tests/sign: add initial test for pulling

Test if we pull signed commits from remote. Signed-off-by: Denis Pynkin <[email protected]>
p5 · Mar 25, 2020 · 82c7737 · 82c7737
1 parent 3386893
commit 82c7737
Show file tree

Hide file tree

Showing 2 changed files with 98 additions and 0 deletions.
diff --git a/Makefile-tests.am b/Makefile-tests.am
@@ -140,6 +140,12 @@ _installed_or_uninstalled_test_scripts = \
 	tests/test-signed-commit.sh \
 	$(NULL)
 
+if USE_LIBSODIUM
+_installed_or_uninstalled_test_scripts += \
+	tests/test-signed-pull.sh \
+	$(NULL)
+endif
+
 if USE_GPGME
 _installed_or_uninstalled_test_scripts += \
 	tests/test-remote-gpg-import.sh \

diff --git a/tests/test-signed-pull.sh b/tests/test-signed-pull.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Collabora Ltd.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..4"
+
+setup_fake_remote_repo1 "archive"
+
+repo_mode="archive"
+
+function repo_init() {
+    cd ${test_tmpdir}
+    rm repo -rf
+    mkdir repo
+    ostree_repo_init repo --mode=${repo_mode}
+    ${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/gnomerepo "$@"
+}
+
+function test_signed_pull() {
+    local sign_type="$1"
+    cd ${test_tmpdir}
+    ${CMD_PREFIX} ostree --repo=ostree-srv/gnomerepo commit ${COMMIT_ARGS} \
+        -b main -s "A signed commit" --tree=ref=main
+
+    ${CMD_PREFIX} ostree --repo=ostree-srv/gnomerepo summary -u
+    # make sure gpg verification is correctly on
+    csum=$(${CMD_PREFIX} ostree --repo=ostree-srv/gnomerepo rev-parse main)
+    objpath=objects/${csum::2}/${csum:2}.commitmeta
+    remotesig=ostree-srv/gnomerepo/$objpath
+    localsig=repo/$objpath
+    mv $remotesig $remotesig.bak
+    if ${CMD_PREFIX} ostree --repo=repo --depth=0 pull origin main; then
+        assert_not_reached "pull with sign-verify unexpectedly succeeded?"
+    fi
+    # ok now check that we can pull correctly
+    mv $remotesig.bak $remotesig
+    ${CMD_PREFIX} ostree --repo=repo pull origin main
+    echo "ok pull ${sign_type} signed commit"
+    rm $localsig
+    ${CMD_PREFIX} ostree --repo=repo pull origin main
+    test -f $localsig
+    echo "ok re-pull ${sign_type} signature for stored commit"
+}
+
+DUMMYSIGN="dummysign"
+COMMIT_ARGS="--sign=${DUMMYSIGN} --sign-type=dummy"
+repo_init --set=sign-verify=true
+test_signed_pull "dummy"
+
+
+# Test ostree sign with 'ed25519' module
+# Generate private key in PEM format
+PEMFILE="$(mktemp -p ${test_tmpdir} ed25519_XXXXXX.pem)"
+openssl genpkey -algorithm ed25519 -outform PEM -out "${PEMFILE}"
+
+# Based on: http://openssl.6102.n7.nabble.com/ed25519-key-generation-td73907.html
+# Extract the private and public parts from generated key.
+PUBLIC="$(openssl pkey -outform DER -pubout -in ${PEMFILE} | tail -c 32 | base64)"
+SEED="$(openssl pkey -outform DER -in ${PEMFILE} | tail -c 32 | base64)"
+# Secret key is concantination of SEED and PUBLIC
+SECRET="$(echo ${SEED}${PUBLIC} | base64 -d | base64 -w 0)"
+
+echo "SEED = $SEED"
+echo "PUBLIC = $PUBLIC"
+
+COMMIT_ARGS="--sign=${SECRET} --sign-type=ed25519"
+
+repo_init --set=sign-verify=true
+${CMD_PREFIX} ostree --repo=repo config set 'remote "origin"'.verification-key "${PUBLIC}"
+test_signed_pull "ed25519"
+