From 2b7bb0c6b7aa4f7a43c82db1cf9a18d27600c62e Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Sun, 18 Dec 2011 14:16:30 +0100 Subject: Validate package signatures on db-update --- test/lib/common.inc | 29 +++++++++++++++++++++++++---- test/test.d/signed-packages.sh | 20 +++++++++++++++++++- 2 files changed, 44 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/test/lib/common.inc b/test/lib/common.inc index a2dee10..e0e7048 100644 --- a/test/lib/common.inc +++ b/test/lib/common.inc @@ -3,6 +3,21 @@ set -E . "$(dirname ${BASH_SOURCE[0]})/../../config" . "$(dirname ${BASH_SOURCE[0]})/../../db-functions" +signpkg() { + if [[ -r '/etc/makepkg.conf' ]]; then + source '/etc/makepkg.conf' + else + die '/etc/makepkg.conf not found!' + fi + if [[ -r ~/.makepkg.conf ]]; then + . ~/.makepkg.conf + fi + if [[ -n $GPGKEY ]]; then + SIGNWITHKEY="-u ${GPGKEY}" + fi + gpg --detach-sign --use-agent ${SIGNWITHKEY} ${@} || die +} + oneTimeSetUp() { local p local d @@ -110,18 +125,24 @@ releasePackage() { local repo=$1 local pkgbase=$2 local arch=$3 + local a + local p + local pkgver + local pkgname pushd "${TMP}/svn-packages-copy"/${pkgbase}/trunk/ >/dev/null archrelease ${repo}-${arch} >/dev/null 2&>1 pkgver=$(. PKGBUILD; echo $(get_full_version ${epoch:-0} ${pkgver} ${pkgrel})) + pkgname=($(. PKGBUILD; echo ${pkgname[@]})) popd >/dev/null cp "${pkgdir}/${pkgbase}"/*-${pkgver}-${arch}${PKGEXT} "${STAGING}"/${repo}/ if ${REQUIRE_SIGNATURE}; then - # TODO: really sign the packages with a valid key - find "${STAGING}"/${repo}/ -type f \ - -name "*-${pkgver}-${arch}${PKGEXT}" \ - -exec touch {}.sig \; + for a in ${arch[@]}; do + for p in ${pkgname[@]}; do + signpkg "${STAGING}"/${repo}/${p}-${pkgver}-${a}${PKGEXT} + done + done fi } diff --git a/test/test.d/signed-packages.sh b/test/test.d/signed-packages.sh index 5d6f4ff..20ad844 100755 --- a/test/test.d/signed-packages.sh +++ b/test/test.d/signed-packages.sh @@ -5,9 +5,27 @@ curdir=$(readlink -e $(dirname $0)) testAddUnsignedPackage() { releasePackage extra 'pkg-simple-a' 'i686' - # remove any signature rm "${STAGING}"/extra/*.sig ../db-update >/dev/null 2>&1 && fail "db-update should fail when a signature is missing!" } +testAddInvalidSignedPackage() { + local p + releasePackage extra 'pkg-simple-a' 'i686' + for p in "${STAGING}"/extra/*${PKGEXT}; do + unxz $p + xz -0 ${p%%.xz} + done + ../db-update >/dev/null 2>&1 && fail "db-update should fail when a signature is invalid!" +} + +testAddBrokenSignature() { + local s + releasePackage extra 'pkg-simple-a' 'i686' + for s in "${STAGING}"/extra/*.sig; do + echo 0 > $s + done + ../db-update >/dev/null 2>&1 && fail "db-update should fail when a signature is broken!" +} + . "${curdir}/../lib/shunit2" -- cgit v1.2.3-24-g4f1b