particle-os/debian-koji
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Support packages that are head-signed

Browse source 
This supports packages which do not have the RPMv3 signature scheme
(over the full RPM header+payload), but instead only have signatures
over the header (v4 scheme).
For the v4 scheme, the signature is only stored in SIGTAG_RSA (or
SIGTAG_DSA).

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
Patrick Uiterwijk 2021-08-03 22:27:56 +02:00 committed by Tomas Kopecek
parent f358fd7bc4
commit af25fc2e24
6 changed files with 162 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

49
tests/test_cli/test_import_sig.py
View file

@ -43,6 +43,8 @@ class TestImportSIG(utils.CliTestCase):
'arch': 'x86_64',
'siggpg': None,
'sigpgp': None,
'dsaheader': None,
'rsaheader': None,
},
{
'sourcepackage': 1,
@ -52,6 +54,8 @@ class TestImportSIG(utils.CliTestCase):
'arch': 'x86_64',
'siggpg': None,
'sigpgp': None,
'dsaheader': None,
'rsaheader': None,
},
{
'sourcepackage': 1,
@ -61,6 +65,8 @@ class TestImportSIG(utils.CliTestCase):
'arch': 'x86_64',
'siggpg': None,
'sigpgp': None,
'dsaheader': None,
'rsaheader': None,
}
]
@ -121,6 +127,8 @@ class TestImportSIG(utils.CliTestCase):
for data in self.rpm_headers:
data['siggpg'] = fake_sigkey
data['sigpgp'] = fake_sigkey
data['dsaheader'] = fake_sigkey
data['rsaheader'] = fake_sigkey
tmp = data.copy()
tmp['arch'] = 'src' if tmp['sourcepackage'] else tmp['arch']
expected += "No such rpm in system: %(name)s-%(version)s-%(release)s.%(arch)s" % \
@ -240,6 +248,47 @@ class TestImportSIG(utils.CliTestCase):
# restore os.path.exists patch
os_path_exists_patch.stop()
@mock.patch('sys.stderr', new_callable=six.StringIO)
@mock.patch('sys.stdout', new_callable=six.StringIO)
@mock.patch('koji_cli.commands.activate_session')
def test_handle_import_sig_sigkey_from_header_signed(
self,
activate_session_mock,
stdout, stderr):
"""Test sigkey computation from header-only signed rpm in handle_import_sig function"""
data_path = os.path.abspath("tests/test_hub/data/rpms")
arguments = [os.path.join(data_path, 'header-signed.rpm')]
sigkey = '15f712be'
options = mock.MagicMock()
session = mock.MagicMock()
expected = ''
for pkg in arguments:
expected += "Importing signature [key %s] from %s..." % (sigkey, pkg) + "\n"
expected += "Writing signed copy" + "\n"
session.getRPM.side_effect = [
{
'sourcepackage': 0,
'name': 'testpkg',
'version': '1.0.0',
'release': '1',
'arch': 'x86_64',
'external_repo_id': 0,
'id': 1,
}
]
session.queryRPMSigs.side_effect = None
session.queryRPMSigs.return_value = []
# Run
handle_import_sig(options, session, arguments + ['--test'])
self.assert_console_message(stdout, expected)
session.addRPMSig.assert_not_called()
session.writeSignedRPM.assert_not_called()
def test_handle_import_sig_argument_test(self):
"""Test handle_import_sig function without arguments"""
options = mock.MagicMock()

BIN
tests/test_hub/data/rpms/header-signed.rpm Normal file
View file

Binary file not shown.

86
tests/test_hub/test_add_rpm_sig.py Normal file
View file

@ -0,0 +1,86 @@
import base64
import mock
import os
import unittest
import koji
import kojihub
IP = kojihub.InsertProcessor
class TestAddRPMSig(unittest.TestCase):
def getInsert(self, *args, **kwargs):
insert = IP(*args, **kwargs)
insert.execute = mock.MagicMock()
self.inserts.append(insert)
return insert
def setUp(self):
self.InsertProcessor = mock.patch('kojihub.InsertProcessor',
side_effect=self.getInsert).start()
self.inserts = []
self.context = mock.patch('kojihub.context').start()
# It seems MagicMock will not automatically handle attributes that
# start with "assert"
self.context.session.assertLogin = mock.MagicMock()
self.context.session.assertPerm = mock.MagicMock()
self.context.opts = {'HostPrincipalFormat': '-%s-'}
self.exports = kojihub.RootExports()
self.data_path = os.path.abspath("tests/test_hub/data/rpms")
def tearDown(self):
mock.patch.stopall()
@mock.patch('kojihub._fetchMulti')
@mock.patch('koji.plugin.run_callbacks')
@mock.patch('kojihub.get_rpm')
@mock.patch('kojihub.get_build')
@mock.patch('os.path.isdir')
@mock.patch('koji.ensuredir')
@mock.patch('kojihub.open')
def test_add_rpm_sig_header_signed(
self,
open,
ensuredir,
isdir,
get_build,
get_rpm,
run_callbacks,
_fetchMulti):
"""Test addRPMSig with header-only signed RPM"""
_fetchMulti.side_effect = [[]]
isdir.side_effect = [True]
get_rpm.side_effect = [{
'id': 1,
'name': 'testpkg',
'version': '1.0.0',
'release': '1',
'arch': 'noarch',
'epoch': None,
'payloadhash': '1706d0174aa29a5a3e5c60855a778c35',
'size': 123,
'external_repo_id': None,
'build_id': 1,
}]
open.side_effect = [mock.MagicMock()]
rpm_path = os.path.join(self.data_path, 'header-signed.rpm')
sighdr = koji.rip_rpm_sighdr(rpm_path)
self.exports.addRPMSig(1, base64.b64encode(sighdr))
self.context.session.assertPerm.assert_called_once_with('sign')
self.assertEqual(len(self.inserts), 1)
insert = self.inserts[0]
self.assertEqual(insert.data['rpm_id'], 1)
self.assertEqual(insert.data['sigkey'], '15f712be')
def test_scan_sighdr_header_signed(self):
"""Test _scan_sighdr on a header-only signed package"""
rpm_path = os.path.join(self.data_path, 'header-signed.rpm')
sighdr = koji.rip_rpm_sighdr(rpm_path)
sigmd5, sig = kojihub._scan_sighdr(sighdr, rpm_path)
self.assertEqual(koji.hex_string(sigmd5), '1706d0174aa29a5a3e5c60855a778c35')
sigkey = koji.get_sigpacket_key_id(sig)
self.assertEqual(sigkey, '15f712be')