tests: Move keys into ./tests/keys/ and add a third ed25519 key.

The third key will be used in an upcoming commit.

Rename public keys to .pub.

* guix/tests/gnupg.scm (%ed25519-3-public-key-file): New variable.
(%ed25519-3-secret-key-file): New variable.
(%ed25519-2-public-key-file): Renamed from %ed25519bis-public-key-file.
(%ed25519-2-secret-key-file): Renamed from %ed25519bis-secret-key-file.
* tests/keys/ed25519-3.key: New file.
* tests/keys/ed25519-3.sec: New file.

Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
Attila Lendvai 2021-12-21 22:56:10 +01:00 committed by Mathieu Othacehe
parent 5b8ae331f7
commit 9ebc9ca070
18 changed files with 92 additions and 60 deletions

@ -653,16 +653,18 @@ EXTRA_DIST += \
build-aux/update-guix-package.scm \
build-aux/update-NEWS.scm \
tests/test.drv \
tests/signing-key.pub \
tests/signing-key.sec \
tests/cve-sample.json \
tests/civodul.key \
tests/rsa.key \
tests/dsa.key \
tests/ed25519.key \
tests/ed25519.sec \
tests/ed25519bis.key \
tests/ed25519bis.sec \
tests/keys/signing-key.pub \
tests/keys/signing-key.sec \
tests/keys/civodul.pub \
tests/keys/rsa.pub \
tests/keys/dsa.pub \
tests/keys/ed25519.pub \
tests/keys/ed25519.sec \
tests/keys/ed25519-2.pub \
tests/keys/ed25519-2.sec \
tests/keys/ed25519-3.pub \
tests/keys/ed25519-3.sec \
build-aux/config.rpath \
bootstrap \
doc/build.scm \

@ -73,9 +73,9 @@ then
# Copy the keys so that the secret key has the right permissions (the
# daemon errors out when this is not the case.)
mkdir -p "$GUIX_CONFIGURATION_DIRECTORY"
cp "@abs_top_srcdir@/tests/signing-key.sec" \
"@abs_top_srcdir@/tests/signing-key.pub" \
"$GUIX_CONFIGURATION_DIRECTORY"
cp "@abs_top_srcdir@/tests/keys/signing-key.sec" \
"@abs_top_srcdir@/tests/keys/signing-key.pub" \
"$GUIX_CONFIGURATION_DIRECTORY"
chmod 400 "$GUIX_CONFIGURATION_DIRECTORY/signing-key.sec"
fi
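Review bot: The copied secret key keeps the source file's mode (subject to the umask) until the `chmod 400` on the next line runs, and if `$GUIX_CONFIGURATION_DIRECTORY` is ever reused, `cp` over the existing 0400 copy may fail before the chmod is reached. Using `install` sets the mode atomically and makes the comment above literally true: `install -m 400 "@abs_top_srcdir@/tests/keys/signing-key.sec" "$GUIX_CONFIGURATION_DIRECTORY/signing-key.sec"` and `install -m 444 "@abs_top_srcdir@/tests/keys/signing-key.pub" "$GUIX_CONFIGURATION_DIRECTORY/signing-key.pub"`, dropping the separate chmod. The enclosing `if`/`then` starts before the hunk.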

@ -28,8 +28,10 @@
%ed25519-public-key-file
%ed25519-secret-key-file
%ed25519bis-public-key-file
%ed25519bis-secret-key-file
%ed25519-2-public-key-file
%ed25519-2-secret-key-file
%ed25519-3-public-key-file
%ed25519-3-secret-key-file
read-openpgp-packet
key-fingerprint
@ -63,13 +65,17 @@ process is terminated afterwards."
(call-with-fresh-gnupg-setup imported (lambda () exp ...)))
(define %ed25519-public-key-file
(search-path %load-path "tests/ed25519.key"))
(search-path %load-path "tests/keys/ed25519.pub"))
(define %ed25519-secret-key-file
(search-path %load-path "tests/ed25519.sec"))
(define %ed25519bis-public-key-file
(search-path %load-path "tests/ed25519bis.key"))
(define %ed25519bis-secret-key-file
(search-path %load-path "tests/ed25519bis.sec"))
(search-path %load-path "tests/keys/ed25519.sec"))
(define %ed25519-2-public-key-file
(search-path %load-path "tests/keys/ed25519-2.pub"))
(define %ed25519-2-secret-key-file
(search-path %load-path "tests/keys/ed25519-2.sec"))
(define %ed25519-3-public-key-file
(search-path %load-path "tests/keys/ed25519-3.pub"))
(define %ed25519-3-secret-key-file
(search-path %load-path "tests/keys/ed25519-3.sec"))
(define (read-openpgp-packet file)
(get-openpgp-packet
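Review bot: Each of the eight key-file variables repeats the same `search-path` call, and `search-path` returns #f when tests/keys is not on %load-path, so a misplaced or mis-named fixture (the third key is new and unused yet) only surfaces later as an obscure error from `call-with-input-file` or gpg. A small helper that resolves a name under tests/keys and raises a clear error at definition time would remove the repetition and fail early, as sketched below; the exported names in the first hunk are unchanged.
```scheme
(define (test-key-file name)
  "Return the absolute file name of test key NAME under tests/keys, raising an
error when it cannot be found on %load-path."
  (or (search-path %load-path (string-append "tests/keys/" name))
      (error "test key not found on %load-path" name)))

(define %ed25519-3-public-key-file (test-key-file "ed25519-3.pub"))
(define %ed25519-3-secret-key-file (test-key-file "ed25519-3.sec"))
;; … the other %ed25519* key-file definitions rewritten the same way …
```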

@ -480,8 +480,8 @@
#t
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file
%ed25519bis-public-key-file
%ed25519bis-secret-key-file)
%ed25519-2-public-key-file
%ed25519-2-secret-key-file)
(with-temporary-git-repository directory
`((add ".guix-channel"
,(object->string
@ -507,7 +507,7 @@
(commit-id-string commit1)
(openpgp-public-key-fingerprint
(read-openpgp-packet
%ed25519bis-public-key-file)))) ;different key
%ed25519-2-public-key-file)))) ;different key
(channel (channel (name 'example)
(url (string-append "file://" directory))
(introduction intro))))
@ -519,7 +519,7 @@
(oid->string (commit-id commit1))
(key-fingerprint %ed25519-public-key-file)
(key-fingerprint
%ed25519bis-public-key-file))))))
%ed25519-2-public-key-file))))))
(authenticate-channel channel directory
(commit-id-string commit2)
#:keyring-reference-prefix "")
@ -530,8 +530,8 @@
#t
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file
%ed25519bis-public-key-file
%ed25519bis-secret-key-file)
%ed25519-2-public-key-file
%ed25519-2-secret-key-file)
(with-temporary-git-repository directory
`((add ".guix-channel"
,(object->string
@ -552,12 +552,12 @@
(signer ,(key-fingerprint %ed25519-public-key-file)))
(add "c.txt" "C")
(commit "third commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
(signer ,(key-fingerprint %ed25519-2-public-key-file)))
(branch "channel-keyring")
(checkout "channel-keyring")
(add "signer.key" ,(call-with-input-file %ed25519-public-key-file
get-string-all))
(add "other.key" ,(call-with-input-file %ed25519bis-public-key-file
(add "other.key" ,(call-with-input-file %ed25519-2-public-key-file
get-string-all))
(commit "keyring commit")
(checkout "master"))
@ -588,7 +588,7 @@
(unauthorized-commit-error-signing-key c))
(openpgp-public-key-fingerprint
(read-openpgp-packet
%ed25519bis-public-key-file))))))
%ed25519-2-public-key-file))))))
(authenticate-channel channel directory
(commit-id-string commit3)
#:keyring-reference-prefix "")

@ -161,14 +161,14 @@
(test-assert "signed commits, .guix-authorizations, unauthorized merge"
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file
%ed25519bis-public-key-file
%ed25519bis-secret-key-file)
%ed25519-2-public-key-file
%ed25519-2-secret-key-file)
(with-temporary-git-repository directory
`((add "signer1.key"
,(call-with-input-file %ed25519-public-key-file
get-string-all))
(add "signer2.key"
,(call-with-input-file %ed25519bis-public-key-file
,(call-with-input-file %ed25519-2-public-key-file
get-string-all))
(add ".guix-authorizations"
,(object->string
@ -184,7 +184,7 @@
(checkout "devel")
(add "devel/1.txt" "1")
(commit "first devel commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
(signer ,(key-fingerprint %ed25519-2-public-key-file)))
(checkout "master")
(add "b.txt" "B")
(commit "second commit"
@ -203,7 +203,7 @@
(openpgp-public-key-fingerprint
(unauthorized-commit-error-signing-key c))
(openpgp-public-key-fingerprint
(read-openpgp-packet %ed25519bis-public-key-file)))))
(read-openpgp-packet %ed25519-2-public-key-file)))))
(and (authenticate-commits repository (list master1 master2)
#:keyring-reference "master")
@ -230,14 +230,14 @@
(test-assert "signed commits, .guix-authorizations, authorized merge"
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file
%ed25519bis-public-key-file
%ed25519bis-secret-key-file)
%ed25519-2-public-key-file
%ed25519-2-secret-key-file)
(with-temporary-git-repository directory
`((add "signer1.key"
,(call-with-input-file %ed25519-public-key-file
get-string-all))
(add "signer2.key"
,(call-with-input-file %ed25519bis-public-key-file
,(call-with-input-file %ed25519-2-public-key-file
get-string-all))
(add ".guix-authorizations"
,(object->string
@ -258,12 +258,12 @@
%ed25519-public-key-file)
(name "Alice"))
(,(key-fingerprint
%ed25519bis-public-key-file))))))
%ed25519-2-public-key-file))))))
(commit "first devel commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(add "devel/2.txt" "2")
(commit "second devel commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
(signer ,(key-fingerprint %ed25519-2-public-key-file)))
(checkout "master")
(add "b.txt" "B")
(commit "second commit"
@ -273,7 +273,7 @@
;; After the merge, the second signer is authorized.
(add "c.txt" "C")
(commit "third commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file))))
(signer ,(key-fingerprint %ed25519-2-public-key-file))))
(with-repository directory repository
(let ((master1 (find-commit repository "first commit"))
(master2 (find-commit repository "second commit"))
@ -328,4 +328,3 @@
'failed)))))))
(test-end "git-authenticate")

@ -28,7 +28,7 @@ rm -f "$sig" "$hash"
trap 'rm -f "$sig" "$hash"' EXIT
key="$abs_top_srcdir/tests/signing-key.sec"
key="$abs_top_srcdir/tests/keys/signing-key.sec"
key_len="`echo -n $key | wc -c`"
# A hexadecimal string as long as a sha256 hash.
@ -67,7 +67,7 @@ test "$code" -ne 0
# encoded independently of the current locale: <https://bugs.gnu.org/43421>.
hash="636166e9636166e9636166e9636166e9636166e9636166e9636166e9636166e9"
latin1_cafe="caf$(printf '\351')"
echo "sign 21:tests/signing-key.sec 64:$hash" | guix authenticate \
echo "sign 26:tests/keys/signing-key.sec 64:$hash" | guix authenticate \
| LC_ALL=C grep "hash sha256 \"$latin1_cafe"
# Test for <http://bugs.gnu.org/17312>: make sure 'guix authenticate' produces
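Review bot: The netstring length on the `sign` line is hand-counted (`26:tests/keys/signing-key.sec`), which is exactly the value this rename had to fix by hand and will silently desynchronise on the next move, while the first hunk already derives `key_len` from the path with `wc -c`. Deriving it here as well keeps the test honest: `rel_key="tests/keys/signing-key.sec"` followed by `echo "sign ${#rel_key}:$rel_key 64:$hash" | guix authenticate \`. The pipeline continues past the end of the hunk.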

tests/keys/ed25519-3.pub Normal file

@ -0,0 +1,9 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYVH/7xYJKwYBBAHaRw8BAQdALMLeUhjEG2/UPCJj2j/debFwwAK5gT3G0l5d
ILfFldm0FTxleGFtcGxlQGV4YW1wbGUuY29tPoiWBBMWCAA+FiEEjO6M85jMSK68
7tINGBzA7NyoagkFAmFR/+8CGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AACgkQGBzA7Nyoagl3lgEAw6yqIlX11lTqwxBGhZk/Oy34O13cbJSZCGv+m0ja
+hcA/3DCNOmT+oXjgO/w6enQZUQ1m/d6dUjCc2wOLlLz+ZoG
=+r3i
-----END PGP PUBLIC KEY BLOCK-----

tests/keys/ed25519-3.sec Normal file

@ -0,0 +1,10 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
lFgEYVH/7xYJKwYBBAHaRw8BAQdALMLeUhjEG2/UPCJj2j/debFwwAK5gT3G0l5d
ILfFldkAAP92goSbbzQ0ttElr9lr5Cm6rmQtqUZ2Cu/Jk9fvfZROwxI0tBU8ZXhh
bXBsZUBleGFtcGxlLmNvbT6IlgQTFggAPhYhBIzujPOYzEiuvO7SDRgcwOzcqGoJ
BQJhUf/vAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBgcwOzc
qGoJd5YBAMOsqiJV9dZU6sMQRoWZPzst+Dtd3GyUmQhr/ptI2voXAP9wwjTpk/qF
44Dv8Onp0GVENZv3enVIwnNsDi5S8/maBg==
=EmOt
-----END PGP PRIVATE KEY BLOCK-----

@ -59,18 +59,22 @@ vBSFjNSiVHsuAA==
(define %civodul-fingerprint
"3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5")
(define %civodul-key-id #x090B11993D9AEBB5) ;civodul.key
(define %civodul-key-id #x090B11993D9AEBB5) ;civodul.pub
;; Test keys. They were generated in a container along these lines:
;; guix environment -CP --ad-hoc gnupg pinentry
;; then, within the container:
;; mkdir ~/.gnupg
;; echo pinentry-program ~/.guix-profile/bin/pinentry-tty > ~/.gnupg/gpg-agent.conf
;; gpg --quick-gen-key '<ludo+test-rsa@chbouib.org>' rsa
;; or similar.
(define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.key
(define %dsa-key-id #x587918047BE8BD2C) ;dsa.key
(define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.key
#|
Test keys in ./tests/keys. They were generated in a container along these lines:
guix environment -CP --ad-hoc gnupg pinentry coreutils
then, within the container:
mkdir ~/.gnupg && chmod -R og-rwx ~/.gnupg
gpg --batch --passphrase '' --quick-gen-key '<example@example.com>' ed25519
gpg --armor --export example@example.com
gpg --armor --export-secret-key example@example.com
# echo pinentry-program ~/.guix-profile/bin/pinentry-curses > ~/.gnupg/gpg-agent.conf
or similar.
|#
(define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.pub
(define %dsa-key-id #x587918047BE8BD2C) ;dsa.pub
(define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.pub
(define %rsa-key-fingerprint
(base16-string->bytevector
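Review bot: The new block comment records how the keys were generated but not the property the test suite actually depends on: `--passphrase ''` produces secret keys that are exported unencrypted, which is what lets gpg use the committed .sec files non-interactively. A line such as `Secret keys are exported with an empty passphrase so the tests can use them without pinentry; they are fixtures for this test suite only.` would make that explicit for the next person regenerating them. The commented-out `pinentry-program` line inside the block is ambiguous as written; stating that it is only needed when generating keys interactively would clarify it.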
@ -168,7 +172,7 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0=
(not (port-ascii-armored? (open-bytevector-input-port %binary-sample))))
(test-assert "get-openpgp-keyring"
(let* ((key (search-path %load-path "tests/civodul.key"))
(let* ((key (search-path %load-path "tests/keys/civodul.pub"))
(keyring (get-openpgp-keyring
(open-bytevector-input-port
(call-with-input-file key read-radix-64)))))
@ -228,8 +232,10 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0=
(verify-openpgp-signature signature keyring
(open-input-string "Hello!\n"))))
(list status (openpgp-public-key-id key)))))
(list "tests/rsa.key" "tests/dsa.key"
"tests/ed25519.key" "tests/ed25519.key" "tests/ed25519.key")
(list "tests/keys/rsa.pub" "tests/keys/dsa.pub"
"tests/keys/ed25519.pub"
"tests/keys/ed25519.pub"
"tests/keys/ed25519.pub")
(list %hello-signature/rsa %hello-signature/dsa
%hello-signature/ed25519/sha256
%hello-signature/ed25519/sha512
@ -248,9 +254,9 @@ Pz7oopeN72xgggYUNT37ezqN3MeCqw0=
(call-with-input-file key read-radix-64))
keyring)))
%empty-keyring
'("tests/rsa.key" "tests/dsa.key"
"tests/ed25519.key" "tests/ed25519.key"
"tests/ed25519.key"))))
'("tests/keys/rsa.pub" "tests/keys/dsa.pub"
"tests/keys/ed25519.pub" "tests/keys/ed25519.pub"
"tests/keys/ed25519.pub"))))
(map (lambda (signature)
(let ((signature (string->openpgp-packet signature)))
(let-values (((status key)