Example #1
0
def test_generate_cot(artifacts, context):
    path = os.path.join(context.config['work_dir'], "foo")
    signed_body = cot.generate_cot(context, path=path)
    with open(path, "r") as fh:
        assert fh.read() == signed_body
    body = sgpg.get_body(sgpg.GPG(context), signed_body)
    log.info(body)
    assert body.rstrip() == cot.format_json(cot.generate_cot_body(context))
Example #2
0
def verify_cot_signatures(chain):
    """Verify the signatures of the chain of trust artifacts populated in ``download_cot``.

    Populate each link.cot with the chain of trust json body.

    Args:
        chain (ChainOfTrust): the chain of trust to add to.

    Raises:
        CoTError: on failure.
    """
    for link in chain.links:
        path = link.get_artifact_full_path('public/chainOfTrust.json.asc')
        gpg_home = os.path.join(chain.context.config['base_gpg_home_dir'],
                                link.worker_impl)
        gpg = GPG(chain.context, gpg_home=gpg_home)
        log.debug(
            "Verifying the {} {} chain of trust signature against {}".format(
                link.name, link.task_id, gpg_home))
        try:
            with open(path, "r") as fh:
                contents = fh.read()
        except OSError as exc:
            raise CoTError("Can't read {}: {}!".format(path, str(exc)))
        try:
            # TODO remove verify_sig pref and kwarg when git repo pubkey
            # verification works reliably!
            body = get_body(
                gpg,
                contents,
                verify_sig=chain.context.config['verify_cot_signature'])
        except ScriptWorkerGPGException as exc:
            raise CoTError(
                "GPG Error verifying chain of trust for {}: {}!".format(
                    path, str(exc)))
        link.cot = load_json(
            body,
            exception=CoTError,
            message="{} {}: Invalid cot json body! %(exc)s".format(
                link.name, link.task_id))
        unsigned_path = link.get_artifact_full_path('chainOfTrust.json')
        log.debug("Good.  Writing json contents to {}".format(unsigned_path))
        with open(unsigned_path, "w") as fh:
            fh.write(format_json(link.cot))
def check_sigs(context, manifest, pubkey_dir, trusted_emails=None):
    messages = []
    gpg = sgpg.GPG(context)
    for fingerprint, info in manifest.items():
        try:
            with open(
                    os.path.join(pubkey_dir, "data",
                                 "{}.asc".format(fingerprint))) as fh:
                message = sgpg.get_body(gpg, fh.read())
            if message != info['message'] + '\n':
                messages.append(
                    "Unexpected message '{}', expected '{}'".format(
                        message, info['message']))
        except ScriptWorkerGPGException as exc:
            if trusted_emails and info['signing_email'] not in trusted_emails:
                pass
            else:
                messages.append("{} {} error: {}".format(
                    fingerprint, info['signing_email'], str(exc)))
    return messages
 def check_body(gpg):
     body = sgpg.get_body(gpg, dstr, verify_sig=False)
     assert json.loads(body) == d
def test_get_body(base_context, text, params, verify_sig):
    gpg = sgpg.GPG(base_context)
    data = sgpg.sign(gpg, text, keyid=params[1]["fingerprint"])
    if not text.endswith('\n'):
        text = "{}\n".format(text)
    assert sgpg.get_body(gpg, data, verify_sig=verify_sig) == text