Exemple #1
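def test_add_signature_sha384(tmpdir, test_keys):
    """Sign a MAR's sha384 digest out of band, attach it, and verify the result.

    Steps: write a scratch copy through ``add_signature_block``, hash that
    copy, sign the digest with the 4096-bit test key, attach the detached
    signature to the original MAR through the CLI, then verify the output
    with the matching public key.
    """
    tmpmar = tmpdir.join('test.mar')
    with open(TEST_MAR_XZ, 'rb') as f:
        with tmpmar.open('wb') as dst:
            # Presumably writes a copy carrying a sha384 signature slot so the
            # digest below covers the final layout -- confirm in add_signature_block.
            add_signature_block(f, dst, 'sha384')

    # Open the file in its own `with` so the handle is closed deterministically
    # instead of depending on MarReader to close the object it wraps.
    with tmpmar.open('rb') as f:
        with MarReader(f) as m:
            hashes = m.calculate_hashes()
    # Pinned (algorithm id, digest) pair: a change in what gets hashed shows up here.
    assert hashes == [(2, b'\x08>\x82\x8d$\xbb\xa6Cg\xca\x15L\x9c\xf1\xde\x170\xbe\xeb8]\x17\xb9\xfdB\xa9\xd6\xf1(y\'\xf44\x1f\x01c%\xd4\x92\x1avm!\t\xd9\xc4\xfbv')]

    h = hashes[0][1]

    priv, pub = test_keys[4096]
    sig = sign_hash(priv, h, 'sha384')

    sigfile = tmpdir.join('signature')
    with sigfile.open('wb') as f:
        f.write(sig)

    tmpmar = tmpdir.join('output.mar')
    cli.do_add_signature(TEST_MAR_XZ, str(tmpmar), str(sigfile))

    # Verification uses the public half of the same test pair, so this proves
    # the sign/attach/verify round trip, not trust in any production key.
    pubkey = tmpdir.join('pubkey')
    with pubkey.open('wb') as f:
        f.write(pub)
    assert cli.do_verify(str(tmpmar), [str(pubkey)])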
Exemple #2
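def test_verify(tmpdir):
    """Check do_verify with built-in key aliases, bad input, and a key file.

    In this version of the CLI the failure paths exercised here terminate
    with SystemExit instead of returning False, so a bare call inside
    ``raises(SystemExit)`` is the whole assertion.
    """
    assert cli.do_verify(TEST_MAR_BZ2, [':mozilla-release'])
    # NOTE(review): no key is supplied here, so this presumably only checks that
    # the file parses, not that any signature is valid -- confirm in do_verify.
    assert cli.do_verify(TEST_MAR_BZ2)

    # A key that did not sign the file must fail closed. The original wrapped
    # these calls in `assert not ...`, which is never evaluated once the call
    # exits and wrongly suggests that a False return is expected.
    for wrong_alias in (':mozilla-nightly', ':mozilla-dep'):
        with raises(SystemExit):
            cli.do_verify(TEST_MAR_BZ2, [wrong_alias])

    # Unknown key alias.
    with raises(SystemExit):
        cli.do_verify(TEST_MAR_BZ2, [':mozilla-foo'])

    # Input that is not a MAR at all (this test module's own source file).
    with raises(SystemExit):
        cli.do_verify(__file__)

    # Same key material supplied as a file path instead of an alias.
    keyfile = tmpdir.join('release.pem')
    keyfile.write(mozilla.release1_sha1)
    assert cli.do_verify(TEST_MAR_BZ2, [str(keyfile)])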
Exemple #3
async def test_integration_autograph_mar(context, tmpdir):
    """Run the signing task end to end on two partial MARs and verify the output.

    The task is crafted with the ``autograph_mar384`` signing format. Each
    resulting artifact must verify against the test public key stored in the
    test data directory.
    """
    mar_names = ['partial1.mar', 'partial2.mar']
    for mar_name in mar_names:
        _copy_files_to_work_dir(mar_name, context)

    context.config['signing_server_config'] = _write_server_config(tmpdir)
    context.task = _craft_task(mar_names, signing_format='autograph_mar384')

    await async_main(context)

    # Verify against one specific public key, so an artifact signed by any
    # other key fails the test.
    expected_pub_key = os.path.join(TEST_DATA_DIR, 'autograph_mar.pub')
    artifact_dir = context.config['artifact_dir']
    for mar_name in mar_names:
        signed_mar = os.path.join(artifact_dir, mar_name)
        assert do_verify(signed_mar, keyfiles=[expected_pub_key]), "Mar signature doesn't match expected key"
Exemple #4
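def test_verify_malformed(mar_sha384, tmpdir):
    """Verification of a MAR with a corrupted index must exit, not succeed.

    A copy of the sha384 fixture has four bytes overwritten 8 bytes past the
    offset recorded in its header as ``index_offset``; ``do_verify`` is then
    expected to terminate with SystemExit.
    """
    tmpmar = tmpdir.join('test.mar')
    mar_sha384.copy(tmpmar)
    with tmpmar.open('r+b') as f:
        # Read the index offset from the intact file before corrupting it.
        with MarReader(f) as m:
            offset = m.mardata.header.index_offset
            offset += 8

        # Mess with the mar's file offsets
        f.seek(offset)
        f.write(b'\x12\x34\x56\x78')

    # The original wrapped this call in `assert not ...`, which is never
    # evaluated once the call exits; the expected outcome is the exit itself.
    with raises(SystemExit):
        cli.do_verify(str(tmpmar))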
Exemple #5
def test_verify(tmpdir):
    """Check do_verify with built-in key aliases and with a key file.

    In this version a non-matching key makes do_verify return a falsy value,
    and an unknown alias raises ValueError.
    """
    assert cli.do_verify(TEST_MAR, [':mozilla-release'])

    # Keys that did not sign the file must not verify it.
    for wrong_alias in (':mozilla-nightly', ':mozilla-dep'):
        assert not cli.do_verify(TEST_MAR, [wrong_alias])

    # An alias that names no known key is rejected.
    with raises(ValueError):
        cli.do_verify(TEST_MAR, [':mozilla-foo'])

    # Same key material supplied as a file path instead of an alias.
    release_pem = tmpdir.join('release.pem')
    release_pem.write(mozilla.release1_sha1)
    assert cli.do_verify(TEST_MAR, [str(release_pem)])
async def test_integration_autograph_mar_sign_hash(context, tmpdir, mocker):
    """Run the hash-only MAR signing task end to end and verify the output.

    The task is crafted with the ``autograph_hash_only_mar384`` signing
    format. ``signingscript.sign.verify_mar_signature`` is replaced with a
    no-op for the duration of the test.
    """

    def _skip_verification(*args):
        return None

    mar_names = ["partial1.mar", "partial2.mar"]
    for mar_name in mar_names:
        _copy_files_to_work_dir(mar_name, context)

    # NOTE(review): this stubs out the script's own signature check, so the
    # do_verify calls at the end are the only signature validation the test
    # performs. The stub accepts positional arguments only.
    mocker.patch("signingscript.sign.verify_mar_signature", new=_skip_verification)
    context.config["signing_server_config"] = _write_server_config(tmpdir)
    context.task = _craft_task(mar_names, signing_format="autograph_hash_only_mar384")

    await async_main(context)

    # Verify against one specific public key, so an artifact signed by any
    # other key fails the test.
    expected_pub_key = os.path.join(TEST_DATA_DIR, "autograph_mar.pub")
    artifact_dir = context.config["artifact_dir"]
    for mar_name in mar_names:
        signed_mar = os.path.join(artifact_dir, mar_name)
        assert do_verify(
            signed_mar, keyfiles=[expected_pub_key]
        ), "Mar signature doesn't match expected key"
Exemple #7
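def test_add_signature_sha1(tmpdir, test_keys):
    """Sign a MAR's sha1 digest out of band, attach it, and verify the result.

    Steps: hash the bz2 fixture, sign the digest with the 2048-bit test key,
    attach the detached signature through the CLI, then verify the output
    with the matching public key.
    """
    # Open the file in its own `with` so the handle is closed deterministically;
    # the original passed a bare open() to MarReader and never closed it itself.
    with open(TEST_MAR_BZ2, 'rb') as f:
        with MarReader(f) as m:
            hashes = m.calculate_hashes()
    # Pinned (algorithm id, digest) pair: a change in what gets hashed shows up here.
    assert hashes == [(1, b'\xcd%\x0e\x82z%7\xdb\x96\xb4^\x063ZFV8\xfa\xe8k')]

    h = hashes[0][1]

    # SHA-1 is no longer collision-resistant; this test covers the sha1
    # signature type as a supported format, not as a recommended one.
    priv, pub = test_keys[2048]
    sig = sign_hash(priv, h, 'sha1')

    sigfile = tmpdir.join('signature')
    with sigfile.open('wb') as f:
        f.write(sig)

    tmpmar = tmpdir.join('output.mar')
    cli.do_add_signature(TEST_MAR_BZ2, str(tmpmar), str(sigfile))

    # Verification uses the public half of the same test pair, so this proves
    # the sign/attach/verify round trip, not trust in any production key.
    pubkey = tmpdir.join('pubkey')
    with pubkey.open('wb') as f:
        f.write(pub)
    assert cli.do_verify(str(tmpmar), [str(pubkey)])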