def test_ownertrust(context, trusted_names):
"""This is a fairly complex test.
Create a new gnupg_home, update ownertrust with just my fingerprint.
The original update will run its own verify; we then make sure to get full
code coverage by testing that extra and missing fingerprints raise a
ScriptWorkerGPGException.
"""
gpg = sgpg.GPG(context)
my_fingerprint = sgpg.generate_key(gpg, "one", "one", "one")
sgpg.create_gpg_conf(context.config['gpg_home'],
my_fingerprint=my_fingerprint)
trusted_fingerprints = []
for name in trusted_names:
trusted_fingerprints.append(sgpg.generate_key(gpg, name, name, name))
# append my fingerprint to get more coverage
if trusted_fingerprints:
trusted_fingerprints.append(my_fingerprint)
unsigned_fingerprint = sgpg.generate_key(gpg, "four", "four", "four")
sgpg.update_ownertrust(context,
my_fingerprint,
trusted_fingerprints=trusted_fingerprints)
with pytest.raises(ScriptWorkerGPGException):
sgpg.verify_ownertrust(context, my_fingerprint,
trusted_fingerprints + [unsigned_fingerprint])
if trusted_fingerprints:
with pytest.raises(ScriptWorkerGPGException):
sgpg.verify_ownertrust(context, my_fingerprint,
[trusted_fingerprints[0]])
def test_sign_key_exportable(context, exportable):
gpg_home2 = os.path.join(context.config['gpg_home'], "two")
context.config['gpg_home'] = os.path.join(context.config['gpg_home'],
"one")
gpg = sgpg.GPG(context)
gpg2 = sgpg.GPG(context, gpg_home=gpg_home2)
my_fingerprint = KEYS_AND_FINGERPRINTS[0][1]
my_keyid = KEYS_AND_FINGERPRINTS[0][0]
# import my keys
for suffix in (".sec", ".pub"):
with open("{}{}".format(KEYS_AND_FINGERPRINTS[0][2], suffix),
"r") as fh:
contents = fh.read()
sgpg.import_key(gpg, contents)
# create gpg.conf's
sgpg.create_gpg_conf(context.config['gpg_home'],
my_fingerprint=my_fingerprint)
sgpg.create_gpg_conf(gpg_home2, my_fingerprint=my_fingerprint)
sgpg.check_ownertrust(context)
sgpg.check_ownertrust(context, gpg_home=gpg_home2)
# generate a new key
fingerprint = sgpg.generate_key(gpg,
"one",
"one",
"one",
key_length=GENERATE_KEY_SMALLER_KEY_SIZE)
# sign it, exportable signature is `exportable`
sgpg.sign_key(context,
fingerprint,
signing_key=my_fingerprint,
exportable=exportable)
# export my privkey and import it in gpg_home2
priv_key = sgpg.export_key(gpg, my_fingerprint, private=True)
sgpg.import_key(gpg2, priv_key)
# export both pubkeys and import in gpg_home2
for fp in (my_fingerprint, fingerprint):
pub_key = sgpg.export_key(gpg, fp)
sgpg.import_key(gpg2, pub_key)
# check sigs on `fingerprint` key. If exportable, we're good. If not exportable,
# it'll throw
expected = {'sig_keyids': [my_keyid]}
if exportable:
sgpg.get_list_sigs_output(context,
fingerprint,
gpg_home=gpg_home2,
expected=expected)
else:
with pytest.raises(ScriptWorkerGPGException):
sgpg.get_list_sigs_output(context,
fingerprint,
gpg_home=gpg_home2,
expected=expected)
def test_create_second_gpg_conf(mocker, tmpdir):
now = arrow.utcnow()
with mock.patch.object(arrow, 'utcnow') as p:
p.return_value = now
sgpg.create_gpg_conf(tmpdir,
keyserver=GPG_CONF_PARAMS[0][0],
my_fingerprint=GPG_CONF_PARAMS[0][1])
sgpg.create_gpg_conf(tmpdir,
keyserver=GPG_CONF_PARAMS[1][0],
my_fingerprint=GPG_CONF_PARAMS[1][1])
with open(os.path.join(tmpdir, "gpg.conf"), "r") as fh:
assert fh.read() == GPG_CONF_PARAMS[1][2]
with open(os.path.join(tmpdir, "gpg.conf.{}".format(now.timestamp)),
"r") as fh:
assert fh.read() == GPG_CONF_PARAMS[0][2]
def test_sign_key(context):
"""This test calls get_list_sigs_output in several different ways. Each
is valid; the main thing is more code coverage.
tru:o:1:1472876459:1:3:1:5
pub:u:4096:1:EA608995918B2DF9:1472876455:::u:::escaESCA:
fpr:::::::::A9F598A3179551CC664C15DEEA608995918B2DF9:
uid:u::::1472876455::6477C0BAC30FB3E244C8F1907D78C6B243AFD516::two (two) <two>:
sig:::1:EA608995918B2DF9:1472876455::::two (two) <two>:13x:::::8:
sig:::1:9633F5F38B9BD3C5:1472876459::::one (one) <one>:10l:::::8:
tru::1:1472876460:0:3:1:5
pub:u:4096:1:BC76BF8F77D1B3F5:1472876457:::u:::escaESCA:
fpr:::::::::7CFAD9E699D8559F1D3A50CCBC76BF8F77D1B3F5:
uid:u::::1472876457::91AC286E48FDA7378B86F63FA6DDC2A46B54808F::three (three) <three>:
sig:::1:BC76BF8F77D1B3F5:1472876457::::three (three) <three>:13x:::::8:
"""
gpg = sgpg.GPG(context)
# create my key, get fingerprint + keyid
my_fingerprint = sgpg.generate_key(
gpg, "one", "one", "one", key_length=GENERATE_KEY_SMALLER_KEY_SIZE)
my_keyid = sgpg.fingerprint_to_keyid(gpg, my_fingerprint)
# create signed key, get fingerprint + keyid
signed_fingerprint = sgpg.generate_key(
gpg, "two", "two", "two", key_length=GENERATE_KEY_SMALLER_KEY_SIZE)
signed_keyid = sgpg.fingerprint_to_keyid(gpg, signed_fingerprint)
# create unsigned key, get fingerprint + keyid
unsigned_fingerprint = sgpg.generate_key(
gpg,
"three",
"three",
"three",
key_length=GENERATE_KEY_SMALLER_KEY_SIZE)
unsigned_keyid = sgpg.fingerprint_to_keyid(gpg, unsigned_fingerprint)
# update gpg configs, sign signed key
sgpg.create_gpg_conf(context.config['gpg_home'],
my_fingerprint=my_fingerprint)
sgpg.check_ownertrust(context)
sgpg.sign_key(context, signed_fingerprint)
# signed key get_list_sigs_output
signed_output = sgpg.get_list_sigs_output(context, signed_fingerprint)
# unsigned key get_list_sigs_output
# Call get_list_sigs_output with validate=False, then parse it, for more code coverage
unsigned_output1 = sgpg.get_list_sigs_output(context,
unsigned_fingerprint,
validate=False)
unsigned_output = sgpg.parse_list_sigs_output(unsigned_output1, "unsigned")
# signed key has my signature + self-signed
assert sorted([signed_keyid,
my_keyid]) == sorted(signed_output['sig_keyids'])
assert ["one (one) <one>",
"two (two) <two>"] == sorted(signed_output['sig_uids'])
# unsigned key is only self-signed
assert [unsigned_keyid] == unsigned_output['sig_keyids']
assert ["three (three) <three>"] == unsigned_output['sig_uids']
# sign the unsigned key and test
sgpg.sign_key(context,
unsigned_fingerprint,
signing_key=signed_fingerprint)
# Call get_list_sigs_output with expected, for more code coverage
new_output = sgpg.get_list_sigs_output(
context,
unsigned_fingerprint,
expected={
"keyid": unsigned_keyid,
"fingerprint": unsigned_fingerprint,
"uid": "three (three) <three>",
"sig_keyids": [signed_keyid, unsigned_keyid],
"sig_uids": ["three (three) <three>", "two (two) <two>"]
})
# sig_uids goes unchecked; sig_keyids only checks that it's a subset.
# let's do another check.
assert ["three (three) <three>",
"two (two) <two>"] == sorted(new_output['sig_uids'])
def test_create_gpg_conf(keyserver, fingerprint, expected, tmpdir):
sgpg.create_gpg_conf(tmpdir,
keyserver=keyserver,
my_fingerprint=fingerprint)
with open(os.path.join(tmpdir, "gpg.conf"), "r") as fh:
assert fh.read() == expected
