Message ID | 18a26ca49e7a9b0046559ac8d5c62c99ea7262ae.1627501009.git.gitgitgadget@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen | expand |
On 2021.07.28 19:36, Fabian Stelzer via GitGitGadget wrote: > From: Fabian Stelzer <fs@gigacodes.de> > > generate some ssh keys and a allowedSignersFile for testing > > Signed-off-by: Fabian Stelzer <fs@gigacodes.de> > --- > t/lib-gpg.sh | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh > index 9fc5241228e..600c8d1a026 100644 > --- a/t/lib-gpg.sh > +++ b/t/lib-gpg.sh > @@ -87,6 +87,35 @@ test_lazy_prereq RFC1991 ' > echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null > ' > > +test_lazy_prereq GPGSSH ' > + ssh_version=$(ssh-keygen -Y find-principals -n "git" 2>&1) > + test $? != 127 || exit 1 > + echo $ssh_version | grep -q "find-principals:missing signature file" > + test $? = 0 || exit 1; > + mkdir -p "${GNUPGHOME}" && > + chmod 0700 "${GNUPGHOME}" && > + ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GNUPGHOME}/ed25519_ssh_signing_key" >/dev/null && > + echo "\"principal with number 1\" $(cat "${GNUPGHOME}/ed25519_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && > + ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GNUPGHOME}/rsa_2048_ssh_signing_key" >/dev/null && > + echo "\"principal with number 2\" $(cat "${GNUPGHOME}/rsa_2048_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && > + ssh-keygen -t ed25519 -N "super_secret" -C "git ed25519 encrypted key" -f "${GNUPGHOME}/protected_ssh_signing_key" >/dev/null && > + echo "\"principal with number 3\" $(cat "${GNUPGHOME}/protected_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && > + cat "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && > + ssh-keygen -t ed25519 -N "" -f "${GNUPGHOME}/untrusted_ssh_signing_key" >/dev/null > +' > + > +SIGNING_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key" > +SIGNING_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key" > +SIGNING_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key" > +SIGNING_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key" > +SIGNING_KEY_PASSPHRASE="super_secret" > +SIGNING_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile" > + > +GOOD_SIGNATURE_TRUSTED='Good "git" signature for' > +GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with' > +KEY_NOT_TRUSTED="No principal matched" > +BAD_SIGNATURE="Signature verification failed" > + Is there a reason why we don't use these variables in the script above? Also, in general I feel that it's better to add tests in the same commit where new features are added, rather than having standalone test commits. > sanitize_pgp() { > perl -ne ' > /^-----END PGP/ and $in_pgp = 0; > -- > gitgitgadget >
Josh Steadmon <steadmon@google.com> writes: >> ... >> +GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with' >> +KEY_NOT_TRUSTED="No principal matched" >> +BAD_SIGNATURE="Signature verification failed" >> + > > Is there a reason why we don't use these variables in the script above? > > Also, in general I feel that it's better to add tests in the same commit > where new features are added, rather than having standalone test > commits. Again, good suggestions. Thanks for excellent reviews.
On 29.07.21 21:09, Josh Steadmon wrote: > On 2021.07.28 19:36, Fabian Stelzer via GitGitGadget wrote: >> From: Fabian Stelzer <fs@gigacodes.de> >> >> +test_lazy_prereq GPGSSH ' >> + ssh_version=$(ssh-keygen -Y find-principals -n "git" 2>&1) >> + test $? != 127 || exit 1 >> + echo $ssh_version | grep -q "find-principals:missing signature file" >> + test $? = 0 || exit 1; >> + mkdir -p "${GNUPGHOME}" && >> + chmod 0700 "${GNUPGHOME}" && >> + ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GNUPGHOME}/ed25519_ssh_signing_key" >/dev/null && >> + echo "\"principal with number 1\" $(cat "${GNUPGHOME}/ed25519_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && >> + ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GNUPGHOME}/rsa_2048_ssh_signing_key" >/dev/null && >> + echo "\"principal with number 2\" $(cat "${GNUPGHOME}/rsa_2048_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && >> + ssh-keygen -t ed25519 -N "super_secret" -C "git ed25519 encrypted key" -f "${GNUPGHOME}/protected_ssh_signing_key" >/dev/null && >> + echo "\"principal with number 3\" $(cat "${GNUPGHOME}/protected_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && >> + cat "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && >> + ssh-keygen -t ed25519 -N "" -f "${GNUPGHOME}/untrusted_ssh_signing_key" >/dev/null >> +' >> + >> +SIGNING_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key" >> +SIGNING_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key" >> +SIGNING_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key" >> +SIGNING_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key" >> +SIGNING_KEY_PASSPHRASE="super_secret" >> +SIGNING_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile" >> + >> +GOOD_SIGNATURE_TRUSTED='Good "git" signature for' >> +GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with' >> +KEY_NOT_TRUSTED="No principal matched" >> +BAD_SIGNATURE="Signature verification failed" >> + > > Is there a reason why we don't use these variables in the script above? > > Also, in general I feel that it's better to add tests in the same commit > where new features are added, rather than having standalone test > commits. > Intially i wanted to fill them in the prereq but couldn't acces them in the tests then. Thanks, i have moved the variables above the prereq and used them there as well. makes sense. Also i have prefixed them now with GPGSSH so we don't collide with any other tests accidentally.
diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index 9fc5241228e..600c8d1a026 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh @@ -87,6 +87,35 @@ test_lazy_prereq RFC1991 ' echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null ' +test_lazy_prereq GPGSSH ' + ssh_version=$(ssh-keygen -Y find-principals -n "git" 2>&1) + test $? != 127 || exit 1 + echo $ssh_version | grep -q "find-principals:missing signature file" + test $? = 0 || exit 1; + mkdir -p "${GNUPGHOME}" && + chmod 0700 "${GNUPGHOME}" && + ssh-keygen -t ed25519 -N "" -C "git ed25519 key" -f "${GNUPGHOME}/ed25519_ssh_signing_key" >/dev/null && + echo "\"principal with number 1\" $(cat "${GNUPGHOME}/ed25519_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && + ssh-keygen -t rsa -b 2048 -N "" -C "git rsa2048 key" -f "${GNUPGHOME}/rsa_2048_ssh_signing_key" >/dev/null && + echo "\"principal with number 2\" $(cat "${GNUPGHOME}/rsa_2048_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && + ssh-keygen -t ed25519 -N "super_secret" -C "git ed25519 encrypted key" -f "${GNUPGHOME}/protected_ssh_signing_key" >/dev/null && + echo "\"principal with number 3\" $(cat "${GNUPGHOME}/protected_ssh_signing_key.pub")" >> "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && + cat "${GNUPGHOME}/ssh.all_valid.allowedSignersFile" && + ssh-keygen -t ed25519 -N "" -f "${GNUPGHOME}/untrusted_ssh_signing_key" >/dev/null +' + +SIGNING_KEY_PRIMARY="${GNUPGHOME}/ed25519_ssh_signing_key" +SIGNING_KEY_SECONDARY="${GNUPGHOME}/rsa_2048_ssh_signing_key" +SIGNING_KEY_UNTRUSTED="${GNUPGHOME}/untrusted_ssh_signing_key" +SIGNING_KEY_WITH_PASSPHRASE="${GNUPGHOME}/protected_ssh_signing_key" +SIGNING_KEY_PASSPHRASE="super_secret" +SIGNING_ALLOWED_SIGNERS="${GNUPGHOME}/ssh.all_valid.allowedSignersFile" + +GOOD_SIGNATURE_TRUSTED='Good "git" signature for' +GOOD_SIGNATURE_UNTRUSTED='Good "git" signature with' +KEY_NOT_TRUSTED="No principal matched" +BAD_SIGNATURE="Signature verification failed" + sanitize_pgp() { perl -ne ' /^-----END PGP/ and $in_pgp = 0;