def test_invalid_wrong_signature_verbose(self, tmp_path, copy_keyring,
mock_msg_callback):
gpg = IcetrustUtils.pgp_init(tmp_path)
assert IcetrustUtils.pgp_verify(
gpg,
os.path.join(TEST_DIR, 'file1.txt'),
os.path.join(TEST_DIR, 'file1.SHA256SUMS.txt.sig'),
msg_callback=mock_msg_callback) is False
assert len(mock_msg_callback.messages) == 1
assert mock_msg_callback.messages[0] ==\
"[Errno 2] No such file or directory: 'test_data/file1.SHA256SUMS.txt.sig'"
def test_valid_file_verbose(self, tmp_path, copy_keyring,
mock_msg_callback):
gpg = IcetrustUtils.pgp_init(tmp_path)
assert IcetrustUtils.pgp_verify(gpg,
os.path.join(TEST_DIR, 'file1.txt'),
os.path.join(TEST_DIR,
'file1.txt.sig'),
msg_callback=mock_msg_callback) is True
assert len(mock_msg_callback.messages) == 2
assert mock_msg_callback.messages[
0] == '\n--- Results of verification ---'
assert '[GNUPG:] SIG_ID crXxiKwsoGFwp1pyl+csVQd53aA 2021-04-22 1619099716' in mock_msg_callback.messages[
1]
def pgp(verbose, filename, signaturefile, keyfile, keyid, keyserver):
"""Verify FILENAME via a PGP signature in SIGNATUREFILE using provided keys"""
# Check input parameters
if keyfile is None and (keyid is None or keyserver is None):
click.echo("ERROR: Either '--keyfile' or '--keyid/--keyserver' parameters must be set!")
sys.exit(2)
# Initialize PGP and import keys
gpg = IcetrustUtils.pgp_init(verbose)
import_result = IcetrustUtils.pgp_import_keys(gpg, keyfile=keyfile, keyid=keyid, keyserver=keyserver,
msg_callback=IcetrustUtils.process_verbose_flag(verbose))
if import_result is False:
_process_result(import_result)
# Verify file
verification_result = IcetrustUtils.pgp_verify(gpg, filename, signaturefile,
msg_callback=IcetrustUtils.process_verbose_flag(verbose))
_process_result(verification_result)
def pgpchecksumfile(verbose, filename, checksumfile, signaturefile, algorithm, keyfile, keyid, keyserver):
"""Verify FILENAME via a PGP-signed CHECKSUMFILE, with a signature in SIGNATUREFILE using provided keys"""
# Check input parameters
if keyfile is None and (keyid is None or keyserver is None):
click.echo("ERROR: Either '--keyfile' or '--keyid/--keyserver' parameters must be set!")
sys.exit(2)
# Initialize PGP and import keys
gpg = IcetrustUtils.pgp_init(verbose)
import_result = IcetrustUtils.pgp_import_keys(gpg, keyfile=keyfile, keyid=keyid, keyserver=keyserver,
msg_callback=IcetrustUtils.process_verbose_flag(verbose))
if import_result is False:
_process_result(import_result)
# Verify checksums file
verification_result = IcetrustUtils.pgp_verify(gpg, checksumfile, signaturefile,
msg_callback=IcetrustUtils.process_verbose_flag(verbose))
if verification_result.status is False:
_process_result(verification_result)
# Check hash against the checksums file
checksum_valid = IcetrustUtils.verify_checksum(filename, algorithm, checksumfile=checksumfile,
msg_callback=IcetrustUtils.process_verbose_flag(verbose))
_process_result(checksum_valid)
def test_valid_checksums(self, tmp_path, copy_keyring):
gpg = IcetrustUtils.pgp_init(tmp_path)
assert IcetrustUtils.pgp_verify(
gpg, os.path.join(TEST_DIR, 'file1.txt.SHA256SUMS'),
os.path.join(TEST_DIR, 'file1.txt.SHA256SUMS.sig')) is True
def test_invalid_invalid_signature(self, tmp_path, copy_keyring):
gpg = IcetrustUtils.pgp_init(tmp_path)
assert IcetrustUtils.pgp_verify(gpg, os.path.join(
TEST_DIR, 'file1.txt'), os.path.join(TEST_DIR,
'file2.txt')) is False
def test_invalid_file_doesnt_exist(self, tmp_path, copy_keyring):
gpg = IcetrustUtils.pgp_init(tmp_path)
assert IcetrustUtils.pgp_verify(
gpg, os.path.join(TEST_DIR, 'foobar'),
os.path.join(TEST_DIR, 'file1.txt.sig')) is False
def canary(verbose, configfile, output_json, save_file):
"""Does a canary check against a project using information in CONFIGFILE"""
# Setup objects to be used
cmd_output = []
msg_callback = IcetrustUtils.process_verbose_flag(verbose)
# Validate the config file
config_data = IcetrustCanaryUtils.validate_config_file(configfile, msg_callback=msg_callback)
if config_data is None:
_process_result(False)
# Select the right mode
verification_mode =\
IcetrustCanaryUtils.get_verification_mode(config_data, msg_callback=msg_callback)
if verification_mode is None:
click.echo('Unknown verification mode in the config file!')
_process_result(False)
print('Using verification mode: ' + verification_mode.name)
# Extract verification data
verification_data = IcetrustCanaryUtils.extract_verification_data(config_data, verification_mode,
msg_callback=msg_callback)
# Check verification_data for warnings
if verbose:
IcetrustCanaryUtils.check_verification_data(config_data, verification_mode, verification_data,
msg_callback=msg_callback)
# Create temporary directory
temp_dir_obj = tempfile.TemporaryDirectory()
temp_dir = os.path.join(temp_dir_obj.name, '')
# Download all of the files required
IcetrustCanaryUtils.download_all_files(verification_mode, temp_dir, config_data['filename_url'],
verification_data, msg_callback=msg_callback)
# Import keys for those operations that need it
if verification_mode in [VerificationModes.PGP, VerificationModes.PGPCHECKSUMFILE]:
# Initialize PGP
gpg = IcetrustUtils.pgp_init(gpg_home_dir=temp_dir_obj.name)
# Import keys if needed
import_output = []
import_result = IcetrustCanaryUtils.import_key_material(gpg, temp_dir, verification_data,
cmd_output=import_output,
msg_callback=msg_callback)
if import_result is False:
if output_json is not None:
json_data = IcetrustCanaryUtils.generate_json(config_data, verification_mode, import_result,
import_output, os.path.join(temp_dir, FILENAME_FILE1),
msg_callback)
open(output_json, "w").write(json_data)
_process_result(import_result)
# Main operation code
verification_result = False
if verification_mode == VerificationModes.COMPARE_FILES:
verification_result = IcetrustUtils.compare_files(os.path.join(temp_dir, FILENAME_FILE1),
os.path.join(temp_dir, FILENAME_FILE2),
msg_callback=msg_callback, cmd_output=cmd_output)
elif verification_mode == VerificationModes.CHECKSUM:
algorithm = IcetrustCanaryUtils.get_algorithm(verification_data, msg_callback=msg_callback)
verification_result = IcetrustUtils.verify_checksum(os.path.join(temp_dir, FILENAME_FILE1), algorithm,
checksum_value=verification_data['checksum_value'],
msg_callback=msg_callback, cmd_output=cmd_output)
elif verification_mode == VerificationModes.CHECKSUMFILE:
algorithm = IcetrustCanaryUtils.get_algorithm(verification_data, msg_callback=msg_callback)
verification_result = IcetrustUtils.verify_checksum(os.path.join(temp_dir, FILENAME_FILE1), algorithm,
checksumfile=os.path.join(temp_dir, FILENAME_CHECKSUM),
msg_callback=msg_callback, cmd_output=cmd_output)
elif verification_mode == VerificationModes.PGP:
verification_result = IcetrustUtils.pgp_verify(gpg, os.path.join(temp_dir, FILENAME_FILE1),
os.path.join(temp_dir, FILENAME_SIGNATURE),
msg_callback=msg_callback, cmd_output=cmd_output)
elif verification_mode == VerificationModes.PGPCHECKSUMFILE:
# Verify the signature of the checksum file first
signature_result = IcetrustUtils.pgp_verify(gpg, os.path.join(temp_dir, FILENAME_CHECKSUM),
os.path.join(temp_dir, FILENAME_SIGNATURE),
msg_callback=msg_callback, cmd_output=cmd_output)
# Then verify the checksums themselves
if signature_result:
algorithm = IcetrustCanaryUtils.get_algorithm(verification_data, msg_callback=msg_callback)
verification_result = IcetrustUtils.verify_checksum(os.path.join(temp_dir, FILENAME_FILE1), algorithm,
checksumfile=os.path.join(temp_dir, FILENAME_CHECKSUM),
msg_callback=msg_callback, cmd_output=cmd_output)
else:
click.echo("ERROR: Verification mode not supported!")
sys.exit(-1)
# Compare previous version if needed
comparison_result = None
if 'previous_version' in config_data:
previous_file_path = os.path.join(os.getcwd(), config_data['previous_version'])
if os.path.exists(previous_file_path):
click.echo('\nComparing with previous version...')
comparison_result = IcetrustUtils.compare_files(config_data['previous_version'],
os.path.join(temp_dir, FILENAME_FILE1),
msg_callback=msg_callback)
if comparison_result:
click.echo('File matches previous version')
else:
click.echo('ERROR: File doesn\'t match previous version!')
# Saves the file if needed
if save_file is not None:
click.echo('\nSaving file...')
shutil.copy(os.path.join(temp_dir, FILENAME_FILE1), save_file)
# Generate JSON file if needed
if output_json is not None:
json_data = IcetrustCanaryUtils.generate_json(config_data, verification_mode,
verification_result, comparison_result,
cmd_output, os.path.join(temp_dir, FILENAME_FILE1),
msg_callback)
open(output_json, "w").write(json_data)
_process_result(verification_result)