def testTroveDisplaySigs(self):
# go through a lot of trouble to sign this trove.
# copied from sigtest.
self.addComponent('foo:runtime', '1.0')
from conary.lib import openpgpfile, openpgpkey
from conary.build import signtrove
fingerprint = 'F7440D78FE813C882212C2BF8AC2828190B1E477'
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
keyRing = open(resources.get_archive() + '/pubring.gpg')
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
# upload the public key
repos = self.openRepository()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
self.cfg.signatureKey = fingerprint
self.cfg.quiet = True
signtrove.signTroves(self.cfg, ["foo:runtime"])
rs, txt = self.captureOutput(queryrep.displayTroves,
self.cfg, ['foo:runtime'],
digSigs=True)
assert (txt.startswith('''\
foo:runtime=1.0-1-1
Digital Signature:
F7440D78FE813C882212C2BF8AC2828190B1E477:'''))
def testTroveDisplaySigs(self):
# go through a lot of trouble to sign this trove.
# copied from sigtest.
self.addComponent('foo:runtime', '1.0')
from conary.lib import openpgpfile, openpgpkey
from conary.build import signtrove
fingerprint = 'F7440D78FE813C882212C2BF8AC2828190B1E477'
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
keyRing = open(resources.get_archive() + '/pubring.gpg')
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
# upload the public key
repos = self.openRepository()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
self.cfg.signatureKey = fingerprint
self.cfg.quiet = True
signtrove.signTroves(self.cfg, [ "foo:runtime"])
rs, txt = self.captureOutput(queryrep.displayTroves, self.cfg,
['foo:runtime'],
digSigs=True)
assert(txt.startswith('''\
foo:runtime=1.0-1-1
Digital Signature:
F7440D78FE813C882212C2BF8AC2828190B1E477:'''))
def testChangeKeyOwner(self):
fingerprint = 'F7440D78FE813C882212C2BF8AC2828190B1E477'
# supply the pass phrase for our private key
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
self.addQuickTestComponent("test:source", "1.0-1-1")
self.cfg.signatureKey = fingerprint
self.cfg.quiet = True
repos = self.openRepository()
anotherRepos = self.setupUser(repos, self.cfg.buildLabel, 'another',
'anotherpass', None, None)
# put the public key into the repo
keyRing = open(
resources.get_path('conary_test', 'archive', 'pubring.gpg'))
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
repos.changePGPKeyOwner(self.cfg.buildLabel, 'another', fingerprint)
assert (repos.listUsersMainKeys(self.cfg.buildLabel,
'another')[0] == fingerprint)
def testMirror(self):
sourceRepos, targetRepos = self.createRepositories()
mirrorFile = self.createConfigurationFile()
# this is really ugly, but needed to ensure test consistency
db = self.servers.getServer(0).reposDB.connect()
cu = db.cursor()
# test simple trove mirroring
self.createTroves(sourceRepos, 1, 2, "1.0")
self.createTroves(sourceRepos, 1, 2, "2.0")
self.sleep(1.2)
self.createTroves(sourceRepos, 1, 2, "3.0")
# the following is just to get the trigger to fire
cu.execute("update Instances set changed=1")
db.commit()
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
# simulate multiple trove versions with the same mark
self.createTroves(sourceRepos, 10, 2, "1.0", "~foo")
self.createTroves(sourceRepos, 10, 2, "1.0", "~!foo")
self.createTroves(sourceRepos, 10, 2, "1.1")
# the following is just to get the trigger to fire
cu.execute("update Instances set changed=1")
db.commit()
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
# test mirroring of ascii keys
sourceRepos.addNewAsciiPGPKey(self.cfg.buildLabel, 'test',
sigtest.unexpiredKey)
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
# test mirroring of new trove signatures
self.createTroves(sourceRepos, 20, 2)
self.cfg.signatureKey = '7CCD34B5C5D9CD1F637F6743D4F8F127C267B79D'
signtrove.signTroves(self.cfg, ["test10:runtime", "test20:runtime"])
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
fprint = 'F7440D78FE813C882212C2BF8AC2828190B1E477'
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fprint, '111111')
self.cfg.signatureKey = fprint
keyRing = open(resources.get_archive() + '/pubring.gpg')
keyData = openpgpfile.exportKey(fprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
sourceRepos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
signtrove.signTroves(self.cfg, ["test11:runtime", "test21:runtime"])
self.createTroves(sourceRepos, 30, 2)
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
def testMirror(self):
sourceRepos, targetRepos = self.createRepositories()
mirrorFile = self.createConfigurationFile()
# this is really ugly, but needed to ensure test consistency
db = self.servers.getServer(0).reposDB.connect()
cu = db.cursor()
# test simple trove mirroring
self.createTroves(sourceRepos, 1, 2, "1.0")
self.createTroves(sourceRepos, 1, 2, "2.0")
self.sleep(1.2)
self.createTroves(sourceRepos, 1, 2, "3.0")
# the following is just to get the trigger to fire
cu.execute("update Instances set changed=1")
db.commit()
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
# simulate multiple trove versions with the same mark
self.createTroves(sourceRepos, 10, 2, "1.0", "~foo")
self.createTroves(sourceRepos, 10, 2, "1.0", "~!foo")
self.createTroves(sourceRepos, 10, 2, "1.1")
# the following is just to get the trigger to fire
cu.execute("update Instances set changed=1")
db.commit()
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
# test mirroring of ascii keys
sourceRepos.addNewAsciiPGPKey(self.cfg.buildLabel, 'test', sigtest.unexpiredKey)
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
# test mirroring of new trove signatures
self.createTroves(sourceRepos, 20, 2)
self.cfg.signatureKey = '7CCD34B5C5D9CD1F637F6743D4F8F127C267B79D'
signtrove.signTroves(self.cfg, [ "test10:runtime", "test20:runtime" ])
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
fprint='F7440D78FE813C882212C2BF8AC2828190B1E477'
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fprint, '111111')
self.cfg.signatureKey = fprint
keyRing = open(resources.get_archive() + '/pubring.gpg')
keyData = openpgpfile.exportKey(fprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
sourceRepos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
signtrove.signTroves(self.cfg, [ "test11:runtime", "test21:runtime" ])
self.createTroves(sourceRepos, 30, 2)
self.runMirror(mirrorFile)
self.compareRepositories(sourceRepos, targetRepos)
def _setupSignature(self, repos, fingerprint):
# supply the pass phrase for our private key
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
# get the public key
keyRing = open(resources.get_archive('pubring.gpg'))
if hasattr(openpgpfile, 'readKeyData'):
keyData = openpgpfile.readKeyData(keyRing, fingerprint)
else:
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
# upload the public key
repos = self.openRepository()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
self.buildCfg.signatureKey = fingerprint
def _setupSignature(self, repos, fingerprint):
# supply the pass phrase for our private key
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
# get the public key
keyRing = open(resources.get_archive('pubring.gpg'))
if hasattr(openpgpfile, 'readKeyData'):
keyData = openpgpfile.readKeyData(keyRing, fingerprint)
else:
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
# upload the public key
repos = self.openRepository()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
self.buildCfg.signatureKey = fingerprint
def testAddingSigs(self):
fingerprint = '95B457D16843B21EA3FC73BBC7C32FC1F94E405E'
# get the public key
keyRing = open(
resources.get_path('conary_test', 'archive', 'pubring.gpg'))
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
# force the repository to be setup before we use a broken password
# to access it
self.openRepository()
repos = self.getRepositoryClient(user='******', password='******')
self.assertRaises(errors.InsufficientPermission, repos.addNewPGPKey,
self.cfg.buildLabel, 'test', keyData)
self.assertRaises(errors.InsufficientPermission,
repos.addNewAsciiPGPKey, self.cfg.buildLabel, 'test',
unexpiredKey)
def testSignedCheckout(self):
fingerprint = 'F7440D78FE813C882212C2BF8AC2828190B1E477'
# supply the pass phrase for our private key
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
self.addQuickTestComponent("test:source", "1.0-1-1")
self.cfg.signatureKey = fingerprint
self.cfg.quiet = True
# put the public key into the repo
keyRing = open(
resources.get_path('conary_test', 'archive', 'pubring.gpg'))
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
repos = self.openRepository()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
signtrove.signTroves(self.cfg, ["test:source"])
# alter key's trust value and determine that the doUpdate
# code properly verifies trust thresholds
pubKey = keyCache.getPublicKey(fingerprint)
pubKey.trustLevel = openpgpfile.TRUST_UNTRUSTED
keyCache.publicDict[fingerprint] = pubKey
self.cfg.trustThreshold = openpgpfile.TRUST_ULTIMATE
self.logFilter.add()
try:
checkout(repos, self.cfg, self.workDir, ["test"])
self.fail("checkin.checkout did not properly verify trust levels")
except DigitalSignatureVerificationError:
self.logFilter.compare([
'warning: The trove test:source has '
'signatures generated with untrusted keys. You can either '
'resign the trove with a key that you trust, or add one of the '
'keys to the list of trusted keys (the trustedKeys '
'configuration option). The keys that were not trusted are: '
'90B1E477'
])
def _getKey(self, fingerprint, armored=False):
return openpgpfile.exportKey(fingerprint, self.pubringfn, armored=True)
def _getKey(self, fingerprint, armored=False):
return openpgpfile.exportKey(fingerprint, self.pubringfn, armored=True)
def testSignedUpdate(self):
fingerprint = '95B457D16843B21EA3FC73BBC7C32FC1F94E405E'
# supply the pass phrase for our private key
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
self.addQuickTestComponent("test:doc", "1.0-1-1")
self.cfg.signatureKey = fingerprint
self.cfg.quiet = True
# put the public key into the repo
keyRing = open(
resources.get_path('conary_test', 'archive', 'pubring.gpg'))
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
repos = self.openRepository()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
signtrove.signTroves(self.cfg, ["test:doc"])
# alter key's trust value and determine that the doUpdate
# code properly verifies trust thresholds
pubKey = keyCache.getPublicKey(fingerprint)
pubKey.trustLevel = openpgpfile.TRUST_UNTRUSTED
keyCache.publicDict[fingerprint] = pubKey
self.cfg.trustThreshold = openpgpfile.TRUST_ULTIMATE
self.logFilter.add()
try:
self.discardOutput(doUpdate, self.cfg, 'test:doc')
self.fail("updatecmd.doUpdate did not properly check trust levels")
except DigitalSignatureVerificationError:
self.logFilter.compare([
'warning: The trove test:doc has '
'signatures generated with untrusted keys. You can either '
'resign the trove with a key that you trust, or add one of the '
'keys to the list of trusted keys (the trustedKeys '
'configuration option). The keys that were not trusted are: '
'F94E405E'
])
# An example how one can catch the digital signature verification
# error for each unsigned trove (and display some message in a GUI
# maybe). In this case we just raise a different exception.
class MyException(Exception):
errorIsUncatchable = True
class C_(callbacks.UpdateCallback):
def verifyTroveSignatures(self, trv):
try:
return callbacks.UpdateCallback.verifyTroveSignatures(
self, trv)
except DigitalSignatureVerificationError:
raise MyException("Error in trove %s" % trv.getName())
callback = C_(trustThreshold=self.cfg.trustThreshold)
# We should catch our own exception now
self.discardOutput(self.assertRaises,
MyException,
doUpdate,
self.cfg,
"test:doc",
callback=callback)
def testSignTrove(self):
fingerprint = 'F7440D78FE813C882212C2BF8AC2828190B1E477'
# supply the pass phrase for our private key
keyCache = openpgpkey.getKeyCache()
keyCache.getPrivateKey(fingerprint, '111111')
self.addQuickTestComponent("test:doc", "1.0-1-1")
self.cfg.signatureKey = fingerprint
self.cfg.quiet = True
self.assertRaises(errors.DigitalSignatureError, signtrove.signTroves,
self.cfg, ["test:doc"])
# get the public key
keyRing = open(
resources.get_path('conary_test', 'archive', 'pubring.gpg'))
keyData = openpgpfile.exportKey(fingerprint, keyRing)
keyData.seek(0)
keyData = keyData.read()
# upload the public key
repos = self.openRepository()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
signtrove.signTroves(self.cfg, ["test:doc"])
# get the signed trove from the repository, verify that
# everything is correct
v = versions.VersionFromString('/localhost@rpl:linux/1.0-1-1')
f = deps.parseFlavor('')
t = repos.getTrove('test:doc', v, f)
self._checkDigitalSig(t, fingerprint)
self.assertEqual(t.verifyDigitalSignatures(),
(openpgpfile.TRUST_TRUSTED, [], set()))
# add another signature. This exercises code such as the
# change set cache invalidation
fingerprint2 = '95B457D16843B21EA3FC73BBC7C32FC1F94E405E'
keyCache.getPrivateKey(fingerprint2, '111111')
# upload the public key
keyRing = open(
resources.get_path('conary_test', 'archive', 'pubring.gpg'))
keyData = openpgpfile.exportKey(fingerprint2, keyRing)
keyData.seek(0)
keyData = keyData.read()
repos.addNewPGPKey(self.cfg.buildLabel, 'test', keyData)
# sign with the second private key
self.cfg.signatureKey = fingerprint2
self.cfg.quiet = True
signtrove.signTroves(self.cfg, ["test:doc"])
# iterate over the signatures, making sure each signature version has
# two sigs associated with it
t = repos.getTrove('test:doc', v, f)
self._checkDigitalSig(t, fingerprint)
self._checkDigitalSig(t, fingerprint2)
self.assertEqual(t.verifyDigitalSignatures(),
(openpgpfile.TRUST_TRUSTED, [], set()))
# attempt signing again with a key that already signed the trove
self.assertRaises(errors.DigitalSignatureError, signtrove.signTroves,
self.cfg, ["test:doc"])
