diff options
author | realtime-neil <neil@rtr.ai> | 2021-09-24 18:07:02 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-24 15:07:02 -0700 |
commit | 7fd0d2d5474d6be5ca5288de521e1b0fa3abd8c6 (patch) | |
tree | 86f7fe0a31e31306438ced0b4ae687855c51fa7a | |
parent | 3114b013a974dcc75b0d21a9b51e351ef89d2f3d (diff) | |
download | makeself-7fd0d2d5474d6be5ca5288de521e1b0fa3abd8c6.tar.gz |
signtest: more and better (#258)
update `test/signtest` with the following improvements:
* add function `cat_key` to manage secret keys as heredocs of ascii-armored
content
* add function `checked_import_key` to manage/verify secret key imports
* add function `create_sign_verify` to create, sign, and verify signatures on
makeself archives
* remove the two existing tests and add four new tests:
* `testSingleKey`: test simple sign/verify with one existing key
* `testMultipleKeys`: test more complicated sign/verify when more than one
key is present (this would have caught issue #257)
* `testWrongKey`: ensure that using the wrong key fails signature
verification
* `testWrongPassword`: ensure that using the wrong password fails to create a
signature
-rwxr-xr-x | test/signtest | 310 |
1 files changed, 278 insertions, 32 deletions
diff --git a/test/signtest b/test/signtest index 9ba9ded..d07233f 100755 --- a/test/signtest +++ b/test/signtest @@ -1,44 +1,290 @@ -#!/usr/bin/env bash - -SUT=$(realpath $(dirname $0)/../makeself.sh) -SOURCE=$(realpath ..) -GPG_SECRET_KEY="secret_key.gpg" -GPG_KEY_ID="64F66800CCC556CB7E8FE108EE8CE9E55B602BD9" -BAD_GPG_KEY_ID="64F66800CCC556CB7E8FE108EE8CE9E55B602BD8" -GPG_KEY_PASSPHRASE="123123" -ARCHIVE="makeself-test.run" +#!/bin/bash + +set -eu + +THIS="$(realpath "$0")" +HERE="$(dirname "${THIS}")" +SUT="$(dirname "${HERE}")/makeself.sh" + ################################################################################ -setupGPGKey() -{ - echo $GPG_KEY_PASSPHRASE | gpg --batch --yes --passphrase-fd 0 --import $GPG_SECRET_KEY +# Generate new gpg key. +# +# This function is not used by the test unit, but it was used to create the +# keys that appear in this test unit. +# +# https://gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html#Unattended-GPG-key-generation +gpg_genkey() { + gpg --batch --generate-key - <<'EOF' +%echo Generating temporary key... +Key-Type: default +Name-Real: Makeself Tester +Name-Comment: time to test the makeself +Name-Email: noreply@makeself.io +Expire-Date: 0 +Passphrase: password123 +%commit +%echo ...generated temporary key. +EOF } -deleteGPGKey() -{ - gpg --batch --yes --delete-secret-keys $GPG_KEY_ID +# $1 : keyid +# +# print the ascii-armored key content for the given keyid +cat_key() { + case "$1" in + 3DD6797A5EDE9A253311C13AED3E040B19F6996E) + # sec rsa3072 2021-09-24 [SC] + # 3DD6797A5EDE9A253311C13AED3E040B19F6996E + # uid [ unknown] Makeself Tester (time to test the makeself) <noreply@makeself.io> + cat <<'EOF' +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQWGBGFN1BoBDADnA63BvrK27AgPUQNqwpUP6TrQS87F8zD+Tw1vjHGTkgK83DF5 +bKYn4H5L85721eSJJnsbrX3LuRmO6vqtsyzmFwQs91GuKhGBlDAtZ+ly1v4KGcDW +SFffOWv98uLhPBhyxWQfPSmjrTP7IIu/p0axVrOG5+jU/YBiMbjAXVb0AycCOgl2 +vCE4Ym6g3M2Kr4ApIC3p+zUOvDRn7ZGg0UwwwBITND5VJZRcPShLlQ9nCS51qvMO +Ed+yCrg6TLJlScD0g/on/DA01NPeQHVS8c4SsCwE1LHNNG9b3/IxWlD6LmyJO03S +m7504fqjq8Dbp1oCBqoL76WzcYgIu7wQGZwYzDwvL0WyAfHDNZDPGSPVxCz1LOFS +++iTfUFzb/szBTfIeYufKsedUhw4KE3Yg6/ONYtUGK6HxwJqZ6O4UBgNvw+NaZYR +960hAJ48oZgJ4dgCBu/MgLxegTcbPip7SRcvUUZJA6OpbvfwPTcYYaKKSjjX0C2W +EN3RAINg9t1ma3sAEQEAAf4HAwLupUzIoBbd3v8D8VVaQitipfkdWdZFtOp17OGF +bv04MLr7r5CFyLsXLHpEnzXYGrZgFCsJBlpvmnvdyBieAhTWFYfgeX2g4jNOfIwn +gQn0wchPlQLgGllIvuVWe+EHT6HI0aJ8cbMOfvynrXykWCyBt8z3+DbgHmu1YYMI +mkOG1Nl3mAIyYMexdCrYSWdm6IWScuUqKZ9B6rjaC3eiUusUqSHVWlXY3W4cSBnY +JInPLe5G580Ieb9y3cwExZC/A4Rfb4Bg2z4nZQshceO47gO3XyOx7cC6dH5TLEOL +8AGDuaIH4sTjl/aChMpTARU+FES6/AdmMMlP4KXt0dfeCAiADcFR2fofLsdD38Ex +WFDHDEE62x2bi4QYkg+gp6Ez+ueT9ddH9kv4gotiEID+7EdlkHhQJ1xD7Qw9C5pV +lb+IcnMMNlvGYMsO6lXlQEHtPqZowPT5iyWBMirL9/s5MxEePGyNz+31f8RlOJEp +3ruOEdLzMt/rFiUKmY+JHEJB8dO7RpUH9lp0IGeg6YY1kWZmNqDB7G0q2/hTD8Ov +tVpCXV9TSh6koz98nUStBcmIaEQJKtjvUCCeyWzFUT+RYjiGjlZu18Rb7tZFEZ8T +uy7V4oyFMWePA/wSOyaBtbHg2aqUoGfYxC1Cggvt0vkB1SasDkWfL7/4Wryq11xF +S0LnXp/gOC2w0sgLSPVov0d243iF3KRsCO59sU6UZQurz9fyi5jCEHSmQ9G8kQc5 +VEUXgb6FvW6OoUQnM+epIkJBUJIDDRvvDD5w1tNQBfTtLRX9OzMwX59cJuri3OVv +HDNJHBqcLhD6HX4KEAaj5gkBO7OINpm7G53XFTR4FaJwdoKIibgk/i6BqgrI7mvk +KgXrbow56ZdDc01eZcOdYWDMhTDnPoWrMxGJCvf0v0qdiTryNmvoqINclLPOPOQk +lgeLFaJmN02iOZYfxp9dhnE4361boMStL5Gev4ID+1jx0Ki952QkD/WR4hC0Ddlx +esz65nelbn6dJOYQohO+qE1qbDZ9fjnXNb5NJTla64OK8U/+TeBQTnDEcBdSsakN +DGJZUBisEw+LtJmKDAPvcENRSlqqiMSq+onGKTiP9ao9tuflA/Qd6XyNDVvakbQE +UiUrr1LpCjypxFfhzN3CEz/cWJlXJ61tX3z7N73khEhagE/D0PAOZ6T3Fb5vt2Xg +n34UJL0dDYYLcAxstHjOek27PRWNu/8t6DLAYMA2LInLds4d56K0j9NQ9hC+q8jq +qg1SDbxBSWBtqieUD8nVRG77KCdjg7yaxnYbg6/qxiN6XLeMQGUTP6p/nrsd9/ME +l+H1JcYNO3Q6V47MWVXDetJQoG3OFlyUWrRBTWFrZXNlbGYgVGVzdGVyICh0aW1l +IHRvIHRlc3QgdGhlIG1ha2VzZWxmKSA8bm9yZXBseUBtYWtlc2VsZi5pbz6JAc4E +EwEKADgWIQQ91nl6Xt6aJTMRwTrtPgQLGfaZbgUCYU3UGgIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRDtPgQLGfaZbmz+C/sHLNqWBymHp1IZ47K2Cq84SAWA +leMC4o05aTkVZQ/VISivbm+zX7Z55h4gWtQRpOnUjZvkRR4qzxFQuBji4RwV8fjn +Tmc85E2T+5ElBuvM0E7yKbeZUqar38LvB2PVxHvS54uoz/wNBM0EzQTWkzsj3rL6 +G9RctR9sPd8ExKrepm3Wi9FH6oUcfBQDVcGQnkT/mWtuxJu6cRgflejlowXJQNpi +xNUovCfEPJoembw2w2Zd2jt+j6LumEyKDH6NY0isaFM14zv3xi4DnXd5nDiICUT0 +M6g9A6knE6DopURSAUqj5Jh2YtiiqBFLuywSGDZ1Yr0/iK0YUKOwqkWK6l6WAKUZ +xbHYjmdB2W/mb5KsZQtPA8f64MLnYFUyM/dzKJTNydwdsDfISpo2LQo3x1UlW/iG +o4oajMXFpMzKuE4OSLUjgwHZbmcO6row39ygR9mutiJK4ATLEgz63szELkQqvYiO +F/K8LdM3iHJ5iWSRmORhAM4oXxZbV6v73Qm+Aw0= +=ePfs +-----END PGP PRIVATE KEY BLOCK----- +EOF + ;; + 3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1) + # sec rsa3072 2021-09-24 [SC] + # 3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1 + # uid [ultimate] Makeself Tester (time to test the makeself) <noreply@makeself.io> + cat <<'EOF' +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQWGBGFOL4MBDAC30nl0ptKgL9KxHSWSW4GpAPmCVPiqDuRpRf5J6GArtu4dnkO+ +I/Jc1H0cGw3uvuVlb8LjCafyFLMIg/3IG0CixruV5Nvg+c6vPZtYFV33+Zjg8UKx +7BJEt/dd31V9okWFEh05ItI0JPn+3IH/oqHGH0dUzLFFjVWwjM+7DU+700/HLc6X +CihBbNrFHXzQrAucRLEc3cphKuJf4Gds/hc8ECQWnM/TE/o7/jgUs6yFM3x5kV0Z +uSpcrxjTsj6NZDWiNFGOgwoZl0y/ePvW+Yd+0tWkToj812hNTa/qL82stEH/C2nI +OxavZATLSQP6vpCBrVYf00FPkHrUuvutb2LOKM8Cn9geYIjCj+pISD4tJuEzD+M4 +/fNdrB+uoetQJO3R8iJeNxh8XNPteLpQzeLjOowqn5OllOsx+JNbfEvwwRbyzyyY +RG+a8/RgmMJxqbIwQBtFxYvB6DSi4/TXtKkmIvDcz7lnw5G883tXAEfVPItARfYJ +ozZ1h0PtVckcDnEAEQEAAf4HAwIHYMcvIwTYk///il08EKBzo/DEWbaFbUzCBLnq +p9c8oxNGEnjjxce5l9e0sDSW1U2t8lGhhKTAxyDZuMSFFuCZe2hbFqPle6UBNyJJ +MsFJJ/se3+s+Mnjk7aezjpi+3E6hbcNCwQJzCwKCeHAgnHSKtKsqTcdM3kqoVV/I +CQ92GamhPw6d0KZyYIFNQiIOEP5dcV4CQx6w3mkMm686A3sboSt3hwWE/yvSUhzR +JqQR0OE1O49LE3NPovIQ9Fd6YPHj/LaGrzZyOJxwNbrJlnZAK4kaRK0Q1rduRIco +aUBEeenWBYnZYTNEgK8G42MUnxr5iHzHWMPWGvlIUZeZgSPzD4JybOvVtkIBLjft +RF8sfRuzVDsVWTJX8gZmzkS6WuPpn+oq7p8/b4jBBIMimtv+hFzydDIZKOA/KTMn +tlvuVCwxPyZaW8w/eJ9LoCshgoEEcE7Rf74/XII+TShm5aIbFiXgYAIdSojiExIJ +KBcolcZDRoeT+Zc4RVNwhNiCmbjYMN1VYRSJgLvlgqag3EsecQoLsraLRAlLZrbF +s7LAQNGoG2Rmtp+nq4VvBb9pu1MIn4lP3gnXj6XOfp7GF5ihB6d5UJtFwru4SX0g +vb6JzXP9m+ohPm3TVXw9gmQOqFztyI0lpCzAD1Smk7dWbhgnxGBRineq2IqdzRUY +hzesRHgx7CDG6bUPBXyY2H/Cktb6o86/Zg4QIl/Zqd+whPZTi2W2Go4pHZi4t935 +YKS9Qy13Snp4n4q8Wc5ZwlSCHneRIhE8zm1RWhjM2AjjozKxm91D0lUYc5a8Kw8Y +e49f1xYjTqYQrx1Axjus/rS7bHO2v1Q2h8+rFdXnQ3ZIuyg0dgKVEEi0ckuA7Gx6 +p/aCs9Pb4KhDAtFmTBltj7M9BdTE0sbqB6kVBwtBAyUapyTVhkAjBJnQgHnJXBk9 +1OEl2pityMOUF0TAxJxYGNJA9hrFW5pd5Ekl7tMf7TmglugOevasRouF4XuNTIM1 +DmqZh6VN9+UJs3vn/TfywCmFnTtsOKHLO7ff49X56rG/NH8zysOE9pgurumtcHE0 +xP+UZStNiQVlAJVYF3wcgTQQ70+sToKDlTah28xADdTD+Yfq5i+nEoY5RT0bQEIv +TRF8zRwll68FgjLXBBFoRT1uuD26VuqdcdwUVsr0XDR0ULLfZ5H3XyCXTKErpQ97 +zbPyTJtK0clhdPRDb0nY0bzJ0lCb9rboVx3Fy+s635buWqbBpSCo+2nD1CsN5ibf +SMv0Y54Yd/AMVlX+xvlVFDjW5kkhKahv4dQGrGNljksFPZIlHlh+LK6kMA0itYcY +8mS3c8fr5eyqWPov4b1xzLWWH0Y1f3H4p7RBTWFrZXNlbGYgVGVzdGVyICh0aW1l +IHRvIHRlc3QgdGhlIG1ha2VzZWxmKSA8bm9yZXBseUBtYWtlc2VsZi5pbz6JAc4E +EwEKADgWIQQ/cXmI332NVaFmD8Gl7PJVta534QUCYU4vgwIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRCl7PJVta534dB9C/9oiivbvzBtfP4U+0GDZJmbGu94 +wiRyrADyby7+TByTADVi+sCmtQs1JsAlfo2VEz5azkaBZCWYcElFlv1EPEBSFsj0 +z1KY7dqL837JtHeuoQMDVj54P8QoKVAwPdeUGIF1+9t1jjIO7wZm/hAOwNpwo8IE +0G5F1wzlEhfC2cgcI0gMDNZ7goRIeeBdq1hCP2odX8R1gKKyLV8oLUwCX7G/E1ex +OxciLnx46GN/LSrq1wQucaFsI3pbhXdNhR6QjIpn+M/+6/rlIUC4i90Gdgc5/Smu +nOzvHmhFXMaT/3vudavZIUAJjquJaEEEQkqUION2gB1ddUR82Agx5yEY8WuBddTK +aMSyEtbYTiLFrZaep1WMA70euk2ZhisTmJkxcDQKCWrpsTOeDsag8ukQJu3SM+A2 +drBmXKda/DnUAyGUT4URYi4SLSv05QnFhhmjbCFE8/EuqrJvvf9pBuQiwXFvu4mS +PQl0YDACFfPjOrJmtqQctIB61Bzgem8OVT90j9s= +=Lm2k +-----END PGP PRIVATE KEY BLOCK----- +EOF + ;; + *) + cat </dev/null + ;; + esac } -testCreateSingedArchive() -{ - setupGPGKey - mkdir archive - touch archive/file - output=$($SUT --sign "$GPG_KEY_PASSPHRASE" archive $ARCHIVE "Test" id) - assertReturn $? 0 - assertEqual "$(echo $output | grep -c Signature:)" "1" +# $1 : keyid +checked_import_key() { + cat_key "$1" \ + | gpg --quiet --import --passphrase=password123 --pinentry-mode=loopback --trust-model=always + assertEqual "$?" 0 + gpg --list-secret-keys "$1" >/dev/null 2>&1 + assertEqual "$?" 0 } -testVerifySingedArchive() -{ - ./$ARCHIVE --verify-sig $GPG_KEY_ID - assertReturn $? 0 - ./$ARCHIVE --verify-sig $BAD_GPG_KEY_ID - assertReturn $? 2 - deleteGPGKey - rm -rf archive $ARCHIVE +# $1 : keyid +# rest : makeself options +create_sign_verify() { + local keyid="$1" + shift + + # prepare archive directory + local archive_dir="" + archive_dir="$(mktemp -dt archive_dir.XXXXXX)" + touch "${archive_dir}"/foo.txt + touch "${archive_dir}"/bar.txt + touch "${archive_dir}"/qux.txt + + # create archive + local archive_run="" + archive_run="${archive_dir}.run" + local output="" + output="${archive_run}.out" + "${SUT}" --sign password123 "$@" \ + "${archive_dir}" "${archive_run}" "signtest" ls \ + >"${output}" + assertEqual "$?" 0 + + # check output for signature + grep -Exq 'Signature: [[:alnum:]+/]+' "${output}" + assertEqual "$?" 0 + + # verify signature + local res="" + if eval "${archive_run}" --verify-sig "${keyid}"; then + res="$?" + else + res="$?" + fi + + # clean up + rm -rf "${archive_dir}" "${archive_run}" "${output}" + return "${res}" } +testSingleKey() ( + GNUPGHOME="$(mktemp -dt GNUPGHOME.XXXXXX)" + export GNUPGHOME + + checked_import_key 3DD6797A5EDE9A253311C13AED3E040B19F6996E + assertEqual "$?" 0 + + create_sign_verify 3DD6797A5EDE9A253311C13AED3E040B19F6996E + assertEqual "$?" 0 + + rm -rf "${GNUPGHOME}" +) + +testMultipleKeys() ( + GNUPGHOME="$(mktemp -dt GNUPGHOME.XXXXXX)" + export GNUPGHOME + + checked_import_key 3DD6797A5EDE9A253311C13AED3E040B19F6996E + assertEqual "$?" 0 + + checked_import_key 3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1 + assertEqual "$?" 0 + + create_sign_verify \ + 3DD6797A5EDE9A253311C13AED3E040B19F6996E \ + --gpg-extra "--local-user=3DD6797A5EDE9A253311C13AED3E040B19F6996E" + assertEqual "$?" 0 + + create_sign_verify \ + 3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1 \ + --gpg-extra "--local-user=3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1" + assertEqual "$?" 0 + + rm -rf "${GNUPGHOME}" +) + +testWrongKey() ( + GNUPGHOME="$(mktemp -dt GNUPGHOME.XXXXXX)" + export GNUPGHOME + + checked_import_key 3DD6797A5EDE9A253311C13AED3E040B19F6996E + assertEqual "$?" 0 + + checked_import_key 3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1 + assertEqual "$?" 0 + + create_sign_verify \ + 3DD6797A5EDE9A253311C13AED3E040B19F6996E \ + --gpg-extra "--local-user=3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1" \ + || assertEqual "$?" 2 + + create_sign_verify \ + 3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1 \ + --gpg-extra "--local-user=3DD6797A5EDE9A253311C13AED3E040B19F6996E" \ + || assertEqual "$?" 2 + + rm -rf "${GNUPGHOME}" +) + +testWrongPassword() ( + GNUPGHOME="$(mktemp -dt GNUPGHOME.XXXXXX)" + export GNUPGHOME + + checked_import_key 3DD6797A5EDE9A253311C13AED3E040B19F6996E + assertEqual "$?" 0 + + checked_import_key 3F717988DF7D8D55A1660FC1A5ECF255B5AE77E1 + assertEqual "$?" 0 + + # prepare archive directory + local archive_dir="" + archive_dir="$(mktemp -dt archive_dir.XXXXXX)" + touch "${archive_dir}"/foo.txt + touch "${archive_dir}"/bar.txt + touch "${archive_dir}"/qux.txt + + # create archive + local archive_run="" + archive_run="${archive_dir}.run" + local output="" + output="${archive_run}.out" + "${SUT}" --sign TheWrongPassword1357 "$@" \ + "${archive_dir}" "${archive_run}" "signtest" ls \ + >"${output}" + assertEqual "$?" 0 + + grep -Fxq 'Signature: ' "${output}" + assertEqual "$?" 0 + + rm -rf "${GNUPGHOME}" "${archive_dir}" "${archive_run}" "${output}" +) + ################################################################################ -source bashunit/bashunit.bash +# shellcheck disable=SC1091 +source "${HERE}/bashunit/bashunit.bash" |