From d785e7e48375288f3d212da146c036f47b30e29a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Piotr=20W=C3=B3jcik?= Date: Sat, 2 Nov 2019 11:06:55 +0100 Subject: [PATCH] Tests for signing metadata --- tests/xbps/xbps-rindex/Kyuafile | 1 + tests/xbps/xbps-rindex/Makefile | 2 +- ...:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist | 12 +++ tests/xbps/xbps-rindex/data/id_xbps | 51 +++++++++++ tests/xbps/xbps-rindex/sign_test.sh | 85 +++++++++++++++++++ 5 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 tests/xbps/xbps-rindex/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist create mode 100644 tests/xbps/xbps-rindex/data/id_xbps create mode 100644 tests/xbps/xbps-rindex/sign_test.sh diff --git a/tests/xbps/xbps-rindex/Kyuafile b/tests/xbps/xbps-rindex/Kyuafile index 149df6f4..170fd42b 100644 --- a/tests/xbps/xbps-rindex/Kyuafile +++ b/tests/xbps/xbps-rindex/Kyuafile @@ -4,3 +4,4 @@ test_suite("xbps-rindex") atf_test_program{name="add_test"} atf_test_program{name="clean_test"} atf_test_program{name="remove_test"} +atf_test_program{name="sign_test"} diff --git a/tests/xbps/xbps-rindex/Makefile b/tests/xbps/xbps-rindex/Makefile index ca28e3ad..69e0f6fd 100644 --- a/tests/xbps/xbps-rindex/Makefile +++ b/tests/xbps/xbps-rindex/Makefile @@ -1,7 +1,7 @@ TOPDIR = ../../.. -include $(TOPDIR)/config.mk -TESTSHELL = add_test clean_test remove_test +TESTSHELL = add_test clean_test remove_test sign_test TESTSSUBDIR = xbps/xbps-rindex EXTRA_FILES = Kyuafile diff --git a/tests/xbps/xbps-rindex/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist b/tests/xbps/xbps-rindex/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist new file mode 100644 index 00000000..4ca463c0 --- /dev/null +++ b/tests/xbps/xbps-rindex/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist @@ -0,0 +1,12 @@ + + + + + public-key + 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 + public-key-size + 4096 + signature-by + Void Linux + + 
diff --git a/tests/xbps/xbps-rindex/data/id_xbps b/tests/xbps/xbps-rindex/data/id_xbps
new file mode 100644
index 00000000..35a41717
--- /dev/null
+++ b/tests/xbps/xbps-rindex/data/id_xbps
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAtZTY3viOY6kRKE9WVtNwULUiNeue+73WhKhD4kCDZ7h7KRLF +lgogjwtwQmcyP4bxuWT6cJG2ETCHMmHAEhvjiZ6K8wx0ItbgW121/rYinGSN2Pmt +fQbKWT2yAvhBUQMRFnvb3VOPdF+JIn9rEVHU1RLDGG6xuK0Rf0bk45FJxMEuaEML +D48rFaILSBXFb4B0VWMo65azlevBzB6LvJboL9J60DHC7ckpQM0u9tdXk7rTT0Bx +7dScDyiXFAragg16A96nr21543vLVg541A2AHaxbdgQD634g7eYsP8Tl+W59wOKO +BMKugfkb0tdB0nr61x0uKw9xtjM9a1pKESfFxxLdTznGoX4VbU6gbKU+HoP2UdId +VpP6Nf+xtxmJGLcbx1kMHAZNd/1LAkG9dmD2UudCr9AXHDA1bPaK7y9lO9l+d7oB +dkIMNTen3kEKKfDAZZOSN6hGSks9NI7vk9C9aheXEzaMej1dtlCA33V7vXw+6liG +lp5XcS4nrhf870oV8W2KEHmZ3y6jc0F00Q0wUtZDC7DjNZRpI+BXTIvF/XAqZPzQ +UbGp4qYmlWlEmjAbJ9v+AFH12CeOZLMJIeHTIyc554KLef+swl4x+PEYQoHQD+51 +ZzZh7NuoZwHCdVsrnPLw4VvpGQtInyBYtCInmoECahX8e8/2wf4fEUGBQPkCAwEA +AQKCAgBMXBP3cD8w2eBFO1frm28YAZQpaLSq2OJlVv11H/wimgnw89vzhL68aOsE +gbE31d/BPx2ySRRvliDEpybGdsPxE6MLIqmUHRisU3Q9cQqNChw8qoKymTBu5ur9 +JLkTAF8nPV7wbDtfjO12fG7iEa+XCxTQKXzDVMSO6ZlHuclz3GlPnyH/oQ1VQ5fK +8Jzejv5dCh4jNHTBDyuoUxAgdrWdpr3O355BsN6QSbj+RQCnN2G1ajx+73HRThh6 +bTYGivRMvE14EGm5qE2SGvPk+OhvkhPERVwApEHkyW7CQmMTyctIWf2vMs+ACOoS +eENN6DmkTLklkpEXNeUWSBntrPQWVfN2vRJJ6qxxl7Ma8Au16BZycauq4iSVp1BC +ZFk99qTbi77qNW+ryP/RKSn07k8l2oN4NyF185pCAPrwTYHdXRS6O0bC1ysTT7zI +Md1eshoyl7uFI5AaVxOntA+5f8Uw9ZT3y9gz5ZU9k+mDhhw4+MJb3yilN++Y1saT +ZywWf9e8vMTpJ72r22ha60g4W3yLrKgtM1QMvsrlonJe9NZXIJIXruzMwabWPAP6 +UeSVU8aVR9PAVWcy4eDdRsMYPRUoVhxQyGfWuOxLSd2SyiyWHWa5jUq4woNQvdS5 +n5TGsJmHs0MLxBJUxvS6J3juWvxrYHLFNKp6zcztNWbyFJfegQKCAQEA4J6r0M3w +RfxWOYCLlCLEICVB/GKXlu9dZhaE0nmvMIYCjpUPyLRBxgCdHvhxQ8sva6tOVAUF +lqmmVCw8ugUhCfB7NP1i3BB6hnsafFml9Wf36Ie2IuivcG1ij2q8tErC88cz3Mhh +WjubXQLXhRua7Gr6Wj6AO1LO3JsLOVw3nRHtFEXEVkNoodyO3k7ljKfttXapEXRi +RGIxlfTStYOQXYC5RF6gQsryK7sZpHHi8atGJpH00hWkbLmTSgxctv/qZvTHlo7D +NlSYMBGj+tHWS4+kWjRkGpowQwKsBk9MHO1wwgJX+pL0wlQsCY2WA0bsi0ocUzE+ +/lVAOou+5gOMNQKCAQEAzvLyUqsyGhd9cawBI8V4FDCHBynfVXoXSC5jzMkXyP4U +mEhTUMDO1/2vvAsc0Qlc6NDMK6apigNdKE5WPCLYnBy+UlOuDtYa5e88dhduNrYX 
+JxU8WKgCYIPi3ofC1DrpxU7kxIzjCFouL9dIhLOrLDiC0SIS9o3g5zdhuFzRuOv4 +3O4Kxpvo+muUeDkh7/QBK1CRCMsxXQjpZeEplr/AT5YM6MdWyd4yg4odagaXgosk +028XFMxuy/ZXBiadx/EeVybQ9cpW6zO2pPDg5CYrUf+0ltCsMNi5Pd0FxeMDvZvz +JoC28NkRsgQeaQbPKpfLyZi+WMFu+dXeL0mJPXOSNQKCAQEAzHI/ys8XSmwyAyao +ZM38G5It7E3E0mHObjRC8txFA/KF80dj1XeUgmdem6jgVydiYyrKIZlsi8Sgmu6k +21/9wXE8g2+6grkQ/MShx9tFPghC0khsFHwb60X0trsdRTDjH0YKQ4OzcJDeiZsj +lYkZyuRYOLm4t8ZYeN06KxxvliyR0Kjr2uSCIQmClH/VWeAjcc6udi+rnbiOj4IG +I6a7SQ/4EW3bis/z+q/S2CW8veD5+fNRlcKTJU8H7BcycHKg5NMZs0UAE7yNxPrZ +eVtzJNV6b4xOLRR4pxWQhDG7An1v63Z8o5sM4rAAYTWY/CSa+vEatPIW9yGbU26M +9Aj4nQKCAQEAgI7big9faGX/P4Yijx40ohYjS4fvfSIDJIvs42JorCtqj88eMqQT +2ol1idM9a33tgZNzwgoed+XvEQLY/zKGbTRN5sak8gJ/Yydi39leVg54A4dlnY2B +LIPBg4vCtCSE5FVGN/NtddrPpliObCFQzH+uhEwui4tHk1sMEYNXpRCx4Ezf1NE1 +wZri+GxFcNKbh1TdRCE14R2QIAHn3AXyaX5FNrXebDjkGGLMMvk1VZsqnU39gKYe +jgXRubhze6mFt44dcRLpO+M8KuqYSiKL9rxqauXmkdGQAaYz1+JWiItAWULMYoH2 +RCfa3FOmjkcOCYYhePFxBzKce7Oq1cndoQKCAQAT4a/uLfmVvZwPOf4vYhm+tqEk +dwibC7bHT/gEtZEAcIvDuNEeRp62dCQlqs4g9pXU/Cj7BTIS7QtQ2WM+dBhcf9Mm +3UX5msEVwaGuSBvLf6aZ/FZAqT6mnX+JYN7Er+zWbMVYkS2So0XVf+LRcKhJYR/b +NJ29CPY8hvSS5IoCeoxiUBIWRWETv4dLSxM0ND012+PxsY0eYV/4jM5T0JpCrvZi +ugb+FxtJgO5IdVg4faWCRcUYrODh1aqrS0et+LkuccvEqsw1gWbeQUMGtMN0FNs4 +cYAo45EPUFXEGwzeJlqjeXt6aX7t9hm/BxJ9hzW0EP2fkYokSmu2ohVqb8XF +-----END RSA PRIVATE KEY----- diff --git a/tests/xbps/xbps-rindex/sign_test.sh b/tests/xbps/xbps-rindex/sign_test.sh new file mode 100644 index 00000000..4cee5cd2 --- /dev/null +++ b/tests/xbps/xbps-rindex/sign_test.sh 
@@ -0,0 +1,85 @@
+#! /usr/bin/env atf-sh
+# Test that xbps-rindex(1) signing repo metadata works as expected.
+
+get_resources() {
+ mkdir -p root/var/db/xbps/keys
+ mkdir -p /var/db/xbps/keys
+ cp $(atf_get_srcdir)/data/id_xbps .
+ cp $(atf_get_srcdir)/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist root/var/db/xbps/keys
+ cp $(atf_get_srcdir)/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist /var/db/xbps/keys
+}
+
+atf_test_case sign
+
+sign_head() {
+ atf_set "descr" "xbps-rindex(1) signing test"
+}
+
+sign_body() {
+ get_resources
+ # make pkg
+ mkdir -p some_repo pkg_A
+ touch pkg_A/file00
+ cd some_repo
+ xbps-create -A noarch -n foo-1.0_1 -s "foo pkg" ../pkg_A
+ atf_check_equal $? 0
+ # make repodata
+ xbps-rindex -a $PWD/*.xbps
+ atf_check_equal $? 0
+ repodata=$(ls *-repodata)
+ atf_check_equal $(tar tf $repodata | wc -l) 2
+ # sign repodata
+ xbps-rindex -s $PWD --signedby test --privkey ../id_xbps
+ atf_check_equal $? 0
+ atf_check_equal $(tar tf $repodata | wc -l) 3
+ # update pkg
+ xbps-create -A noarch -n foo-1.1_1 -s "foo pkg" ../pkg_A
+ atf_check_equal $? 0
+ # update repodata
+ xbps-rindex -a $PWD/*.xbps --privkey ../id_xbps
+ atf_check_equal $? 0
+ atf_check_equal $(tar tf $repodata | wc -l) 3
+}
+
+atf_test_case verify
+
+verify_head() {
+ atf_set "descr" "xbps-rindex(1) verifying test"
+}
+
+verify_body() {
+ get_resources
+ # make pkg
+ mkdir -p some_repo pkg_A
+ touch pkg_A/file00
+ cd some_repo
+ xbps-create -A noarch -n foo-1.0_1 -s "foo pkg" ../pkg_A
+ atf_check_equal $? 0
+ # make repodata
+ xbps-rindex -a $PWD/*.xbps
+ atf_check_equal $? 0
+ repodata=$(ls *-repodata)
+ # sign repodata
+ xbps-rindex -s $PWD --signedby test --privkey ../id_xbps
+ atf_check_equal $? 0
+ # verify signature
+ xbps-install -nid --repository=$PWD foo 2>&1 | grep -q "some_repo/$repodata' signature passed."
+ atf_check_equal $? 0
+ # modify what is signed
+ tar tf $repodata
+ mkdir repodata
+ cd repodata
+ tar xf ../$repodata
+ sed -i -e 's:string>test<:string>stranger<:' index-meta.plist
+ tar cf ../$repodata index.plist index-meta.plist index-meta.plist.sig
+ atf_check_equal $? 0
+ cd ..
+ # verify wrong signature
+ xbps-install -nid --repository=$PWD foo 2>&1 | grep -q "some_repo/$repodata' signature failed. Taking safe part."
+ atf_check_equal $? 0
+}
+
+atf_init_test_cases() {
+ atf_add_test_case sign
+ atf_add_test_case verify
+}
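Review bot: `get_resources` writes outside the test sandbox: `mkdir -p /var/db/xbps/keys` and the second `cp … /var/db/xbps/keys` put the fixture public key into the host's xbps key directory, while what is presumably the matching private key is published in this same patch as `data/id_xbps`. If that directory is where xbps looks up accepted repository keys, a machine that has run the suite would keep accepting repodata signed with a key anyone can obtain. The test also needs write access to /var and leaves the file behind afterwards. The host copy seems to be needed only because both `xbps-install -nid --repository=$PWD foo` calls in `verify_body` run without a root directory; passing the sandbox root, e.g. `xbps-install -r ../root -nid --repository=$PWD foo`, and deleting the two host-path lines would keep everything under the ATF work directory. A comment above `get_resources` such as `# id_xbps is a public, test-only key: never install it outside the test rootdir` would also make the fixture's status explicit.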