def test_generate_cot(artifacts, context):
path = os.path.join(context.config['work_dir'], "foo")
signed_body = cot.generate_cot(context, path=path)
with open(path, "r") as fh:
assert fh.read() == signed_body
body = sgpg.get_body(sgpg.GPG(context), signed_body)
log.info(body)
assert body.rstrip() == cot.format_json(cot.generate_cot_body(context))
def verify_cot_signatures(chain):
"""Verify the signatures of the chain of trust artifacts populated in ``download_cot``.
Populate each link.cot with the chain of trust json body.
Args:
chain (ChainOfTrust): the chain of trust to add to.
Raises:
CoTError: on failure.
"""
for link in chain.links:
path = link.get_artifact_full_path('public/chainOfTrust.json.asc')
gpg_home = os.path.join(chain.context.config['base_gpg_home_dir'],
link.worker_impl)
gpg = GPG(chain.context, gpg_home=gpg_home)
log.debug(
"Verifying the {} {} chain of trust signature against {}".format(
link.name, link.task_id, gpg_home))
try:
with open(path, "r") as fh:
contents = fh.read()
except OSError as exc:
raise CoTError("Can't read {}: {}!".format(path, str(exc)))
try:
# TODO remove verify_sig pref and kwarg when git repo pubkey
# verification works reliably!
body = get_body(
gpg,
contents,
verify_sig=chain.context.config['verify_cot_signature'])
except ScriptWorkerGPGException as exc:
raise CoTError(
"GPG Error verifying chain of trust for {}: {}!".format(
path, str(exc)))
link.cot = load_json(
body,
exception=CoTError,
message="{} {}: Invalid cot json body! %(exc)s".format(
link.name, link.task_id))
unsigned_path = link.get_artifact_full_path('chainOfTrust.json')
log.debug("Good. Writing json contents to {}".format(unsigned_path))
with open(unsigned_path, "w") as fh:
fh.write(format_json(link.cot))
def check_sigs(context, manifest, pubkey_dir, trusted_emails=None):
messages = []
gpg = sgpg.GPG(context)
for fingerprint, info in manifest.items():
try:
with open(
os.path.join(pubkey_dir, "data",
"{}.asc".format(fingerprint))) as fh:
message = sgpg.get_body(gpg, fh.read())
if message != info['message'] + '\n':
messages.append(
"Unexpected message '{}', expected '{}'".format(
message, info['message']))
except ScriptWorkerGPGException as exc:
if trusted_emails and info['signing_email'] not in trusted_emails:
pass
else:
messages.append("{} {} error: {}".format(
fingerprint, info['signing_email'], str(exc)))
return messages
def check_body(gpg):
body = sgpg.get_body(gpg, dstr, verify_sig=False)
assert json.loads(body) == d
def test_get_body(base_context, text, params, verify_sig):
gpg = sgpg.GPG(base_context)
data = sgpg.sign(gpg, text, keyid=params[1]["fingerprint"])
if not text.endswith('\n'):
text = "{}\n".format(text)
assert sgpg.get_body(gpg, data, verify_sig=verify_sig) == text
