[PATCH] git-authenticate: Test introductory commit signature verification.

  • Done
Details
One participant: Ludovic Courtès
Owner: unassigned
Submitted by: Ludovic Courtès
Severity: normal
Ludovic Courtès wrote on 28 Jan 2022 18:10
(address . guix-patches@gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20220128171020.5778-1-ludo@gnu.org
These tests mimic similar tests already in 'tests/channels.scm', but
without using the higher-level 'authenticate-channel'.

* tests/git-authenticate.scm ("introductory commit, valid signature")
("introductory commit, missing signature")
("introductory commit, wrong signature"): New tests.
---
tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++-
1 file changed, 105 insertions(+), 1 deletion(-)

Hello!

(Cc: Maxime + Attila since you’ve already looked into this code.)

This patch adds tests to ensure that an invalid introductory commit
signature and lack of a signature on the introductory commit both lead
to an error.

These tests do not uncover any problem. In fact, this behavior was
already tested in ‘tests/channels.scm’, but using the higher-level
‘authenticate-channel’ procedure.

They were prompted by Attila’s comments in https://issues.guix.gnu.org/50814
and by investigations that led to the bug fix I’m about to send (separately).

Thoughts?

Thanks,
Ludo’.


diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm
index f66ef191b0..6ec55fb2e5 100644
--- a/tests/git-authenticate.scm
+++ b/tests/git-authenticate.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020, 2022 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -20,12 +20,17 @@ (define-module (test-git-authenticate)
#:use-module (git)
#:use-module (guix git)
#:use-module (guix git-authenticate)
+ #:use-module ((guix channels) #:select (openpgp-fingerprint))
+ #:use-module ((guix diagnostics)
+ #:select (formatted-message? formatted-message-arguments))
#:use-module (guix openpgp)
+ #:use-module ((guix tests) #:select (random-text))
#:use-module (guix tests git)
#:use-module (guix tests gnupg)
#:use-module (guix build utils)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-34)
+ #:use-module (srfi srfi-35)
#:use-module (srfi srfi-64)
#:use-module (rnrs bytevectors)
#:use-module (rnrs io ports))
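Review bot: The new '(srfi srfi-35)' import in this module header does not appear to be used by anything visible in the patch: the added tests catch errors with 'guard' (SRFI-34) and inspect them with 'formatted-message?' and 'formatted-message-arguments', both selected from (guix diagnostics). If no SRFI-35 binding is referenced directly, drop the import; if it is needed, a short comment saying for what would help. The '(guix channels)' import is limited with '#:select (openpgp-fingerprint)', which is good, but since the commit message says these tests deliberately avoid the higher-level 'authenticate-channel', a one-line comment on why that module is still pulled in would make the intent clear.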
@@ -327,4 +332,103 @@ (define (correct? c commit)
#:keyring-reference "master")
'failed)))))))
+(unless (gpg+git-available?) (test-skip 1))
+(test-assert "introductory commit, valid signature"
+ (with-fresh-gnupg-setup (list %ed25519-public-key-file
+ %ed25519-secret-key-file)
+ (let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
+ (with-temporary-git-repository directory
+ `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
+ get-string-all))
+ (add ".guix-authorizations"
+ ,(object->string
+ `(authorizations (version 0)
+ ((,(key-fingerprint
+ %ed25519-public-key-file)
+ (name "Charlie"))))))
+ (commit "zeroth commit" (signer ,fingerprint))
+ (add "a.txt" "A")
+ (commit "first commit" (signer ,fingerprint)))
+ (with-repository directory repository
+ (let ((commit0 (find-commit repository "zero"))
+ (commit1 (find-commit repository "first")))
+ ;; COMMIT0 is signed with the right key, and COMMIT1 is fine.
+ (authenticate-repository repository
+ (commit-id commit0)
+ (openpgp-fingerprint fingerprint)
+ #:keyring-reference "master"
+ #:cache-key (random-text))))))))
+
+(unless (gpg+git-available?) (test-skip 1))
+(test-equal "introductory commit, missing signature"
+ 'intro-lacks-signature
+ (with-fresh-gnupg-setup (list %ed25519-public-key-file
+ %ed25519-secret-key-file)
+ (let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
+ (with-temporary-git-repository directory
+ `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
+ get-string-all))
+ (add ".guix-authorizations"
+ ,(object->string
+ `(authorizations (version 0)
+ ((,(key-fingerprint
+ %ed25519-public-key-file)
+ (name "Charlie"))))))
+ (commit "zeroth commit") ;unsigned!
+ (add "a.txt" "A")
+ (commit "first commit" (signer ,fingerprint)))
+ (with-repository directory repository
+ (let ((commit0 (find-commit repository "zero")))
+ ;; COMMIT0 is not signed.
+ (guard (c ((formatted-message? c)
+ ;; Message like "commit ~a lacks a signature".
+ (and (equal? (formatted-message-arguments c)
+ (list (oid->string (commit-id commit0))))
+ 'intro-lacks-signature)))
+ (authenticate-repository repository
+ (commit-id commit0)
+ (openpgp-fingerprint fingerprint)
+ #:keyring-reference "master"
+ #:cache-key (random-text)))))))))
+
+(unless (gpg+git-available?) (test-skip 1))
+(test-equal "introductory commit, wrong signature"
+ 'wrong-intro-signing-key
+ (with-fresh-gnupg-setup (list %ed25519-public-key-file
+ %ed25519-secret-key-file
+ %ed25519-2-public-key-file
+ %ed25519-2-secret-key-file)
+ (let ((fingerprint (key-fingerprint %ed25519-public-key-file))
+ (wrong-fingerprint (key-fingerprint %ed25519-2-public-key-file)))
+ (with-temporary-git-repository directory
+ `((add "signer1.key" ,(call-with-input-file %ed25519-public-key-file
+ get-string-all))
+ (add "signer2.key" ,(call-with-input-file %ed25519-2-public-key-file
+ get-string-all))
+ (add ".guix-authorizations"
+ ,(object->string
+ `(authorizations (version 0)
+ ((,(key-fingerprint
+ %ed25519-public-key-file)
+ (name "Charlie"))))))
+ (commit "zeroth commit" (signer ,wrong-fingerprint))
+ (add "a.txt" "A")
+ (commit "first commit" (signer ,fingerprint)))
+ (with-repository directory repository
+ (let ((commit0 (find-commit repository "zero"))
+ (commit1 (find-commit repository "first")))
+ ;; COMMIT0 is signed with the wrong key--not the one passed as the
+ ;; SIGNER argument to 'authenticate-repository'.
+ (guard (c ((formatted-message? c)
+ ;; Message like "commit ~a signed by ~a instead of ~a".
+ (and (equal? (formatted-message-arguments c)
+ (list (oid->string (commit-id commit0))
+ wrong-fingerprint fingerprint))
+ 'wrong-intro-signing-key)))
+ (authenticate-repository repository
+ (commit-id commit0)
+ (openpgp-fingerprint fingerprint)
+ #:keyring-reference "master"
+ #:cache-key (random-text)))))))))
+
(test-end "git-authenticate")
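Review bot: In the 'guard' clauses of "introductory commit, missing signature" and "introductory commit, wrong signature", the error is identified only by 'formatted-message-arguments'; the format string is mentioned in a comment ("Message like ...") but never checked. For the missing-signature case the expected argument list is just the ID of COMMIT0, so any other formatted message whose sole argument is that commit ID would also produce 'intro-lacks-signature and the test would still pass. Consider asserting on the message's format string as well, so each test pins the specific failure it is named after. Smaller points: 'commit1' is bound but never used in the "valid signature" and "wrong signature" tests; '(key-fingerprint %ed25519-public-key-file)' is recomputed inside the '.guix-authorizations' form although 'fingerprint' is already bound; and the repository setup repeated across the three tests could be shared through a small helper that takes the signer of the zeroth commit as a parameter.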

base-commit: e778910bdfc68c60a5be59aac93049d32feae904
--
2.34.0
Ludovic Courtès wrote on 29 Jan 2022 11:38
control message for bug #53607
(address . control@debbugs.gnu.org)
87a6febzef.fsf@gnu.org
tags 53607 + security
quit
Ludovic Courtès wrote on 14 Feb 2022 11:30
Re: bug#53607: [PATCH] git-authenticate: Test introductory commit signature verification.
(address . 53607-done@debbugs.gnu.org)
87y22dyc40.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> skribis:

> These tests mimic similar tests already in 'tests/channels.scm', but
> without using the higher-level 'authenticate-channel'.
>
> * tests/git-authenticate.scm ("introductory commit, valid signature")
> ("introductory commit, missing signature")
> ("introductory commit, wrong signature"): New tests.
> ---
> tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++-
> 1 file changed, 105 insertions(+), 1 deletion(-)
>
> Hello!
>
> (Cc: Maxime + Attila since you’ve already looked into this code.)
>
> This patch adds tests to ensure that an invalid introductory commit
> signature and lack of a signature on the introductory commit both lead
> to an error.
>
> These tests do not uncover any problem. In fact, this behavior was
> already tested in ‘tests/channels.scm’, but using the higher-level
> ‘authenticate-channel’ procedure.
>
> They were prompted by Attila’s comments in <https://issues.guix.gnu.org/50814>
> and by investigations that led to the bug fix I’m about to send (separately).

I went ahead and pushed it as 36cb04df96623ffe8f1074172a4ed9e51bcf6e3a.

Ludo’.
Closed

This issue is archived.

To comment on this conversation send an email to 53607@debbugs.gnu.org
