diff options
| author | Dan Nicholson <nicholson@endlessm.com> | 2019-06-21 06:59:56 -0500 |
|---|---|---|
| committer | Dan Nicholson <nicholson@endlessm.com> | 2020-01-24 13:02:17 -0700 |
| commit | b81a6b4ab2186b9521b9144b7247f2a26d9c675c (patch) | |
| tree | c7e4686106016bea3f74b568e85cef8dfabe7c0f | |
| parent | 01da2371c5451edc184915fa50b051fb589a157e (diff) | |
| download | ostree-b81a6b4ab2186b9521b9144b7247f2a26d9c675c.tar.gz | |
tests/gpg: Add tests for importing updated remote GPG keys
This checks whether gpg-import will properly update the keyring for a
key that already exists. In particular, we check that changing the key
expiration time or revoking it results in commit verification failure
after re-importing the keys.
| -rwxr-xr-x | tests/test-remote-gpg-import.sh | 61 |
1 files changed, 60 insertions, 1 deletions
diff --git a/tests/test-remote-gpg-import.sh b/tests/test-remote-gpg-import.sh index b8673852..cf13b499 100755 --- a/tests/test-remote-gpg-import.sh +++ b/tests/test-remote-gpg-import.sh @@ -28,7 +28,12 @@ unset OSTREE_GPG_HOME setup_fake_remote_repo1 "archive" -echo "1..4" +# Some tests require an appropriate gpg +num_non_gpg_tests=4 +num_gpg_tests=2 +num_tests=$((num_non_gpg_tests + num_gpg_tests)) + +echo "1..${num_tests}" cd ${test_tmpdir} mkdir repo @@ -280,3 +285,57 @@ ${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo summary -u --gpg ${OSTREE} pull --require-static-deltas R1:main echo "ok gpg trusted signed commit for delta upgrades" + +# Run some more tests if an appropriate gpg is available +GPG=$(which_gpg) +if [ -z "${GPG}" ]; then + # Print a skip message per skipped test + for (( i = 0; i < num_gpg_tests; i++ )); do + echo "ok # SKIP this test requires gpg" + done +else + # Create a commit signed with keyid 1 + echo $(date) > workdir/testfile-for-key-mangling + ${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo commit -b main --gpg-sign ${TEST_GPG_KEYID_1} --gpg-homedir ${test_tmpdir}/gpghome workdir + + # Re-add the remote + ${OSTREE} remote delete R1 + ${OSTREE} remote add --gpg-import ${test_tmpdir}/gpghome/key1.asc R1 $(cat httpd-address)/ostree/gnomerepo | grep -o 'Imported [[:digit:]] GPG key' > result + assert_file_has_content result 'Imported 1 GPG key' + + # Expire key 1, wait for it to be expired and import the expired key. Only + # new keys are reported. + ${GPG} --homedir=${test_tmpdir}/gpghome --quick-set-expire ${TEST_GPG_KEYFPR_1} seconds=1 + sleep 2 + ${GPG} --homedir=${test_tmpdir}/gpghome --armor --export ${TEST_GPG_KEYID_1} > ${test_tmpdir}/key1expired.asc + ${OSTREE} remote gpg-import --keyring ${test_tmpdir}/key1expired.asc R1 | grep -o 'Imported [[:digit:]] GPG key' > result + assert_file_has_content result 'Imported 0 GPG key' + + # Pulling should fail since the key is expired + rm repo/refs/remotes/* -rf + ${OSTREE} prune --refs-only + if ${OSTREE} pull R1:main 2>err.txt; then + assert_not_reached "Unexpectedly succeeded at pulling commit signed with expired key" + fi + assert_file_has_content err.txt "Key expired" + + echo "ok imported expired key" + + # Unexpire keyid 1 and revoke it. Revoking is done by importing the + # pre-generated revocation certificate. + ${GPG} --homedir=${test_tmpdir}/gpghome --quick-set-expire ${TEST_GPG_KEYFPR_1} seconds=0 + ${GPG} --homedir=${TEST_GPG_KEYHOME} --import ${TEST_GPG_KEYHOME}/revocations/key1.rev + ${GPG} --homedir=${test_tmpdir}/gpghome --armor --export ${TEST_GPG_KEYID_1} > ${test_tmpdir}/key1revoked.asc + ${OSTREE} remote gpg-import --keyring ${test_tmpdir}/key1revoked.asc R1 | grep -o 'Imported [[:digit:]] GPG key' > result + assert_file_has_content result 'Imported 0 GPG key' + + # Pulling should fail since the key is revoked + rm repo/refs/remotes/* -rf + ${OSTREE} prune --refs-only + if ${OSTREE} pull R1:main 2>err.txt; then + assert_not_reached "Unexpectedly succeeded at pulling commit signed with revoked key" + fi + assert_file_has_content err.txt "Key revoked" + + echo "ok imported revoked key" +fi |