colin Walters
88b25dc65c tree-wide: Replace archive-z2 with archive
In almost all places. There are just a few exceptions; one tricky bit for
example is that the repo config must still have `mode=archive-z2`, since
`archive` used to mean something else. (We could very likely just get rid of
that check, but eh, later).

I also added a test that one can still do `ostree repo init --mode=archive-z2`.

Closes: #1125
Approved by: jlebon
2017-09-01 20:54:12 +00:00
Jonathan Lebon
c4c030cc79 libtest: add has_gpgme() helper function
Closes: #469
Approved by: cgwalters
2016-08-31 16:52:12 +00:00
Colin Walters
bdf24cdc04 tests: Make failing to kill the GPG agent non-fatal
It's not working for me in `make check` on a RHEL 7 Workstation,
apparently because no GPG agent is spawned.  I'm guessing this has
something to do with the GPG version?

The downside of this is we will be less likely to notice if GPG
changes again and we start leaking agents like we're in The Matrix
Reloaded.  But the real solution to that is containers anyways.

Closes: #233
Approved by: smcv
2016-03-31 18:43:31 +00:00
Simon McVittie
b25ddd29ab In tests that use gpg, terminate the gpg-agent after testing
Otherwise we leak those processes.

Signed-off-by: Simon McVittie <smcv@debian.org>

Closes: #232
Approved by: cgwalters
2016-03-31 14:22:06 +00:00
Colin Walters
d25212f04a tests: Port to glib-tap.mk, make make check run all of the tests
OSTree's code for testing predates the `glib-tap.mk` making its
way into GLib.  Let's switch to it, as it provides a number
of advantages.

By far the biggest advantage is that `make check` can start to run
most of the tests *in addition* to having them work installed.

This commit keeps the installed tests working, but `make check` turns
out to be really broken because...our TAP usage has bitrotted to say
the least.  Fix that all up.

Do some hacks so that the tests work uninstalled as well - in
particular, `glib-tap.mk` and the bits encoded into
`g_test_build_filename()` assume *recursive* Automake (blah).  Work
around that by creating a symlink when installed to loop back.
2016-03-03 08:50:19 -05:00
Colin Walters
5ebe43859d tests: Use "bash strict mode"
I noticed in the static deltas tests, there were some tests that
should have been under `-o pipefail` to ensure we properly propagate
errors.

There were a few places where we were referencing undefined variables.

Overall, this is clearly a good idea IMO.
2016-01-27 11:44:10 -05:00
Giuseppe Scrivano
cd93780d97 show: add option --gpg-homedir
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2015-04-27 15:22:41 +02:00
Matthew Barnes
9b8bad3c2e tests: Update test-gpg-signed-commit.sh
Utilize and test new CLI capabilities:

  - Signature count in 'ostree show' result
  - Duplicate signatures now rejected
  - Ability to delete signatures
2015-03-18 11:53:26 -04:00
Giuseppe Scrivano
aea173b3f8 tests: enforce ${CMD_PREFIX} on all ostree processes
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2015-03-03 18:32:24 -05:00
Matthew Barnes
a5b002dae6 ostree: Add gpg-sign command
Signs a commit with one or more GPG keys.
2015-02-26 12:53:01 -05:00
Colin Walters
26d5db696b tests: Fix up GPG tests for more strict EL7 GPG
These GPG tests were failing for me on EL7 - it appears to be because
we had only one directory for both private and public keys, and we
were giving that to ostree for verification, which passed them onto
gpgv.

In EL7 beta at least, gpgv now barfs if it finds a private key where
it is just expecting to find public keys.

Fix this by splitting out the public trusted directory from the
private key directory.  Except now for signing, we still need the
public key there, so symlink it.  Whee!
2014-02-10 09:40:35 -05:00
Jeremy Whiting
7d5aa74dae core: Use libgpgme to add GPG signatures to detached metadata for commit object
Add an optional dependency on gpgme to add GPG signatures into the
detached metadata, with the key "ostree.gpgsigs", as an "aay", an
array of signatures (treated as binary data).

The commit command gains a --gpg-sign=<key-id> argument.  Also add an
argument --gpg-homedir to set the GPG homedir where we look for
keyrings.
2013-09-28 16:12:35 -04:00