diff mbox series

[v6,6/9] ssh signing: add test prereqs

Message ID 18a26ca49e7a9b0046559ac8d5c62c99ea7262ae.1627501009.git.gitgitgadget@gmail.com (mailing list archive)
State New
Headers show
Series ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen | expand

Commit Message

Fabian Stelzer July 28, 2021, 7:36 p.m. UTC
From: Fabian Stelzer <fs@gigacodes.de>

generate some ssh keys and a allowedSignersFile for testing

Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
---
 t/lib-gpg.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

Comments

Josh Steadmon July 29, 2021, 7:09 p.m. UTC | #1
On 2021.07.28 19:36, Fabian Stelzer via GitGitGadget wrote:
> From: Fabian Stelzer <fs@gigacodes.de>
> 
> generate some ssh keys and a allowedSignersFile for testing
> 
> Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
> ---
>  t/lib-gpg.sh | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
> index 9fc5241228e..600c8d1a026 100644
> --- a/t/lib-gpg.sh
> +++ b/t/lib-gpg.sh
> @@ -87,6 +87,35 @@ test_lazy_prereq RFC1991 '
>  	echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null
>  '
>  
> +test_lazy_prereq GPGSSH '
> +	ssh_version=$(ssh-keygen -Y find-principals -n "git" 2>&1)
> +	test $? != 127 || exit 1
> +	echo $ssh_version | grep -q "find-principals:missing signature file"
> +	test $? = 0 || exit 1;
> +	mkdir -p "${GNUPGHOME}" &&
> +	chmod 0700 "${GNUPGHOME}" &&
> +	ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GNUPGHOME}/ed25519_ssh_signing_key" >/dev/null &&
> +	echo "\"principal with number 1\" $(cat "${GNUPGHOME}/ed25519_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
> +	ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GNUPGHOME}/rsa_2048_ssh_signing_key" >/dev/null &&
> +	echo "\"principal with number 2\" $(cat "${GNUPGHOME}/rsa_2048_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
> +	ssh-keygen -t ed25519 -N "super_secret" -C "git ed25519 encrypted key" -f "${GNUPGHOME}/protected_ssh_signing_key" >/dev/null &&
> +	echo "\"principal with number 3\" $(cat "${GNUPGHOME}/protected_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
> +	cat "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
> +	ssh-keygen -t ed25519 -N "" -f "${GNUPGHOME}/untrusted_ssh_signing_key" >/dev/null
> +'
> +
> +SIGNING_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key"
> +SIGNING_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key"
> +SIGNING_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key"
> +SIGNING_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key"
> +SIGNING_KEY_PASSPHRASE="super_secret"
> +SIGNING_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile"
> +
> +GOOD_SIGNATURE_TRUSTED='Good "git" signature for'
> +GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with'
> +KEY_NOT_TRUSTED="No principal matched"
> +BAD_SIGNATURE="Signature verification failed"
> +

Is there a reason why we don't use these variables in the script above?

Also, in general I feel that it's better to add tests in the same commit
where new features are added, rather than having standalone test
commits.


>  sanitize_pgp() {
>  	perl -ne '
>  		/^-----END PGP/ and $in_pgp = 0;
> -- 
> gitgitgadget
>
Junio C Hamano July 29, 2021, 7:57 p.m. UTC | #2
Josh Steadmon <steadmon@google.com> writes:

>> ...
>> +GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with'
>> +KEY_NOT_TRUSTED="No principal matched"
>> +BAD_SIGNATURE="Signature verification failed"
>> +
>
> Is there a reason why we don't use these variables in the script above?
>
> Also, in general I feel that it's better to add tests in the same commit
> where new features are added, rather than having standalone test
> commits.

Again, good suggestions.

Thanks for excellent reviews.
Fabian Stelzer July 30, 2021, 7:32 a.m. UTC | #3
On 29.07.21 21:09, Josh Steadmon wrote:
> On 2021.07.28 19:36, Fabian Stelzer via GitGitGadget wrote:
>> From: Fabian Stelzer <fs@gigacodes.de>
>>   
>> +test_lazy_prereq GPGSSH '
>> +	ssh_version=$(ssh-keygen -Y find-principals -n "git" 2>&1)
>> +	test $? != 127 || exit 1
>> +	echo $ssh_version | grep -q "find-principals:missing signature file"
>> +	test $? = 0 || exit 1;
>> +	mkdir -p "${GNUPGHOME}" &&
>> +	chmod 0700 "${GNUPGHOME}" &&
>> +	ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GNUPGHOME}/ed25519_ssh_signing_key" >/dev/null &&
>> +	echo "\"principal with number 1\" $(cat "${GNUPGHOME}/ed25519_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
>> +	ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GNUPGHOME}/rsa_2048_ssh_signing_key" >/dev/null &&
>> +	echo "\"principal with number 2\" $(cat "${GNUPGHOME}/rsa_2048_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
>> +	ssh-keygen -t ed25519 -N "super_secret" -C "git ed25519 encrypted key" -f "${GNUPGHOME}/protected_ssh_signing_key" >/dev/null &&
>> +	echo "\"principal with number 3\" $(cat "${GNUPGHOME}/protected_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
>> +	cat "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
>> +	ssh-keygen -t ed25519 -N "" -f "${GNUPGHOME}/untrusted_ssh_signing_key" >/dev/null
>> +'
>> +
>> +SIGNING_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key"
>> +SIGNING_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key"
>> +SIGNING_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key"
>> +SIGNING_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key"
>> +SIGNING_KEY_PASSPHRASE="super_secret"
>> +SIGNING_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile"
>> +
>> +GOOD_SIGNATURE_TRUSTED='Good "git" signature for'
>> +GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with'
>> +KEY_NOT_TRUSTED="No principal matched"
>> +BAD_SIGNATURE="Signature verification failed"
>> +
> 
> Is there a reason why we don't use these variables in the script above?
> 
> Also, in general I feel that it's better to add tests in the same commit
> where new features are added, rather than having standalone test
> commits.
> 

Intially i wanted to fill them in the prereq but couldn't acces them in 
the tests then.

Thanks, i have moved the variables above the prereq and used them there 
as well. makes sense.
Also i have prefixed them now with GPGSSH so we don't collide with any 
other tests accidentally.
diff mbox series

Patch

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index 9fc5241228e..600c8d1a026 100644
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -87,6 +87,35 @@  test_lazy_prereq RFC1991 '
 	echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null
 '
 
+test_lazy_prereq GPGSSH '
+	ssh_version=$(ssh-keygen -Y find-principals -n "git" 2>&1)
+	test $? != 127 || exit 1
+	echo $ssh_version | grep -q "find-principals:missing signature file"
+	test $? = 0 || exit 1;
+	mkdir -p "${GNUPGHOME}" &&
+	chmod 0700 "${GNUPGHOME}" &&
+	ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GNUPGHOME}/ed25519_ssh_signing_key" >/dev/null &&
+	echo "\"principal with number 1\" $(cat "${GNUPGHOME}/ed25519_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
+	ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GNUPGHOME}/rsa_2048_ssh_signing_key" >/dev/null &&
+	echo "\"principal with number 2\" $(cat "${GNUPGHOME}/rsa_2048_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
+	ssh-keygen -t ed25519 -N "super_secret" -C "git ed25519 encrypted key" -f "${GNUPGHOME}/protected_ssh_signing_key" >/dev/null &&
+	echo "\"principal with number 3\" $(cat "${GNUPGHOME}/protected_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
+	cat "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" &&
+	ssh-keygen -t ed25519 -N "" -f "${GNUPGHOME}/untrusted_ssh_signing_key" >/dev/null
+'
+
+SIGNING_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key"
+SIGNING_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key"
+SIGNING_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key"
+SIGNING_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key"
+SIGNING_KEY_PASSPHRASE="super_secret"
+SIGNING_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile"
+
+GOOD_SIGNATURE_TRUSTED='Good "git" signature for'
+GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with'
+KEY_NOT_TRUSTED="No principal matched"
+BAD_SIGNATURE="Signature verification failed"
+
 sanitize_pgp() {
 	perl -ne '
 		/^-----END PGP/ and $in_pgp = 0;