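def test_add_signature_sha384(tmpdir, test_keys):
    """Round-trip a sha384 signature: hash the MAR, sign, attach, verify.

    Only the matching-key path is asserted here; rejection of a wrong key is
    not exercised by this test.
    """
    # Produce test.mar from the XZ fixture via add_signature_block; this is
    # the file whose hashes are calculated below.
    hashed_mar = tmpdir.join('test.mar')
    with open(TEST_MAR_XZ, 'rb') as src, hashed_mar.open('wb') as dst:
        add_signature_block(src, dst, 'sha384')

    # Open the handle in its own ``with`` so it is closed deterministically,
    # whether or not MarReader closes the file object it is given.
    with hashed_mar.open('rb') as fh, MarReader(fh) as m:
        hashes = m.calculate_hashes()
    # Pinned digest for the fixture. The leading 2 is presumably the MAR
    # algorithm id for sha384 -- confirm against calculate_hashes().
    assert hashes == [(2, b'\x08>\x82\x8d$\xbb\xa6Cg\xca\x15L\x9c\xf1\xde\x170\xbe\xeb8]\x17\xb9\xfdB\xa9\xd6\xf1(y\'\xf44\x1f\x01c%\xd4\x92\x1avm!\t\xd9\xc4\xfbv')]

    digest = hashes[0][1]

    # test_keys is indexed by 4096 here (presumably the key size in bits).
    priv, pub = test_keys[4096]
    sig = sign_hash(priv, digest, 'sha384')

    sigfile = tmpdir.join('signature')
    with sigfile.open('wb') as f:
        f.write(sig)

    # Attach the detached signature to the original fixture, writing a new
    # output file (distinct from the intermediate test.mar above).
    signed_mar = tmpdir.join('output.mar')
    cli.do_add_signature(TEST_MAR_XZ, str(signed_mar), str(sigfile))

    pubkey = tmpdir.join('pubkey')
    with pubkey.open('wb') as f:
        f.write(pub)

    # The signed output must verify against the public half of the signing key.
    assert cli.do_verify(str(signed_mar), [str(pubkey)])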
def test_verify(tmpdir):
    """Check do_verify accepts the release key and exits on every bad input.

    Covers: the built-in release key alias, a call with no keys, two wrong
    key aliases, an unknown alias, a non-MAR file, and a key loaded from disk.
    """
    # Positive case: the fixture verifies against the built-in release alias.
    assert cli.do_verify(TEST_MAR_BZ2, [':mozilla-release'])

    # NOTE(review): no key is supplied here, so this call cannot be checking
    # the signature against a chosen trusted key -- presumably it only checks
    # that the file is well formed; confirm against do_verify.
    assert cli.do_verify(TEST_MAR_BZ2)

    # Wrong keys must not verify. do_verify is expected to exit; the inner
    # ``assert not`` additionally fails the test if it returns a truthy value.
    for wrong_alias in (':mozilla-nightly', ':mozilla-dep'):
        with raises(SystemExit):
            assert not cli.do_verify(TEST_MAR_BZ2, [wrong_alias])

    # An alias that names no known key set must also exit.
    with raises(SystemExit):
        cli.do_verify(TEST_MAR_BZ2, [':mozilla-foo'])

    # This Python source file is not a MAR; verifying it must exit.
    with raises(SystemExit):
        cli.do_verify(__file__)

    # Same release key, but supplied as a file path instead of an alias.
    release_pem = tmpdir.join('release.pem')
    release_pem.write(mozilla.release1_sha1)
    assert cli.do_verify(TEST_MAR_BZ2, [str(release_pem)])
async def test_integration_autograph_mar(context, tmpdir):
    """Sign two partial MARs with 'autograph_mar384' and verify the results.

    Each signed artifact must verify against the public key stored in the
    test data directory.
    """
    file_names = ['partial1.mar', 'partial2.mar']
    for name in file_names:
        _copy_files_to_work_dir(name, context)

    context.config['signing_server_config'] = _write_server_config(tmpdir)
    context.task = _craft_task(file_names, signing_format='autograph_mar384')

    await async_main(context)

    # Verify against a key pinned in the test data, not one taken from the
    # signing response.
    mar_pub_key_path = os.path.join(TEST_DATA_DIR, 'autograph_mar.pub')
    for name in file_names:
        signed_path = os.path.join(context.config['artifact_dir'], name)
        assert do_verify(signed_path, keyfiles=[mar_pub_key_path]), \
            "Mar signature doesn't match expected key"
def test_verify_malformed(mar_sha384, tmpdir):
    """Check that do_verify exits on a MAR whose bytes were tampered with.

    Four bytes are overwritten 8 bytes past the header's index_offset in a
    copy of the fixture; verification of that copy must not succeed.
    """
    corrupted = tmpdir.join('test.mar')
    mar_sha384.copy(corrupted)

    with corrupted.open('r+b') as fh:
        with MarReader(fh) as reader:
            # Mess with the mar's file offsets
            target = reader.mardata.header.index_offset + 8
            fh.seek(target)
            fh.write(b'\x12\x34\x56\x78')
            fh.seek(0)

    # do_verify is expected to exit; the inner ``assert not`` also fails the
    # test if it returns a truthy value for the corrupted file.
    with raises(SystemExit):
        assert not cli.do_verify(str(corrupted))
def test_verify(tmpdir):
    """Check do_verify against the right key, wrong keys and an unknown alias.

    In this version wrong keys yield a falsy return value and an unknown key
    alias raises ValueError.
    """
    # Positive case: the fixture verifies against the built-in release alias.
    assert cli.do_verify(TEST_MAR, [':mozilla-release'])

    # Wrong keys must not verify.
    for wrong_alias in (':mozilla-nightly', ':mozilla-dep'):
        assert not cli.do_verify(TEST_MAR, [wrong_alias])

    # An alias that names no known key set is rejected outright.
    with raises(ValueError):
        cli.do_verify(TEST_MAR, [':mozilla-foo'])

    # Same release key, but supplied as a file path instead of an alias.
    release_pem = tmpdir.join('release.pem')
    release_pem.write(mozilla.release1_sha1)
    assert cli.do_verify(TEST_MAR, [str(release_pem)])
async def test_integration_autograph_mar_sign_hash(context, tmpdir, mocker):
    """Sign two partial MARs with 'autograph_hash_only_mar384' and verify them.

    ``signingscript.sign.verify_mar_signature`` is replaced with a no-op for
    the duration of the test, so the final ``do_verify`` call is what this
    test relies on to check the signature.
    """
    file_names = ["partial1.mar", "partial2.mar"]
    for name in file_names:
        _copy_files_to_work_dir(name, context)

    # The patched function does nothing and returns None; any failure it would
    # have reported is therefore invisible until do_verify runs below.
    mocker.patch("signingscript.sign.verify_mar_signature", new=lambda *args: None)
    context.config["signing_server_config"] = _write_server_config(tmpdir)
    context.task = _craft_task(file_names, signing_format="autograph_hash_only_mar384")

    await async_main(context)

    # Verify against a key pinned in the test data, not one taken from the
    # signing response.
    mar_pub_key_path = os.path.join(TEST_DATA_DIR, "autograph_mar.pub")
    for name in file_names:
        signed_path = os.path.join(context.config["artifact_dir"], name)
        assert do_verify(signed_path, keyfiles=[mar_pub_key_path]), \
            "Mar signature doesn't match expected key"
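def test_add_signature_sha1(tmpdir, test_keys):
    """Round-trip a sha1 signature: hash the MAR, sign, attach, verify.

    Only the matching-key path is asserted here; rejection of a wrong key is
    not exercised by this test.
    """
    # Open the fixture in its own ``with`` so the handle is closed
    # deterministically, whether or not MarReader closes the file object it
    # is given.
    with open(TEST_MAR_BZ2, 'rb') as fh, MarReader(fh) as m:
        hashes = m.calculate_hashes()
    # Pinned digest for the fixture. The leading 1 is presumably the MAR
    # algorithm id for sha1 -- confirm against calculate_hashes().
    assert hashes == [(1, b'\xcd%\x0e\x82z%7\xdb\x96\xb4^\x063ZFV8\xfa\xe8k')]

    digest = hashes[0][1]

    # test_keys is indexed by 2048 here (presumably the key size in bits).
    # NOTE(review): SHA-1 is no longer collision resistant; this looks like
    # coverage for a legacy signature format -- confirm it is not the format
    # used for new signing.
    priv, pub = test_keys[2048]
    sig = sign_hash(priv, digest, 'sha1')

    sigfile = tmpdir.join('signature')
    with sigfile.open('wb') as f:
        f.write(sig)

    # Attach the detached signature to the fixture, writing a new output file.
    signed_mar = tmpdir.join('output.mar')
    cli.do_add_signature(TEST_MAR_BZ2, str(signed_mar), str(sigfile))

    pubkey = tmpdir.join('pubkey')
    with pubkey.open('wb') as f:
        f.write(pub)

    # The signed output must verify against the public half of the signing key.
    assert cli.do_verify(str(signed_mar), [str(pubkey)])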