tests: Move keys into ./tests/keys/ and add a third ed25519 key.
The third key will be used in an upcoming commit. Rename public keys to .pub. * guix/tests/gnupg.scm (%ed25519-3-public-key-file): New variable. (%ed25519-3-secret-key-file): New variable. (%ed25519-2-public-key-file): Renamed from %ed25519bis-public-key-file. (%ed25519-2-secret-key-file): Renamed from %ed25519bis-secret-key-file. * tests/keys/ed25519-3.key: New file. * tests/keys/ed25519-3.sec: New file. Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
This commit is contained in:
parent
5b8ae331f7
commit
9ebc9ca070
18 changed files with 92 additions and 60 deletions
20
Makefile.am
20
Makefile.am
|
@ -653,16 +653,18 @@ EXTRA_DIST += \
|
|||
build-aux/update-guix-package.scm \
|
||||
build-aux/update-NEWS.scm \
|
||||
tests/test.drv \
|
||||
tests/signing-key.pub \
|
||||
tests/signing-key.sec \
|
||||
tests/cve-sample.json \
|
||||
tests/civodul.key \
|
||||
tests/rsa.key \
|
||||
tests/dsa.key \
|
||||
tests/ed25519.key \
|
||||
tests/ed25519.sec \
|
||||
tests/ed25519bis.key \
|
||||
tests/ed25519bis.sec \
|
||||
tests/keys/signing-key.pub \
|
||||
tests/keys/signing-key.sec \
|
||||
tests/keys/civodul.pub \
|
||||
tests/keys/rsa.pub \
|
||||
tests/keys/dsa.pub \
|
||||
tests/keys/ed25519.pub \
|
||||
tests/keys/ed25519.sec \
|
||||
tests/keys/ed25519-2.pub \
|
||||
tests/keys/ed25519-2.sec \
|
||||
tests/keys/ed25519-3.pub \
|
||||
tests/keys/ed25519-3.sec \
|
||||
build-aux/config.rpath \
|
||||
bootstrap \
|
||||
doc/build.scm \
|
||||
|
|
|
@ -73,8 +73,8 @@ then
|
|||
# Copy the keys so that the secret key has the right permissions (the
|
||||
# daemon errors out when this is not the case.)
|
||||
mkdir -p "$GUIX_CONFIGURATION_DIRECTORY"
|
||||
cp "@abs_top_srcdir@/tests/signing-key.sec" \
|
||||
"@abs_top_srcdir@/tests/signing-key.pub" \
|
||||
cp "@abs_top_srcdir@/tests/keys/signing-key.sec" \
|
||||
"@abs_top_srcdir@/tests/keys/signing-key.pub" \
|
||||
"$GUIX_CONFIGURATION_DIRECTORY"
|
||||
chmod 400 "$GUIX_CONFIGURATION_DIRECTORY/signing-key.sec"
|
||||
fi
|
||||
|
|
|
@ -28,8 +28,10 @@ (define-module (guix tests gnupg)
|
|||
|
||||
%ed25519-public-key-file
|
||||
%ed25519-secret-key-file
|
||||
%ed25519bis-public-key-file
|
||||
%ed25519bis-secret-key-file
|
||||
%ed25519-2-public-key-file
|
||||
%ed25519-2-secret-key-file
|
||||
%ed25519-3-public-key-file
|
||||
%ed25519-3-secret-key-file
|
||||
|
||||
read-openpgp-packet
|
||||
key-fingerprint
|
||||
|
@ -63,13 +65,17 @@ (define-syntax-rule (with-fresh-gnupg-setup imported exp ...)
|
|||
(call-with-fresh-gnupg-setup imported (lambda () exp ...)))
|
||||
|
||||
(define %ed25519-public-key-file
|
||||
(search-path %load-path "tests/ed25519.key"))
|
||||
(search-path %load-path "tests/keys/ed25519.pub"))
|
||||
(define %ed25519-secret-key-file
|
||||
(search-path %load-path "tests/ed25519.sec"))
|
||||
(define %ed25519bis-public-key-file
|
||||
(search-path %load-path "tests/ed25519bis.key"))
|
||||
(define %ed25519bis-secret-key-file
|
||||
(search-path %load-path "tests/ed25519bis.sec"))
|
||||
(search-path %load-path "tests/keys/ed25519.sec"))
|
||||
(define %ed25519-2-public-key-file
|
||||
(search-path %load-path "tests/keys/ed25519-2.pub"))
|
||||
(define %ed25519-2-secret-key-file
|
||||
(search-path %load-path "tests/keys/ed25519-2.sec"))
|
||||
(define %ed25519-3-public-key-file
|
||||
(search-path %load-path "tests/keys/ed25519-3.pub"))
|
||||
(define %ed25519-3-secret-key-file
|
||||
(search-path %load-path "tests/keys/ed25519-3.sec"))
|
||||
|
||||
(define (read-openpgp-packet file)
|
||||
(get-openpgp-packet
|
||||
|
|
|
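Review bot: The new `%ed25519-3-public-key-file` and `%ed25519-3-secret-key-file` definitions, like the renamed `-2` pair, are exported with no comment saying what the key material is, and `search-path` yields `#f` when the file is not on `%load-path` (if I recall Guile's semantics correctly), so a misspelled or undistributed key file only surfaces later, wherever that `#f` is eventually opened. Add above the definitions `;; Test-only OpenPGP key pairs under tests/keys/.  The secret halves are committed unprotected; never use them outside the test suite.` and, if a load-time error is acceptable for this test-support module, fail early with `(or (search-path %load-path "tests/keys/ed25519-3.sec") (error "test key not found: ed25519-3.sec"))`. The export list in the first hunk and the definitions in the second are each cut at the hunk edge.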
@ -480,8 +480,8 @@ (define (find-commit* message)
|
|||
#t
|
||||
(with-fresh-gnupg-setup (list %ed25519-public-key-file
|
||||
%ed25519-secret-key-file
|
||||
%ed25519bis-public-key-file
|
||||
%ed25519bis-secret-key-file)
|
||||
%ed25519-2-public-key-file
|
||||
%ed25519-2-secret-key-file)
|
||||
(with-temporary-git-repository directory
|
||||
`((add ".guix-channel"
|
||||
,(object->string
|
||||
|
@ -507,7 +507,7 @@ (define (find-commit* message)
|
|||
(commit-id-string commit1)
|
||||
(openpgp-public-key-fingerprint
|
||||
(read-openpgp-packet
|
||||
%ed25519bis-public-key-file)))) ;different key
|
||||
%ed25519-2-public-key-file)))) ;different key
|
||||
(channel (channel (name 'example)
|
||||
(url (string-append "file://" directory))
|
||||
(introduction intro))))
|
||||
|
@ -519,7 +519,7 @@ (define (find-commit* message)
|
|||
(oid->string (commit-id commit1))
|
||||
(key-fingerprint %ed25519-public-key-file)
|
||||
(key-fingerprint
|
||||
%ed25519bis-public-key-file))))))
|
||||
%ed25519-2-public-key-file))))))
|
||||
(authenticate-channel channel directory
|
||||
(commit-id-string commit2)
|
||||
#:keyring-reference-prefix "")
|
||||
|
@ -530,8 +530,8 @@ (define (find-commit* message)
|
|||
#t
|
||||
(with-fresh-gnupg-setup (list %ed25519-public-key-file
|
||||
%ed25519-secret-key-file
|
||||
%ed25519bis-public-key-file
|
||||
%ed25519bis-secret-key-file)
|
||||
%ed25519-2-public-key-file
|
||||
%ed25519-2-secret-key-file)
|
||||
(with-temporary-git-repository directory
|
||||
`((add ".guix-channel"
|
||||
,(object->string
|
||||
|
@ -552,12 +552,12 @@ (define (find-commit* message)
|
|||
(signer ,(key-fingerprint %ed25519-public-key-file)))
|
||||
(add "c.txt" "C")
|
||||
(commit "third commit"
|
||||
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
|
||||
(signer ,(key-fingerprint %ed25519-2-public-key-file)))
|
||||
(branch "channel-keyring")
|
||||
(checkout "channel-keyring")
|
||||
(add "signer.key" ,(call-with-input-file %ed25519-public-key-file
|
||||
get-string-all))
|
||||
(add "other.key" ,(call-with-input-file %ed25519bis-public-key-file
|
||||
(add "other.key" ,(call-with-input-file %ed25519-2-public-key-file
|
||||
get-string-all))
|
||||
(commit "keyring commit")
|
||||
(checkout "master"))
|
||||
|
@ -588,7 +588,7 @@ (define (find-commit* message)
|
|||
(unauthorized-commit-error-signing-key c))
|
||||
(openpgp-public-key-fingerprint
|
||||
(read-openpgp-packet
|
||||
%ed25519bis-public-key-file))))))
|
||||
%ed25519-2-public-key-file))))))
|
||||
(authenticate-channel channel directory
|
||||
(commit-id-string commit3)
|
||||
#:keyring-reference-prefix "")
|
||||
|
|
|
@ -161,14 +161,14 @@ (define (gpg+git-available?)
|
|||
(test-assert "signed commits, .guix-authorizations, unauthorized merge"
|
||||
(with-fresh-gnupg-setup (list %ed25519-public-key-file
|
||||
%ed25519-secret-key-file
|
||||
%ed25519bis-public-key-file
|
||||
%ed25519bis-secret-key-file)
|
||||
%ed25519-2-public-key-file
|
||||
%ed25519-2-secret-key-file)
|
||||
(with-temporary-git-repository directory
|
||||
`((add "signer1.key"
|
||||
,(call-with-input-file %ed25519-public-key-file
|
||||
get-string-all))
|
||||
(add "signer2.key"
|
||||
,(call-with-input-file %ed25519bis-public-key-file
|
||||
,(call-with-input-file %ed25519-2-public-key-file
|
||||
get-string-all))
|
||||
(add ".guix-authorizations"
|
||||
,(object->string
|
||||
|
@ -184,7 +184,7 @@ (define (gpg+git-available?)
|
|||
(checkout "devel")
|
||||
(add "devel/1.txt" "1")
|
||||
(commit "first devel commit"
|
||||
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
|
||||
(signer ,(key-fingerprint %ed25519-2-public-key-file)))
|
||||
(checkout "master")
|
||||
(add "b.txt" "B")
|
||||
(commit "second commit"
|
||||
|
@ -203,7 +203,7 @@ (define (correct? c commit)
|
|||
(openpgp-public-key-fingerprint
|
||||
(unauthorized-commit-error-signing-key c))
|
||||
(openpgp-public-key-fingerprint
|
||||
(read-openpgp-packet %ed25519bis-public-key-file)))))
|
||||
(read-openpgp-packet %ed25519-2-public-key-file)))))
|
||||
|
||||
(and (authenticate-commits repository (list master1 master2)
|
||||
#:keyring-reference "master")
|
||||
|
@ -230,14 +230,14 @@ (define (correct? c commit)
|
|||
(test-assert "signed commits, .guix-authorizations, authorized merge"
|
||||
(with-fresh-gnupg-setup (list %ed25519-public-key-file
|
||||
%ed25519-secret-key-file
|
||||
%ed25519bis-public-key-file
|
||||
%ed25519bis-secret-key-file)
|
||||
%ed25519-2-public-key-file
|
||||
%ed25519-2-secret-key-file)
|
||||
(with-temporary-git-repository directory
|
||||
`((add "signer1.key"
|
||||
,(call-with-input-file %ed25519-public-key-file
|
||||
get-string-all))
|
||||
(add "signer2.key"
|
||||
,(call-with-input-file %ed25519bis-public-key-file
|
||||
,(call-with-input-file %ed25519-2-public-key-file
|
||||
get-string-all))
|
||||
(add ".guix-authorizations"
|
||||
,(object->string
|
||||
|
@ -258,12 +258,12 @@ (define (correct? c commit)
|
|||
%ed25519-public-key-file)
|
||||
(name "Alice"))
|
||||
(,(key-fingerprint
|
||||
%ed25519bis-public-key-file))))))
|
||||
%ed25519-2-public-key-file))))))
|
||||
(commit "first devel commit"
|
||||
(signer ,(key-fingerprint %ed25519-public-key-file)))
|
||||
(add "devel/2.txt" "2")
|
||||
(commit "second devel commit"
|
||||
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
|
||||
(signer ,(key-fingerprint %ed25519-2-public-key-file)))
|
||||
(checkout "master")
|
||||
(add "b.txt" "B")
|
||||
(commit "second commit"
|
||||
|
@ -273,7 +273,7 @@ (define (correct? c commit)
|
|||
;; After the merge, the second signer is authorized.
|
||||
(add "c.txt" "C")
|
||||
(commit "third commit"
|
||||
(signer ,(key-fingerprint %ed25519bis-public-key-file))))
|
||||
(signer ,(key-fingerprint %ed25519-2-public-key-file))))
|
||||
(with-repository directory repository
|
||||
(let ((master1 (find-commit repository "first commit"))
|
||||
(master2 (find-commit repository "second commit"))
|
||||
|
@ -328,4 +328,3 @@ (define (correct? c commit)
|
|||
'failed)))))))
|
||||
|
||||
(test-end "git-authenticate")
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ rm -f "$sig" "$hash"
|
|||
|
||||
trap 'rm -f "$sig" "$hash"' EXIT
|
||||
|
||||
key="$abs_top_srcdir/tests/signing-key.sec"
|
||||
key="$abs_top_srcdir/tests/keys/signing-key.sec"
|
||||
key_len="`echo -n $key | wc -c`"
|
||||
|
||||
# A hexadecimal string as long as a sha256 hash.
|
||||
|
@ -67,7 +67,7 @@ test "$code" -ne 0
|
|||
# encoded independently of the current locale: <https://bugs.gnu.org/43421>.
|
||||
hash="636166e9636166e9636166e9636166e9636166e9636166e9636166e9636166e9"
|
||||
latin1_cafe="caf$(printf '\351')"
|
||||
echo "sign 21:tests/signing-key.sec 64:$hash" | guix authenticate \
|
||||
echo "sign 26:tests/keys/signing-key.sec 64:$hash" | guix authenticate \
|
||||
| LC_ALL=C grep "hash sha256 \"$latin1_cafe"
|
||||
|
||||
# Test for <http://bugs.gnu.org/17312>: make sure 'guix authenticate' produces
|
||||
|
|
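Review bot: The netstring length on the new `sign 26:tests/keys/signing-key.sec` line is hand-counted (it is correct: 26 bytes), while the script already derives `key_len` from `echo -n $key | wc -c` a few lines above; a future path change that updates one place and not the other would silently send a malformed request to `guix authenticate`. Derive it instead: `rel_key="tests/keys/signing-key.sec"` followed by `echo "sign ${#rel_key}:$rel_key 64:$hash" | guix authenticate \`. The same POSIX `${#key}` form would also replace the unquoted, non-portable `echo -n $key | wc -c` used for `key_len`.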
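--- /dev/null
+++ b/tests/keys/ed25519-3.pub
@@ -0,0 +1,9 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYVH/7xYJKwYBBAHaRw8BAQdALMLeUhjEG2/UPCJj2j/debFwwAK5gT3G0l5d
+ILfFldm0FTxleGFtcGxlQGV4YW1wbGUuY29tPoiWBBMWCAA+FiEEjO6M85jMSK68
+7tINGBzA7NyoagkFAmFR/+8CGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
+F4AACgkQGBzA7Nyoagl3lgEAw6yqIlX11lTqwxBGhZk/Oy34O13cbJSZCGv+m0ja
++hcA/3DCNOmT+oXjgO/w6enQZUQ1m/d6dUjCc2wOLlLz+ZoG
+=+r3i
+-----END PGP PUBLIC KEY BLOCK-----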
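Review bot: This key's self-signature carries a key-expiration subpacket: right after the key-flags subpacket the hashed area decodes as `05 09 03 C2 67 00`, i.e. subpacket type 9 with value 63072000 seconds (730 days) from the creation time `0x6151FFEF` (2021-09-27), so the key expired around 2023-09-27. That is presumably GnuPG's default expiry when `--quick-gen-key` is given no expire argument, as in the recipe documented in tests/openpgp.scm. Whether the Guix OpenPGP verifier or the gpg-backed channel tests reject expired keys is not visible on this page, but a fixture with a built-in expiry is a latent test failure; regenerate it with an explicit no-expiry argument, `gpg --batch --passphrase '' --quick-gen-key '<example@example.com>' ed25519 default never`, or at least record the expiry date next to the test-key definitions.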
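--- /dev/null
+++ b/tests/keys/ed25519-3.sec
@@ -0,0 +1,10 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lFgEYVH/7xYJKwYBBAHaRw8BAQdALMLeUhjEG2/UPCJj2j/debFwwAK5gT3G0l5d
+ILfFldkAAP92goSbbzQ0ttElr9lr5Cm6rmQtqUZ2Cu/Jk9fvfZROwxI0tBU8ZXhh
+bXBsZUBleGFtcGxlLmNvbT6IlgQTFggAPhYhBIzujPOYzEiuvO7SDRgcwOzcqGoJ
+BQJhUf/vAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBgcwOzc
+qGoJd5YBAMOsqiJV9dZU6sMQRoWZPzst+Dtd3GyUmQhr/ptI2voXAP9wwjTpk/qF
+44Dv8Onp0GVENZv3enVIwnNsDi5S8/maBg==
+=EmOt
+-----END PGP PRIVATE KEY BLOCK-----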
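Review bot: The committed secret key is unprotected: in the first packet the byte immediately following the public-key material decodes as `00` (S2K usage 0, no passphrase), matching `--passphrase ''` in the generation recipe, and nothing in the file itself marks it as a fixture. That is fine for a test key, but anyone finding this in a checkout or a distributed tarball sees a bare private key; add an armor header above the blank line, `Comment: Test-only key for the Guix test suite; the secret key is intentionally public`, provided `read-radix-64` and gpg import tolerate armor headers (RFC 4880 permits `Comment:`), or say the same in a `tests/keys/README`.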
|
@ -59,18 +59,22 @@ (define %binary-sample
|
|||
(define %civodul-fingerprint
|
||||
"3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5")
|
||||
|
||||
(define %civodul-key-id #x090B11993D9AEBB5) ;civodul.key
|
||||
(define %civodul-key-id #x090B11993D9AEBB5) ;civodul.pub
|
||||
|
||||
;; Test keys. They were generated in a container along these lines:
|
||||
;; guix environment -CP --ad-hoc gnupg pinentry
|
||||
;; then, within the container:
|
||||
;; mkdir ~/.gnupg
|
||||
;; echo pinentry-program ~/.guix-profile/bin/pinentry-tty > ~/.gnupg/gpg-agent.conf
|
||||
;; gpg --quick-gen-key '<ludo+test-rsa@chbouib.org>' rsa
|
||||
;; or similar.
|
||||
(define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.key
|
||||
(define %dsa-key-id #x587918047BE8BD2C) ;dsa.key
|
||||
(define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.key
|
||||
#|
|
||||
Test keys in ./tests/keys. They were generated in a container along these lines:
|
||||
guix environment -CP --ad-hoc gnupg pinentry coreutils
|
||||
then, within the container:
|
||||
mkdir ~/.gnupg && chmod -R og-rwx ~/.gnupg
|
||||
gpg --batch --passphrase '' --quick-gen-key '<example@example.com>' ed25519
|
||||
gpg --armor --export example@example.com
|
||||
gpg --armor --export-secret-key example@example.com
|
||||
# echo pinentry-program ~/.guix-profile/bin/pinentry-curses > ~/.gnupg/gpg-agent.conf
|
||||
or similar.
|
||||
|#
|
||||
(define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.pub
|
||||
(define %dsa-key-id #x587918047BE8BD2C) ;dsa.pub
|
||||
(define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.pub
|
||||
|
||||
(define %rsa-key-fingerprint
|
||||
(base16-string->bytevector
|
||||
|
@ -168,7 +172,7 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
|
|||
(not (port-ascii-armored? (open-bytevector-input-port %binary-sample))))
|
||||
|
||||
(test-assert "get-openpgp-keyring"
|
||||
(let* ((key (search-path %load-path "tests/civodul.key"))
|
||||
(let* ((key (search-path %load-path "tests/keys/civodul.pub"))
|
||||
(keyring (get-openpgp-keyring
|
||||
(open-bytevector-input-port
|
||||
(call-with-input-file key read-radix-64)))))
|
||||
|
@ -228,8 +232,10 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
|
|||
(verify-openpgp-signature signature keyring
|
||||
(open-input-string "Hello!\n"))))
|
||||
(list status (openpgp-public-key-id key)))))
|
||||
(list "tests/rsa.key" "tests/dsa.key"
|
||||
"tests/ed25519.key" "tests/ed25519.key" "tests/ed25519.key")
|
||||
(list "tests/keys/rsa.pub" "tests/keys/dsa.pub"
|
||||
"tests/keys/ed25519.pub"
|
||||
"tests/keys/ed25519.pub"
|
||||
"tests/keys/ed25519.pub")
|
||||
(list %hello-signature/rsa %hello-signature/dsa
|
||||
%hello-signature/ed25519/sha256
|
||||
%hello-signature/ed25519/sha512
|
||||
|
@ -248,9 +254,9 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
|
|||
(call-with-input-file key read-radix-64))
|
||||
keyring)))
|
||||
%empty-keyring
|
||||
'("tests/rsa.key" "tests/dsa.key"
|
||||
"tests/ed25519.key" "tests/ed25519.key"
|
||||
"tests/ed25519.key"))))
|
||||
'("tests/keys/rsa.pub" "tests/keys/dsa.pub"
|
||||
"tests/keys/ed25519.pub" "tests/keys/ed25519.pub"
|
||||
"tests/keys/ed25519.pub"))))
|
||||
(map (lambda (signature)
|
||||
(let ((signature (string->openpgp-packet signature)))
|
||||
(let-values (((status key)
|
||||
|
|
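Review bot: The new `#| ... |#` block documents the key-generation recipe, but the `--quick-gen-key` invocation passes no expire argument and the block does not say that the resulting secret keys are exported unprotected into the repository. Since the ed25519-3 key added in this same commit carries a two-year key-expiration subpacket, following the recipe as written produces fixtures that expire; extend the line to `gpg --batch --passphrase '' --quick-gen-key '<example@example.com>' ed25519 default never` and add to the block `These are test-only keys: the secret keys are committed unprotected and must never be used for anything else.` The `%rsa-key-id`/`%dsa-key-id`/`%ed25519-key-id` comment updates below it are consistent with the new `.pub` names.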