def test_rebuild_gpg_home_signed(context, trusted_email, tmpdir):
    """Rebuild a signed gpg home and verify signatures made by the trusted key.

    The key files matching ``trusted_email`` are staged in ``tmpdir``, the gpg
    home is rebuilt from them, and every signed pubkey listed in the manifest
    is imported.  Keys whose manifest entry names ``trusted_email`` as the
    signer must carry that signer's keyid, and ``check_sigs`` must report no
    messages.
    """
    gpg = sgpg.GPG(context)

    # Stage only the files for the signer under test, so the rebuilt home is
    # given exactly one trusted key directory entry to work from.
    trusted_key_glob = os.path.join(GPG_HOME, "keys", "{}.*".format(trusted_email))
    for src in glob.glob(trusted_key_glob):
        shutil.copyfile(src, os.path.join(tmpdir, os.path.basename(src)))

    my_key_base = KEYS_AND_FINGERPRINTS[0][2]
    sgpg.rebuild_gpg_home_signed(
        context,
        context.config['gpg_home'],
        "{}{}".format(my_key_base, ".pub"),
        "{}{}".format(my_key_base, ".sec"),
        tmpdir,
    )

    manifest_path = os.path.join(PUBKEY_DIR, "manifest.json")
    with open(manifest_path) as manifest_fh:
        manifest = json.load(manifest_fh)

    for fingerprint, info in manifest.items():
        signed_key_path = os.path.join(PUBKEY_DIR, info['signed_path'])
        with open(signed_key_path) as key_fh:
            sgpg.import_key(gpg, key_fh.read())
        if info['signing_email'] != trusted_email:
            # Signed by a different key: nothing to verify for this signer.
            continue
        # The return value is discarded; this relies on get_list_sigs_output
        # raising when the listed signatures do not match ``expected``.
        sgpg.get_list_sigs_output(
            context, fingerprint,
            expected={'sig_keyids': [info['signing_keyid']]},
        )

    # An empty list means check_sigs found nothing to complain about for any
    # manifest entry when only ``trusted_email`` is trusted.
    messages = check_sigs(
        context, manifest, PUBKEY_DIR, trusted_emails=[trusted_email]
    )
    assert messages == []
def test_sign_key_twice(context):
    """Signing a key with itself again must not raise.

    There is no assertion: the test passes when ``sign_key`` returns without
    an exception.  It does not inspect the keyring afterwards, so it does not
    prove that no duplicate signature was added.
    """
    gpg = sgpg.GPG(context)
    key_base = KEYS_AND_FINGERPRINTS[0][2]
    for suffix in (".sec", ".pub"):
        key_path = "{}{}".format(key_base, suffix)
        with open(key_path, "r") as key_fh:
            key_material = key_fh.read()
        # Only the first fingerprint of each import is kept; the value left
        # after the loop comes from the ".pub" import.
        fingerprint = sgpg.import_key(gpg, key_material)[0]

    # Keys already carry a self-signature, so signing the key with itself is a
    # second signature and should be a no-op.
    sgpg.sign_key(context, fingerprint, signing_key=fingerprint)
def test_import_single_key(context, suffix, return_type):
    """Import one fixture key file and check the fingerprint(s) reported.

    ``suffix`` selects which key file is read and ``return_type`` is passed
    through to ``import_key``.  With ``return_type == 'result'`` the
    fingerprints are pulled out of the returned entries; otherwise the return
    value is used as the fingerprint collection directly.
    """
    gpg = sgpg.GPG(context)
    key_path = "{}{}".format(KEYS_AND_FINGERPRINTS[0][2], suffix)
    with open(key_path, "r") as key_fh:
        key_material = key_fh.read()

    imported = sgpg.import_key(gpg, key_material, return_type=return_type)
    if return_type == 'result':
        fingerprints = [entry['fingerprint'] for entry in imported]
    else:
        fingerprints = imported

    # The .sec import reports its fingerprint twice, so compare as sets: the
    # check is that exactly the expected fingerprint came back, ignoring order
    # and duplicates.
    assert set(fingerprints) == {KEYS_AND_FINGERPRINTS[0][1]}
def test_sign_key_exportable(context, exportable):
    """Check that only exportable signatures are visible in a second gpg home.

    A new key is generated and signed in the first home with ``exportable``
    passed to ``sign_key``.  The signer's private key and both public keys are
    then exported and imported into a second home.  When ``exportable`` is
    true, the signature must be listed there; otherwise
    ``get_list_sigs_output`` must raise ``ScriptWorkerGPGException``.
    """
    # Derive both homes from the original config value before overwriting it.
    base_home = context.config['gpg_home']
    gpg_home2 = os.path.join(base_home, "two")
    context.config['gpg_home'] = os.path.join(base_home, "one")

    gpg = sgpg.GPG(context)
    gpg2 = sgpg.GPG(context, gpg_home=gpg_home2)

    signer = KEYS_AND_FINGERPRINTS[0]
    my_fingerprint = signer[1]
    my_keyid = signer[0]

    # Import the signer's secret and public key into the first home.
    for suffix in (".sec", ".pub"):
        key_path = "{}{}".format(signer[2], suffix)
        with open(key_path, "r") as key_fh:
            key_material = key_fh.read()
        sgpg.import_key(gpg, key_material)

    # Write a gpg.conf for each home, then check ownertrust in each.
    sgpg.create_gpg_conf(context.config['gpg_home'], my_fingerprint=my_fingerprint)
    sgpg.create_gpg_conf(gpg_home2, my_fingerprint=my_fingerprint)
    sgpg.check_ownertrust(context)
    sgpg.check_ownertrust(context, gpg_home=gpg_home2)

    # Generate the key that will receive the signature.
    # NOTE(review): GENERATE_KEY_SMALLER_KEY_SIZE is presumably a reduced key
    # length to keep the test fast; confirm it is never used outside tests.
    fingerprint = sgpg.generate_key(
        gpg, "one", "one", "one", key_length=GENERATE_KEY_SMALLER_KEY_SIZE
    )

    # Sign it; whether the signature is exportable is the variable under test.
    sgpg.sign_key(
        context, fingerprint, signing_key=my_fingerprint, exportable=exportable
    )

    # Move the signer's private key into the second home.
    exported_private = sgpg.export_key(gpg, my_fingerprint, private=True)
    sgpg.import_key(gpg2, exported_private)

    # Move both public keys into the second home.
    for fp in (my_fingerprint, fingerprint):
        exported_public = sgpg.export_key(gpg, fp)
        sgpg.import_key(gpg2, exported_public)

    # Look for the signer's keyid on the new key as seen from the second home.
    expected = {'sig_keyids': [my_keyid]}
    if not exportable:
        # The non-exportable signature is expected to be missing from the
        # second home, so the signature check has to fail loudly.
        with pytest.raises(ScriptWorkerGPGException):
            sgpg.get_list_sigs_output(
                context, fingerprint, gpg_home=gpg_home2, expected=expected
            )
        return
    sgpg.get_list_sigs_output(
        context, fingerprint, gpg_home=gpg_home2, expected=expected
    )