1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
# Copyright 2013-2023 Lawrence Livermore National Security, LLC and other
# Spack Project Developers. See the top-level COPYRIGHT file for details.
#
# SPDX-License-Identifier: (Apache-2.0 OR MIT)
import os
import pytest
import llnl.util.filesystem as fs
import spack.bootstrap
import spack.util.executable
import spack.util.gpg
from spack.main import SpackCommand
from spack.paths import mock_gpg_data_path, mock_gpg_keys_path
from spack.util.executable import ProcessError
#: spack command used by tests below
gpg = SpackCommand("gpg")
bootstrap = SpackCommand("bootstrap")
mirror = SpackCommand("mirror")
pytestmark = pytest.mark.not_on_windows("does not run on windows")
# test gpg command detection
@pytest.mark.parametrize(
"cmd_name,version",
[
("gpg", "undetectable"), # undetectable version
("gpg", "gpg (GnuPG) 1.3.4"), # insufficient version
("gpg", "gpg (GnuPG) 2.2.19"), # sufficient version
("gpg2", "gpg (GnuPG) 2.2.19"), # gpg2 command
],
)
def test_find_gpg(cmd_name, version, tmpdir, mock_gnupghome, monkeypatch):
TEMPLATE = "#!/bin/sh\n" 'echo "{version}"\n'
with tmpdir.as_cwd():
for fname in (cmd_name, "gpgconf"):
with open(fname, "w") as f:
f.write(TEMPLATE.format(version=version))
fs.set_executable(fname)
monkeypatch.setenv("PATH", str(tmpdir))
if version == "undetectable" or version.endswith("1.3.4"):
with pytest.raises(spack.util.gpg.SpackGPGError):
spack.util.gpg.init(force=True)
else:
spack.util.gpg.init(force=True)
assert spack.util.gpg.GPG is not None
assert spack.util.gpg.GPGCONF is not None
def test_no_gpg_in_path(tmpdir, mock_gnupghome, monkeypatch, mutable_config):
monkeypatch.setenv("PATH", str(tmpdir))
bootstrap("disable")
with pytest.raises(RuntimeError):
spack.util.gpg.init(force=True)
@pytest.mark.maybeslow
def test_gpg(tmpdir, mutable_config, mock_gnupghome):
# Verify a file with an empty keyring.
with pytest.raises(ProcessError):
gpg("verify", os.path.join(mock_gpg_data_path, "content.txt"))
# Import the default key.
gpg("init", "--from", mock_gpg_keys_path)
# List the keys.
# TODO: Test the output here.
gpg("list", "--trusted")
gpg("list", "--signing")
# Verify the file now that the key has been trusted.
gpg("verify", os.path.join(mock_gpg_data_path, "content.txt"))
# Untrust the default key.
gpg("untrust", "Spack testing")
# Now that the key is untrusted, verification should fail.
with pytest.raises(ProcessError):
gpg("verify", os.path.join(mock_gpg_data_path, "content.txt"))
# Create a file to test signing.
test_path = tmpdir.join("to-sign.txt")
with open(str(test_path), "w+") as fout:
fout.write("Test content for signing.\n")
# Signing without a private key should fail.
with pytest.raises(RuntimeError) as exc_info:
gpg("sign", str(test_path))
assert exc_info.value.args[0] == "no signing keys are available"
# Create a key for use in the tests.
keypath = tmpdir.join("testing-1.key")
gpg(
"create",
"--comment",
"Spack testing key",
"--export",
str(keypath),
"Spack testing 1",
"spack@googlegroups.com",
)
keyfp = spack.util.gpg.signing_keys()[0]
# List the keys.
# TODO: Test the output here.
gpg("list")
gpg("list", "--trusted")
gpg("list", "--signing")
# Signing with the default (only) key.
gpg("sign", str(test_path))
# Verify the file we just verified.
gpg("verify", str(test_path))
# Export the key for future use.
export_path = tmpdir.join("export.testing.key")
gpg("export", str(export_path))
# Test exporting the private key
private_export_path = tmpdir.join("export-secret.testing.key")
gpg("export", "--secret", str(private_export_path))
# Ensure we exported the right content!
with open(str(private_export_path), "r") as fd:
content = fd.read()
assert "BEGIN PGP PRIVATE KEY BLOCK" in content
# and for the public key
with open(str(export_path), "r") as fd:
content = fd.read()
assert "BEGIN PGP PUBLIC KEY BLOCK" in content
# Create a second key for use in the tests.
gpg("create", "--comment", "Spack testing key", "Spack testing 2", "spack@googlegroups.com")
# List the keys.
# TODO: Test the output here.
gpg("list", "--trusted")
gpg("list", "--signing")
test_path = tmpdir.join("to-sign-2.txt")
with open(str(test_path), "w+") as fout:
fout.write("Test content for signing.\n")
# Signing with multiple signing keys is ambiguous.
with pytest.raises(RuntimeError) as exc_info:
gpg("sign", str(test_path))
assert exc_info.value.args[0] == "multiple signing keys are available; please choose one"
# Signing with a specified key.
gpg("sign", "--key", keyfp, str(test_path))
# Untrusting signing keys needs a flag.
with pytest.raises(ProcessError):
gpg("untrust", "Spack testing 1")
# Untrust the key we created.
gpg("untrust", "--signing", keyfp)
# Verification should now fail.
with pytest.raises(ProcessError):
gpg("verify", str(test_path))
# Trust the exported key.
gpg("trust", str(export_path))
# Verification should now succeed again.
gpg("verify", str(test_path))
# Publish the keys using a directory path
test_path = tmpdir.join("dir_cache")
os.makedirs("%s" % test_path)
gpg("publish", "--rebuild-index", "-d", str(test_path))
assert os.path.exists("%s/build_cache/_pgp/index.json" % test_path)
# Publish the keys using a mirror url
test_path = tmpdir.join("url_cache")
os.makedirs("%s" % test_path)
test_url = "file://%s" % test_path
gpg("publish", "--rebuild-index", "--mirror-url", test_url)
assert os.path.exists("%s/build_cache/_pgp/index.json" % test_path)
# Publish the keys using a mirror name
test_path = tmpdir.join("named_cache")
os.makedirs("%s" % test_path)
mirror_url = "file://%s" % test_path
mirror("add", "gpg", mirror_url)
gpg("publish", "--rebuild-index", "-m", "gpg")
assert os.path.exists("%s/build_cache/_pgp/index.json" % test_path)
|
