def test_gpg_verify_trusted_dir(self):
"""
gpg_verify uses keys from the trusted.gpg.d if such a folder exists.
"""
apt_dir = self.makeDir()
os.mkdir("{}/trusted.gpg.d".format(apt_dir))
os.mknod("{}/trusted.gpg.d/foo.gpg".format(apt_dir))
os.mknod("{}/trusted.gpg.d/baz.gpg".format(apt_dir))
os.mknod("{}/trusted.gpg.d/bad.gpg~".format(apt_dir))
gpg_call = self.makeFile()
fake_gpg = self.makeFile(
textwrap.dedent("""\
#!/bin/sh
touch $3/trustdb.gpg
echo -n $@ > {}
""").format(gpg_call))
os.chmod(fake_gpg, 0o755)
gpg_home = self.makeDir()
with mock.patch("tempfile.mkdtemp", return_value=gpg_home):
yield gpg_verify("/some/file",
"/some/signature",
gpg=fake_gpg,
apt_dir=apt_dir)
expected = ("--no-options --homedir {gpg_home} --no-default-keyring "
"--ignore-time-conflict "
"--keyring {apt_dir}/trusted.gpg.d/baz.gpg "
"--keyring {apt_dir}/trusted.gpg.d/foo.gpg "
"--verify /some/signature /some/file").format(
gpg_home=gpg_home, apt_dir=apt_dir)
with open(gpg_call) as call:
self.assertEqual(expected, call.read())
self.assertFalse(os.path.exists(gpg_home))
def do_test(mkdtemp_mock):
mkdtemp_mock.return_value = gpg_home
result = gpg_verify("/some/file", "/some/signature", gpg=gpg)
def check_failure(failure):
self.assertEqual(
str(failure.value), "%s failed (out='out\n', err='err\n', "
"code='1')" % gpg)
self.assertFalse(os.path.exists(gpg_home))
result.addCallback(self.fail)
result.addErrback(check_failure)
result.chainDeferred(deferred)
def do_test(mkdtemp_mock):
mkdtemp_mock.return_value = gpg_home
result = gpg_verify("/some/file", "/some/signature", gpg=gpg)
def check_result(ignored):
self.assertEqual(
open(gpg_options).read(),
"--no-options --homedir %s --no-default-keyring "
"--ignore-time-conflict --keyring /etc/apt/trusted.gpg "
"--verify /some/signature /some/file" % gpg_home)
self.assertFalse(os.path.exists(gpg_home))
result.addCallback(check_result)
result.chainDeferred(deferred)
def verify(self, tarball_filename, signature_filename):
"""Verify the upgrade-tool tarball against its signature.
@param tarball_filename: The filename of the upgrade-tool tarball.
@param signature_filename: The filename of the tarball signature.
"""
result = gpg_verify(tarball_filename, signature_filename)
def log_success(ignored):
logging.info("Successfully verified upgrade-tool tarball")
def log_failure(failure):
logging.warning("Invalid signature for upgrade-tool tarball: %s" %
str(failure.value))
return failure
result.addCallback(log_success)
result.addErrback(log_failure)
return result