From 1ce0c6368d0908e25f9bd1bb8183b5f29053fac8 Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Sat, 2 Apr 2011 13:19:05 +0200 Subject: Add simple checks for handling signed packages In addition to this dbscripts wont accept unsigned pacakges when REQUIRE_SIGNATURE is set to true. Note: At this point no signature verification is performed at all. --- test/lib/common.inc | 30 +++++++++++++++++++++++++++++- test/test.d/signed-packages.sh | 13 +++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100755 test/test.d/signed-packages.sh (limited to 'test') diff --git a/test/lib/common.inc b/test/lib/common.inc index 2cf2769..eb46508 100644 --- a/test/lib/common.inc +++ b/test/lib/common.inc @@ -95,6 +95,7 @@ setUp() { TMPDIR="${TMP}/tmp" CLEANUP_DRYRUN=false SOURCE_CLEANUP_DRYRUN=false + REQUIRE_SIGNATURE=true eot . "$(dirname ${BASH_SOURCE[0]})/../../config" } @@ -115,6 +116,13 @@ releasePackage() { pkgver=$(. PKGBUILD; echo $(get_full_version ${epoch:-0} ${pkgver} ${pkgrel})) popd >/dev/null cp "${pkgdir}/${pkgbase}"/*-${pkgver}-${arch}${PKGEXT} "${STAGING}"/${repo}/ + + if ${REQUIRE_SIGNATURE}; then + # TODO: really sign the packages with a valid key + find "${STAGING}"/${repo}/ -type f \ + -name "*-${pkgver}-${arch}${PKGEXT}" \ + -exec touch {}.sig \; + fi } checkAnyPackage() { @@ -124,13 +132,23 @@ checkAnyPackage() { local db [ -r "${FTP_BASE}/${PKGPOOL}/${pkg}" ] || fail "${PKGPOOL}/${pkg} not found" + if ${REQUIRE_SIGNATURE}; then + [ -r "${FTP_BASE}/${PKGPOOL}/${pkg}.sig" ] || fail "${PKGPOOL}/${pkg}.sig not found" + fi for arch in i686 x86_64; do - [ -L "${FTP_BASE}/${repo}/os/${arch}/${pkg}" ] || fail "${repo}/os/${arch}/${pkg} not a symlink" + [ -L "${FTP_BASE}/${repo}/os/${arch}/${pkg}" ] || fail "${repo}/os/${arch}/${pkg} is not a symlink" [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}")" == "${FTP_BASE}/${PKGPOOL}/${pkg}" ] \ || fail "${repo}/os/${arch}/${pkg} does not link to ${PKGPOOL}/${pkg}" + + if ${REQUIRE_SIGNATURE}; then + [ -L "${FTP_BASE}/${repo}/os/${arch}/${pkg}.sig" ] || fail "${repo}/os/${arch}/${pkg}.sig is not a symlink" + [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}.sig")" == "${FTP_BASE}/${PKGPOOL}/${pkg}.sig" ] \ + || fail "${repo}/os/${arch}/${pkg}.sig does not link to ${PKGPOOL}/${pkg}.sig" + fi done [ -r "${STAGING}"/${repo}/${pkg} ] && fail "${repo}/${pkg} found in staging dir" + [ -r "${STAGING}"/${repo}/${pkg}.sig ] && fail "${repo}/${pkg}.sig found in staging dir" for db in ${DBEXT} ${FILESEXT}; do ( [ -r "${FTP_BASE}/${repo}/os/${arch}/${repo}${db%.tar.*}" ] \ @@ -139,6 +157,7 @@ checkAnyPackage() { done [ -r "${FTP_BASE}/${repo}/os/any/${pkg}" ] && fail "${repo}/os/any/${pkg} should not exist" + [ -r "${FTP_BASE}/${repo}/os/any/${pkg}.sig" ] && fail "${repo}/os/any/${pkg}.sig should not exist" } checkPackage() { @@ -154,6 +173,15 @@ checkPackage() { [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}")" == "${FTP_BASE}/${PKGPOOL}/${pkg}" ] \ || fail "${repo}/os/${arch}/${pkg} does not link to ${PKGPOOL}/${pkg}" + if ${REQUIRE_SIGNATURE}; then + [ -r "${FTP_BASE}/${PKGPOOL}/${pkg}.sig" ] || fail "${PKGPOOL}/${pkg}.sig not found" + [ -L "${FTP_BASE}/${repo}/os/${arch}/${pkg}.sig" ] || fail "${repo}/os/${arch}/${pkg}.sig is not a symlink" + [ -r "${STAGING}"/${repo}/${pkg}.sig ] && fail "${repo}/${pkg}.sig found in staging dir" + + [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}.sig")" == "${FTP_BASE}/${PKGPOOL}/${pkg}.sig" ] \ + || fail "${repo}/os/${arch}/${pkg}.sig does not link to ${PKGPOOL}/${pkg}.sig" + fi + for db in ${DBEXT} ${FILESEXT}; do ( [ -r "${FTP_BASE}/${repo}/os/${arch}/${repo}${db%.tar.*}" ] \ && bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${db%.tar.*}" -O | grep -q ${pkg}) \ diff --git a/test/test.d/signed-packages.sh b/test/test.d/signed-packages.sh new file mode 100755 index 0000000..5d6f4ff --- /dev/null +++ b/test/test.d/signed-packages.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +curdir=$(readlink -e $(dirname $0)) +. "${curdir}/../lib/common.inc" + +testAddUnsignedPackage() { + releasePackage extra 'pkg-simple-a' 'i686' + # remove any signature + rm "${STAGING}"/extra/*.sig + ../db-update >/dev/null 2>&1 && fail "db-update should fail when a signature is missing!" +} + +. "${curdir}/../lib/shunit2" -- cgit v1.2.3