tests: Move keys into ./tests/keys/ and add a third ed25519 key.

The third key will be used in an upcoming commit.

Rename public keys to .pub.

* guix/tests/gnupg.scm (%ed25519-3-public-key-file): New variable.
(%ed25519-3-secret-key-file): New variable.
(%ed25519-2-public-key-file): Renamed from %ed25519bis-public-key-file.
(%ed25519-2-secret-key-file): Renamed from %ed25519bis-secret-key-file.
* tests/keys/ed25519-3.key: New file.
* tests/keys/ed25519-3.sec: New file.

Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
Attila Lendvai 2021-12-21 22:56:10 +01:00 committed by Mathieu Othacehe
parent 5b8ae331f7
commit 9ebc9ca070
No known key found for this signature in database
GPG key ID: 8354763531769CA6
18 changed files with 92 additions and 60 deletions


@ -653,16 +653,18 @@ EXTRA_DIST += \
build-aux/update-guix-package.scm \ build-aux/update-guix-package.scm \
build-aux/update-NEWS.scm \ build-aux/update-NEWS.scm \
tests/test.drv \ tests/test.drv \
tests/signing-key.pub \
tests/signing-key.sec \
tests/cve-sample.json \ tests/cve-sample.json \
tests/civodul.key \ tests/keys/signing-key.pub \
tests/rsa.key \ tests/keys/signing-key.sec \
tests/dsa.key \ tests/keys/civodul.pub \
tests/ed25519.key \ tests/keys/rsa.pub \
tests/ed25519.sec \ tests/keys/dsa.pub \
tests/ed25519bis.key \ tests/keys/ed25519.pub \
tests/ed25519bis.sec \ tests/keys/ed25519.sec \
tests/keys/ed25519-2.pub \
tests/keys/ed25519-2.sec \
tests/keys/ed25519-3.pub \
tests/keys/ed25519-3.sec \
build-aux/config.rpath \ build-aux/config.rpath \
bootstrap \ bootstrap \
doc/build.scm \ doc/build.scm \


@ -73,9 +73,9 @@ then
# Copy the keys so that the secret key has the right permissions (the # Copy the keys so that the secret key has the right permissions (the
# daemon errors out when this is not the case.) # daemon errors out when this is not the case.)
mkdir -p "$GUIX_CONFIGURATION_DIRECTORY" mkdir -p "$GUIX_CONFIGURATION_DIRECTORY"
cp "@abs_top_srcdir@/tests/signing-key.sec" \ cp "@abs_top_srcdir@/tests/keys/signing-key.sec" \
"@abs_top_srcdir@/tests/signing-key.pub" \ "@abs_top_srcdir@/tests/keys/signing-key.pub" \
"$GUIX_CONFIGURATION_DIRECTORY" "$GUIX_CONFIGURATION_DIRECTORY"
chmod 400 "$GUIX_CONFIGURATION_DIRECTORY/signing-key.sec" chmod 400 "$GUIX_CONFIGURATION_DIRECTORY/signing-key.sec"
fi fi


@ -28,8 +28,10 @@ (define-module (guix tests gnupg)
%ed25519-public-key-file %ed25519-public-key-file
%ed25519-secret-key-file %ed25519-secret-key-file
%ed25519bis-public-key-file %ed25519-2-public-key-file
%ed25519bis-secret-key-file %ed25519-2-secret-key-file
%ed25519-3-public-key-file
%ed25519-3-secret-key-file
read-openpgp-packet read-openpgp-packet
key-fingerprint key-fingerprint
@ -63,13 +65,17 @@ (define-syntax-rule (with-fresh-gnupg-setup imported exp ...)
(call-with-fresh-gnupg-setup imported (lambda () exp ...))) (call-with-fresh-gnupg-setup imported (lambda () exp ...)))
(define %ed25519-public-key-file (define %ed25519-public-key-file
(search-path %load-path "tests/ed25519.key")) (search-path %load-path "tests/keys/ed25519.pub"))
(define %ed25519-secret-key-file (define %ed25519-secret-key-file
(search-path %load-path "tests/ed25519.sec")) (search-path %load-path "tests/keys/ed25519.sec"))
(define %ed25519bis-public-key-file (define %ed25519-2-public-key-file
(search-path %load-path "tests/ed25519bis.key")) (search-path %load-path "tests/keys/ed25519-2.pub"))
(define %ed25519bis-secret-key-file (define %ed25519-2-secret-key-file
(search-path %load-path "tests/ed25519bis.sec")) (search-path %load-path "tests/keys/ed25519-2.sec"))
(define %ed25519-3-public-key-file
(search-path %load-path "tests/keys/ed25519-3.pub"))
(define %ed25519-3-secret-key-file
(search-path %load-path "tests/keys/ed25519-3.sec"))
(define (read-openpgp-packet file) (define (read-openpgp-packet file)
(get-openpgp-packet (get-openpgp-packet
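Review bot: The new `%ed25519-3-public-key-file` and `%ed25519-3-secret-key-file` definitions, like the renamed `%ed25519-2-*` ones above them, bind whatever `search-path` returns at module load, which is `#f` when the file is not on `%load-path`; a misplaced or mis-named key then surfaces only when a test opens the path, presumably as a wrong-type error from `call-with-input-file` rather than a message naming the missing file. Since the move to tests/keys/ is exactly the kind of change that triggers this, a short comment above `%ed25519-public-key-file` would help the next reader, e.g. `;; Test key pairs under tests/keys/.  Each binding is #f when the file is not on %load-path.` The `define-module` form of the first hunk begins outside the hunk.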


@ -480,8 +480,8 @@ (define (find-commit* message)
#t #t
(with-fresh-gnupg-setup (list %ed25519-public-key-file (with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file %ed25519-secret-key-file
%ed25519bis-public-key-file %ed25519-2-public-key-file
%ed25519bis-secret-key-file) %ed25519-2-secret-key-file)
(with-temporary-git-repository directory (with-temporary-git-repository directory
`((add ".guix-channel" `((add ".guix-channel"
,(object->string ,(object->string
@ -507,7 +507,7 @@ (define (find-commit* message)
(commit-id-string commit1) (commit-id-string commit1)
(openpgp-public-key-fingerprint (openpgp-public-key-fingerprint
(read-openpgp-packet (read-openpgp-packet
%ed25519bis-public-key-file)))) ;different key %ed25519-2-public-key-file)))) ;different key
(channel (channel (name 'example) (channel (channel (name 'example)
(url (string-append "file://" directory)) (url (string-append "file://" directory))
(introduction intro)))) (introduction intro))))
@ -519,7 +519,7 @@ (define (find-commit* message)
(oid->string (commit-id commit1)) (oid->string (commit-id commit1))
(key-fingerprint %ed25519-public-key-file) (key-fingerprint %ed25519-public-key-file)
(key-fingerprint (key-fingerprint
%ed25519bis-public-key-file)))))) %ed25519-2-public-key-file))))))
(authenticate-channel channel directory (authenticate-channel channel directory
(commit-id-string commit2) (commit-id-string commit2)
#:keyring-reference-prefix "") #:keyring-reference-prefix "")
@ -530,8 +530,8 @@ (define (find-commit* message)
#t #t
(with-fresh-gnupg-setup (list %ed25519-public-key-file (with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file %ed25519-secret-key-file
%ed25519bis-public-key-file %ed25519-2-public-key-file
%ed25519bis-secret-key-file) %ed25519-2-secret-key-file)
(with-temporary-git-repository directory (with-temporary-git-repository directory
`((add ".guix-channel" `((add ".guix-channel"
,(object->string ,(object->string
@ -552,12 +552,12 @@ (define (find-commit* message)
(signer ,(key-fingerprint %ed25519-public-key-file))) (signer ,(key-fingerprint %ed25519-public-key-file)))
(add "c.txt" "C") (add "c.txt" "C")
(commit "third commit" (commit "third commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file))) (signer ,(key-fingerprint %ed25519-2-public-key-file)))
(branch "channel-keyring") (branch "channel-keyring")
(checkout "channel-keyring") (checkout "channel-keyring")
(add "signer.key" ,(call-with-input-file %ed25519-public-key-file (add "signer.key" ,(call-with-input-file %ed25519-public-key-file
get-string-all)) get-string-all))
(add "other.key" ,(call-with-input-file %ed25519bis-public-key-file (add "other.key" ,(call-with-input-file %ed25519-2-public-key-file
get-string-all)) get-string-all))
(commit "keyring commit") (commit "keyring commit")
(checkout "master")) (checkout "master"))
@ -588,7 +588,7 @@ (define (find-commit* message)
(unauthorized-commit-error-signing-key c)) (unauthorized-commit-error-signing-key c))
(openpgp-public-key-fingerprint (openpgp-public-key-fingerprint
(read-openpgp-packet (read-openpgp-packet
%ed25519bis-public-key-file)))))) %ed25519-2-public-key-file))))))
(authenticate-channel channel directory (authenticate-channel channel directory
(commit-id-string commit3) (commit-id-string commit3)
#:keyring-reference-prefix "") #:keyring-reference-prefix "")


@ -161,14 +161,14 @@ (define (gpg+git-available?)
(test-assert "signed commits, .guix-authorizations, unauthorized merge" (test-assert "signed commits, .guix-authorizations, unauthorized merge"
(with-fresh-gnupg-setup (list %ed25519-public-key-file (with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file %ed25519-secret-key-file
%ed25519bis-public-key-file %ed25519-2-public-key-file
%ed25519bis-secret-key-file) %ed25519-2-secret-key-file)
(with-temporary-git-repository directory (with-temporary-git-repository directory
`((add "signer1.key" `((add "signer1.key"
,(call-with-input-file %ed25519-public-key-file ,(call-with-input-file %ed25519-public-key-file
get-string-all)) get-string-all))
(add "signer2.key" (add "signer2.key"
,(call-with-input-file %ed25519bis-public-key-file ,(call-with-input-file %ed25519-2-public-key-file
get-string-all)) get-string-all))
(add ".guix-authorizations" (add ".guix-authorizations"
,(object->string ,(object->string
@ -184,7 +184,7 @@ (define (gpg+git-available?)
(checkout "devel") (checkout "devel")
(add "devel/1.txt" "1") (add "devel/1.txt" "1")
(commit "first devel commit" (commit "first devel commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file))) (signer ,(key-fingerprint %ed25519-2-public-key-file)))
(checkout "master") (checkout "master")
(add "b.txt" "B") (add "b.txt" "B")
(commit "second commit" (commit "second commit"
@ -203,7 +203,7 @@ (define (correct? c commit)
(openpgp-public-key-fingerprint (openpgp-public-key-fingerprint
(unauthorized-commit-error-signing-key c)) (unauthorized-commit-error-signing-key c))
(openpgp-public-key-fingerprint (openpgp-public-key-fingerprint
(read-openpgp-packet %ed25519bis-public-key-file))))) (read-openpgp-packet %ed25519-2-public-key-file)))))
(and (authenticate-commits repository (list master1 master2) (and (authenticate-commits repository (list master1 master2)
#:keyring-reference "master") #:keyring-reference "master")
@ -230,14 +230,14 @@ (define (correct? c commit)
(test-assert "signed commits, .guix-authorizations, authorized merge" (test-assert "signed commits, .guix-authorizations, authorized merge"
(with-fresh-gnupg-setup (list %ed25519-public-key-file (with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file %ed25519-secret-key-file
%ed25519bis-public-key-file %ed25519-2-public-key-file
%ed25519bis-secret-key-file) %ed25519-2-secret-key-file)
(with-temporary-git-repository directory (with-temporary-git-repository directory
`((add "signer1.key" `((add "signer1.key"
,(call-with-input-file %ed25519-public-key-file ,(call-with-input-file %ed25519-public-key-file
get-string-all)) get-string-all))
(add "signer2.key" (add "signer2.key"
,(call-with-input-file %ed25519bis-public-key-file ,(call-with-input-file %ed25519-2-public-key-file
get-string-all)) get-string-all))
(add ".guix-authorizations" (add ".guix-authorizations"
,(object->string ,(object->string
@ -258,12 +258,12 @@ (define (correct? c commit)
%ed25519-public-key-file) %ed25519-public-key-file)
(name "Alice")) (name "Alice"))
(,(key-fingerprint (,(key-fingerprint
%ed25519bis-public-key-file)))))) %ed25519-2-public-key-file))))))
(commit "first devel commit" (commit "first devel commit"
(signer ,(key-fingerprint %ed25519-public-key-file))) (signer ,(key-fingerprint %ed25519-public-key-file)))
(add "devel/2.txt" "2") (add "devel/2.txt" "2")
(commit "second devel commit" (commit "second devel commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file))) (signer ,(key-fingerprint %ed25519-2-public-key-file)))
(checkout "master") (checkout "master")
(add "b.txt" "B") (add "b.txt" "B")
(commit "second commit" (commit "second commit"
@ -273,7 +273,7 @@ (define (correct? c commit)
;; After the merge, the second signer is authorized. ;; After the merge, the second signer is authorized.
(add "c.txt" "C") (add "c.txt" "C")
(commit "third commit" (commit "third commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file)))) (signer ,(key-fingerprint %ed25519-2-public-key-file))))
(with-repository directory repository (with-repository directory repository
(let ((master1 (find-commit repository "first commit")) (let ((master1 (find-commit repository "first commit"))
(master2 (find-commit repository "second commit")) (master2 (find-commit repository "second commit"))
@ -328,4 +328,3 @@ (define (correct? c commit)
'failed))))))) 'failed)))))))
(test-end "git-authenticate") (test-end "git-authenticate")


@ -28,7 +28,7 @@ rm -f "$sig" "$hash"
trap 'rm -f "$sig" "$hash"' EXIT trap 'rm -f "$sig" "$hash"' EXIT
key="$abs_top_srcdir/tests/signing-key.sec" key="$abs_top_srcdir/tests/keys/signing-key.sec"
key_len="`echo -n $key | wc -c`" key_len="`echo -n $key | wc -c`"
# A hexadecimal string as long as a sha256 hash. # A hexadecimal string as long as a sha256 hash.
@ -67,7 +67,7 @@ test "$code" -ne 0
# encoded independently of the current locale: <https://bugs.gnu.org/43421>. # encoded independently of the current locale: <https://bugs.gnu.org/43421>.
hash="636166e9636166e9636166e9636166e9636166e9636166e9636166e9636166e9" hash="636166e9636166e9636166e9636166e9636166e9636166e9636166e9636166e9"
latin1_cafe="caf$(printf '\351')" latin1_cafe="caf$(printf '\351')"
echo "sign 21:tests/signing-key.sec 64:$hash" | guix authenticate \ echo "sign 26:tests/keys/signing-key.sec 64:$hash" | guix authenticate \
| LC_ALL=C grep "hash sha256 \"$latin1_cafe" | LC_ALL=C grep "hash sha256 \"$latin1_cafe"
# Test for <http://bugs.gnu.org/17312>: make sure 'guix authenticate' produces # Test for <http://bugs.gnu.org/17312>: make sure 'guix authenticate' produces
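Review bot: The `26:` in `echo "sign 26:tests/keys/signing-key.sec 64:$hash"` is the byte length of the path that follows, hand-recounted after the move; it is correct here, but the first hunk already derives `key_len` from `$key` instead of hard-coding it, and the relative path deserves the same treatment so the next move cannot leave a stale prefix that makes the request unparsable. A plain-shell form avoids the `wc -c` padding issue as well: `rel_key="tests/keys/signing-key.sec"` and `echo "sign ${#rel_key}:$rel_key 64:$hash" | guix authenticate \` (`${#rel_key}` counts characters, which equals bytes for this ASCII path). The rest of the script lies outside both hunks.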

9
tests/keys/ed25519-3.pub Normal file

@ -0,0 +1,9 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYVH/7xYJKwYBBAHaRw8BAQdALMLeUhjEG2/UPCJj2j/debFwwAK5gT3G0l5d
ILfFldm0FTxleGFtcGxlQGV4YW1wbGUuY29tPoiWBBMWCAA+FiEEjO6M85jMSK68
7tINGBzA7NyoagkFAmFR/+8CGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AACgkQGBzA7Nyoagl3lgEAw6yqIlX11lTqwxBGhZk/Oy34O13cbJSZCGv+m0ja
+hcA/3DCNOmT+oXjgO/w6enQZUQ1m/d6dUjCc2wOLlLz+ZoG
=+r3i
-----END PGP PUBLIC KEY BLOCK-----

10
tests/keys/ed25519-3.sec Normal file

@ -0,0 +1,10 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
lFgEYVH/7xYJKwYBBAHaRw8BAQdALMLeUhjEG2/UPCJj2j/debFwwAK5gT3G0l5d
ILfFldkAAP92goSbbzQ0ttElr9lr5Cm6rmQtqUZ2Cu/Jk9fvfZROwxI0tBU8ZXhh
bXBsZUBleGFtcGxlLmNvbT6IlgQTFggAPhYhBIzujPOYzEiuvO7SDRgcwOzcqGoJ
BQJhUf/vAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBgcwOzc
qGoJd5YBAMOsqiJV9dZU6sMQRoWZPzst+Dtd3GyUmQhr/ptI2voXAP9wwjTpk/qF
44Dv8Onp0GVENZv3enVIwnNsDi5S8/maBg==
=EmOt
-----END PGP PRIVATE KEY BLOCK-----


@ -59,18 +59,22 @@ (define %binary-sample
(define %civodul-fingerprint (define %civodul-fingerprint
"3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5") "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5")
(define %civodul-key-id #x090B11993D9AEBB5) ;civodul.key (define %civodul-key-id #x090B11993D9AEBB5) ;civodul.pub
;; Test keys. They were generated in a container along these lines: #|
;; guix environment -CP --ad-hoc gnupg pinentry Test keys in ./tests/keys. They were generated in a container along these lines:
;; then, within the container: guix environment -CP --ad-hoc gnupg pinentry coreutils
;; mkdir ~/.gnupg then, within the container:
;; echo pinentry-program ~/.guix-profile/bin/pinentry-tty > ~/.gnupg/gpg-agent.conf mkdir ~/.gnupg && chmod -R og-rwx ~/.gnupg
;; gpg --quick-gen-key '<ludo+test-rsa@chbouib.org>' rsa gpg --batch --passphrase '' --quick-gen-key '<example@example.com>' ed25519
;; or similar. gpg --armor --export example@example.com
(define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.key gpg --armor --export-secret-key example@example.com
(define %dsa-key-id #x587918047BE8BD2C) ;dsa.key # echo pinentry-program ~/.guix-profile/bin/pinentry-curses > ~/.gnupg/gpg-agent.conf
(define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.key or similar.
|#
(define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.pub
(define %dsa-key-id #x587918047BE8BD2C) ;dsa.pub
(define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.pub
(define %rsa-key-fingerprint (define %rsa-key-fingerprint
(base16-string->bytevector (base16-string->bytevector
@ -168,7 +172,7 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
(not (port-ascii-armored? (open-bytevector-input-port %binary-sample)))) (not (port-ascii-armored? (open-bytevector-input-port %binary-sample))))
(test-assert "get-openpgp-keyring" (test-assert "get-openpgp-keyring"
(let* ((key (search-path %load-path "tests/civodul.key")) (let* ((key (search-path %load-path "tests/keys/civodul.pub"))
(keyring (get-openpgp-keyring (keyring (get-openpgp-keyring
(open-bytevector-input-port (open-bytevector-input-port
(call-with-input-file key read-radix-64))))) (call-with-input-file key read-radix-64)))))
@ -228,8 +232,10 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
(verify-openpgp-signature signature keyring (verify-openpgp-signature signature keyring
(open-input-string "Hello!\n")))) (open-input-string "Hello!\n"))))
(list status (openpgp-public-key-id key))))) (list status (openpgp-public-key-id key)))))
(list "tests/rsa.key" "tests/dsa.key" (list "tests/keys/rsa.pub" "tests/keys/dsa.pub"
"tests/ed25519.key" "tests/ed25519.key" "tests/ed25519.key") "tests/keys/ed25519.pub"
"tests/keys/ed25519.pub"
"tests/keys/ed25519.pub")
(list %hello-signature/rsa %hello-signature/dsa (list %hello-signature/rsa %hello-signature/dsa
%hello-signature/ed25519/sha256 %hello-signature/ed25519/sha256
%hello-signature/ed25519/sha512 %hello-signature/ed25519/sha512
@ -248,9 +254,9 @@ (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
(call-with-input-file key read-radix-64)) (call-with-input-file key read-radix-64))
keyring))) keyring)))
%empty-keyring %empty-keyring
'("tests/rsa.key" "tests/dsa.key" '("tests/keys/rsa.pub" "tests/keys/dsa.pub"
"tests/ed25519.key" "tests/ed25519.key" "tests/keys/ed25519.pub" "tests/keys/ed25519.pub"
"tests/ed25519.key")))) "tests/keys/ed25519.pub"))))
(map (lambda (signature) (map (lambda (signature)
(let ((signature (string->openpgp-packet signature))) (let ((signature (string->openpgp-packet signature)))
(let-values (((status key) (let-values (((status key)
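Review bot: The rewritten key-generation note in the first hunk switches from the file's `;;` line comments to a `#| ... |#` block, and inside it the `# echo pinentry-program ... > ~/.gnupg/gpg-agent.conf` line is kept as a shell comment with no indication of when it is needed now that the recipe runs `gpg --batch --passphrase ''`. Keeping `;;` and stating what the recipe implies would make the fixture's nature explicit, e.g. `;; The secret keys are exported with an empty passphrase (--passphrase '') so` / `;; the test suite can sign non-interactively; they are throwaway test keys.` — and either drop the pinentry line or add why it is still listed, which the hunk does not say. This file section may continue past the last hunk shown.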