def generateKey(self, archive): """Generate a signing key for the given archive.""" self.logger.info("Generating signing key for %s (%s)" % (archive.reference, archive.displayname)) archive_signing_key = IArchiveSigningKey(archive) archive_signing_key.generateSigningKey() self.logger.info("Key %s" % archive.signing_key.fingerprint)
def testForPrivatePPA(self): """Run publish-distro in private PPA mode. It should only publish private PPAs. """ # First, we'll make a private PPA and populate it with a # publishing record. ubuntutest = getUtility(IDistributionSet)['ubuntutest'] private_ppa = self.factory.makeArchive(private=True, distribution=ubuntutest) # Publish something to the private PPA: pub_source = self.getPubSource(sourcename='baz', filecontent='baz', archive=private_ppa) self.layer.txn.commit() self.setUpRequireSigningKeys() yield self.useFixture(InProcessKeyServerFixture()).start() key_path = os.path.join(gpgkeysdir, '*****@*****.**') yield IArchiveSigningKey(private_ppa).setSigningKey( key_path, async_keyserver=True) # Try a plain PPA run, to ensure the private one is NOT published. self.runPublishDistro(['--ppa']) pub_source.sync() self.assertEqual(pub_source.status, PackagePublishingStatus.PENDING) # Now publish the private PPAs and make sure they are really # published. self.runPublishDistro(['--private-ppa']) pub_source.sync() self.assertEqual(pub_source.status, PackagePublishingStatus.PUBLISHED)
def testForPPA(self): """Try to run publish-distro in PPA mode. It should deal only with PPA publications. """ pub_source = self.getPubSource(filecontent='foo') cprov = getUtility(IPersonSet).getByName('cprov') pub_source2 = self.getPubSource(sourcename='baz', filecontent='baz', archive=cprov.archive) ubuntutest = getUtility(IDistributionSet)['ubuntutest'] name16 = getUtility(IPersonSet).getByName('name16') getUtility(IArchiveSet).new(purpose=ArchivePurpose.PPA, owner=name16, distribution=ubuntutest) pub_source3 = self.getPubSource(sourcename='bar', filecontent='bar', archive=name16.archive) # Override PPAs distributions naked_archive = removeSecurityProxy(cprov.archive) naked_archive.distribution = self.ubuntutest naked_archive = removeSecurityProxy(name16.archive) naked_archive.distribution = self.ubuntutest self.setUpRequireSigningKeys() yield self.useFixture(InProcessKeyServerFixture()).start() key_path = os.path.join(gpgkeysdir, '*****@*****.**') yield IArchiveSigningKey(cprov.archive).setSigningKey( key_path, async_keyserver=True) name16.archive.signing_key_owner = cprov.archive.signing_key_owner name16.archive.signing_key_fingerprint = ( cprov.archive.signing_key_fingerprint) self.layer.txn.commit() self.runPublishDistro(['--ppa']) pub_source.sync() pub_source2.sync() pub_source3.sync() self.assertEqual(pub_source.status, PackagePublishingStatus.PENDING) self.assertEqual(pub_source2.status, PackagePublishingStatus.PUBLISHED) self.assertEqual(pub_source3.status, PackagePublishingStatus.PUBLISHED) foo_path = "%s/main/f/foo/foo_666.dsc" % self.pool_dir self.assertEqual(False, os.path.exists(foo_path)) baz_path = os.path.join(config.personalpackagearchive.root, cprov.name, 'ppa/ubuntutest/pool/main/b/baz/baz_666.dsc') self.assertEqual('baz', open(baz_path).read().strip()) bar_path = os.path.join(config.personalpackagearchive.root, name16.name, 'ppa/ubuntutest/pool/main/b/bar/bar_666.dsc') self.assertEqual('bar', open(bar_path).read().strip())
def makeArchive(self, signing_key_name="*****@*****.**", publish_binary=False, **kwargs): try: getattr(config, "in-process-key-server-fixture") except AttributeError: yield self.useFixture(InProcessKeyServerFixture()).start() archive = self.factory.makeArchive(distribution=self.ubuntu, **kwargs) if signing_key_name is not None: key_path = os.path.join(gpgkeysdir, "%s.sec" % signing_key_name) yield IArchiveSigningKey(archive).setSigningKey( key_path, async_keyserver=True) if publish_binary: self.publisher.getPubBinaries( archive=archive, status=PackagePublishingStatus.PUBLISHED) defer.returnValue(archive)
def test_extraBuildArgs_archive_trusted_keys(self): # If the archive has a signing key, extraBuildArgs sends it. yield self.useFixture(InProcessKeyServerFixture()).start() archive = self.factory.makeArchive() key_path = os.path.join(gpgkeysdir, "*****@*****.**") yield IArchiveSigningKey(archive).setSigningKey( key_path, async_keyserver=True) job = self.makeJob(archive=archive, with_builder=True) distroarchseries = job.build.distroseries.architectures[0] self.factory.makeBinaryPackagePublishingHistory( distroarchseries=distroarchseries, pocket=job.build.pocket, archive=archive, status=PackagePublishingStatus.PUBLISHED) args = yield job.extraBuildArgs() self.assertThat(args["trusted_keys"], MatchesListwise([ Base64KeyMatches("0D57E99656BEFB0897606EE9A022DD1F5001B46D"), ]))
def setUp(self): super(TestSignableArchiveWithSigningKey, self).setUp() self.temp_dir = self.makeTemporaryDirectory() self.distro = self.factory.makeDistribution() db_pubconf = getUtility(IPublisherConfigSet).getByDistribution( self.distro) db_pubconf.root_dir = unicode(self.temp_dir) self.archive = self.factory.makeArchive(distribution=self.distro, purpose=ArchivePurpose.PRIMARY) self.archive_root = getPubConfig(self.archive).archiveroot self.suite = "distroseries" with InProcessKeyServerFixture() as keyserver: yield keyserver.start() key_path = os.path.join(gpgkeysdir, '*****@*****.**') yield IArchiveSigningKey(self.archive).setSigningKey( key_path, async_keyserver=True)
def test_sign_with_signing_key(self): filename = os.path.join(getPubConfig(self.archive).archiveroot, "file") write_file(filename, "contents") self.assertIsNone(self.archive.signing_key) self.useFixture(InProcessKeyServerFixture()).start() key_path = os.path.join(gpgkeysdir, '*****@*****.**') yield IArchiveSigningKey(self.archive).setSigningKey( key_path, async_keyserver=True) self.assertIsNotNone(self.archive.signing_key) custom_processor = CustomUpload() custom_processor.sign(self.archive, "suite", filename) with open(filename) as cleartext_file: cleartext = cleartext_file.read() with open("%s.gpg" % filename) as signature_file: signature = getUtility(IGPGHandler).getVerifiedSignature( cleartext, signature_file.read()) self.assertEqual(self.archive.signing_key.fingerprint, signature.fingerprint)
def generateSigningKey(self): """See `IArchiveSigningKey`.""" assert self.archive.signing_key is None, ( "Cannot override signing_keys.") # Always generate signing keys for the default PPA, even if it # was not expecifically requested. The default PPA signing key # is then propagated to the context named-ppa. default_ppa = self.archive.owner.archive if self.archive != default_ppa: if default_ppa.signing_key is None: IArchiveSigningKey(default_ppa).generateSigningKey() self.archive.signing_key = default_ppa.signing_key return key_displayname = ( "Launchpad PPA for %s" % self.archive.owner.displayname) secret_key = getUtility(IGPGHandler).generateKey(key_displayname) self._setupSigningKey(secret_key)
def testCarefulRelease(self): """publish-distro can be asked to just rewrite Release files.""" archive = self.factory.makeArchive(distribution=self.ubuntutest) pub_source = self.getPubSource(filecontent='foo', archive=archive) self.setUpRequireSigningKeys() yield self.useFixture(InProcessKeyServerFixture()).start() key_path = os.path.join(gpgkeysdir, '*****@*****.**') yield IArchiveSigningKey(archive).setSigningKey(key_path, async_keyserver=True) self.layer.txn.commit() self.runPublishDistro(['--ppa']) pub_source.sync() self.assertEqual(PackagePublishingStatus.PUBLISHED, pub_source.status) dists_path = getPubConfig(archive).distsroot hoary_inrelease_path = os.path.join(dists_path, 'hoary-test', 'InRelease') breezy_inrelease_path = os.path.join(dists_path, 'breezy-autotest', 'InRelease') self.assertThat(hoary_inrelease_path, Not(PathExists())) os.unlink(breezy_inrelease_path) self.runPublishDistro(['--ppa', '--careful-release']) self.assertThat(hoary_inrelease_path, Not(PathExists())) self.assertThat(breezy_inrelease_path, Not(PathExists())) self.runPublishDistro([ '--ppa', '--careful-release', '--include-non-pending', '--disable-publishing', '--disable-domination', '--disable-apt', ]) # hoary-test never had indexes created, so is untouched. self.assertThat(hoary_inrelease_path, Not(PathExists())) # breezy-autotest has its Release files rewritten. self.assertThat(breezy_inrelease_path, PathExists())
def test_extraBuildArgs_archive_trusted_keys(self): # If the archive has a signing key, extraBuildArgs sends it. yield self.useFixture(InProcessKeyServerFixture()).start() archive = self.factory.makeArchive() builder = self.factory.makeBuilder() key_path = os.path.join(gpgkeysdir, "*****@*****.**") yield IArchiveSigningKey(archive).setSigningKey(key_path, async_keyserver=True) build = self.factory.makeBinaryPackageBuild(archive=archive) self.factory.makeBinaryPackagePublishingHistory( distroarchseries=build.distro_arch_series, pocket=build.pocket, archive=archive, status=PackagePublishingStatus.PUBLISHED) behaviour = IBuildFarmJobBehaviour(build) behaviour.setBuilder(builder, None) args = yield behaviour.extraBuildArgs() self.assertThat( args["trusted_keys"], MatchesListwise([ Base64KeyMatches("0D57E99656BEFB0897606EE9A022DD1F5001B46D"), ]))
def _writeSuite(self, distroseries, pocket): """Write out the Release files for the provided suite.""" # XXX: kiko 2006-08-24: Untested method. # As we generate file lists for apt-ftparchive we record which # distroseriess and so on we need to generate Release files for. # We store this in release_files_needed and consume the information # when writeReleaseFiles is called. if (distroseries.name, pocket) not in self.release_files_needed: # If we don't need to generate a release for this release # and pocket, don't! return all_components = [ comp.name for comp in self.archive.getComponentsForSeries(distroseries)] all_architectures = [ a.architecturetag for a in distroseries.enabled_architectures] all_files = set() for component in all_components: self._writeSuiteSource( distroseries, pocket, component, all_files) for architecture in all_architectures: self._writeSuiteArch( distroseries, pocket, component, architecture, all_files) self._writeSuiteI18n( distroseries, pocket, component, all_files) drsummary = "%s %s " % (self.distro.displayname, distroseries.displayname) if pocket == PackagePublishingPocket.RELEASE: drsummary += distroseries.version else: drsummary += pocket.name.capitalize() suite = distroseries.getSuite(pocket) release_file = Release() release_file["Origin"] = self._getOrigin() release_file["Label"] = self._getLabel() release_file["Suite"] = suite release_file["Version"] = distroseries.version release_file["Codename"] = distroseries.name release_file["Date"] = datetime.utcnow().strftime( "%a, %d %b %Y %k:%M:%S UTC") release_file["Architectures"] = " ".join(sorted(all_architectures)) release_file["Components"] = " ".join( reorder_components(all_components)) release_file["Description"] = drsummary if (pocket == PackagePublishingPocket.BACKPORTS and distroseries.backports_not_automatic): release_file["NotAutomatic"] = "yes" release_file["ButAutomaticUpgrades"] = "yes" for filename in sorted(all_files, key=os.path.dirname): entry = self._readIndexFileContents(suite, filename) if entry is None: continue release_file.setdefault("MD5Sum", []).append({ "md5sum": hashlib.md5(entry).hexdigest(), "name": filename, "size": len(entry)}) release_file.setdefault("SHA1", []).append({ "sha1": hashlib.sha1(entry).hexdigest(), "name": filename, "size": len(entry)}) release_file.setdefault("SHA256", []).append({ "sha256": hashlib.sha256(entry).hexdigest(), "name": filename, "size": len(entry)}) self._writeReleaseFile(suite, release_file) all_files.add("Release") # Skip signature if the archive signing key is undefined. if self.archive.signing_key is None: self.log.debug("No signing key available, skipping signature.") return # Sign the repository. archive_signer = IArchiveSigningKey(self.archive) archive_signer.signRepository(suite) all_files.add("Release.gpg") # Make sure all the timestamps match, to make it easier to insert # caching headers on mirrors. self._syncTimestamps(suite, all_files)
def setUpArchiveKey(self): with InProcessKeyServerFixture() as keyserver: yield keyserver.start() key_path = os.path.join(gpgkeysdir, '*****@*****.**') yield IArchiveSigningKey(self.archive).setSigningKey( key_path, async_keyserver=True)