fetchGit and flake: add commit signature verification tests

This adds simple tests of the commit signature verification mechanism of
fetchGit and its flake input wrapper.
OpenSSH is added to the build dependencies since it's needed to create
a key when testing the functionality. It is neither a built- nor a
runtime dependency.
This commit is contained in:
BootRhetoric 2023-10-20 21:18:01 +02:00
parent 098f0615c9
commit 271932782d
No known key found for this signature in database
3 changed files with 78 additions and 0 deletions

View file

@ -185,6 +185,7 @@
buildPackages.git
buildPackages.mercurial # FIXME: remove? only needed for tests
buildPackages.jq # Also for custom mdBook preprocessor.
buildPackages.openssh # only needed for tests (ssh-keygen)
]
++ lib.optionals stdenv.hostPlatform.isLinux [(buildPackages.util-linuxMinimal or buildPackages.utillinuxMinimal)];

View file

@ -0,0 +1,76 @@
source common.sh
requireGit
[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen
enableFeatures "verified-fetches"
clearStore
repo="$TEST_ROOT/git"
# generate signing keys
keysDir=$TEST_ROOT/.ssh
mkdir -p "$keysDir"
ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
key1File="$keysDir/testkey1.pub"
publicKey1=$(awk '{print $2}' "$key1File")
ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
key2File="$keysDir/testkey2.pub"
publicKey2=$(awk '{print $2}' "$key2File")
git init $repo
git -C $repo config user.email "foobar@example.com"
git -C $repo config user.name "Foobar"
git -C $repo config gpg.format ssh
echo 'hello' > $repo/text
git -C $repo add text
git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'
out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'No principal matched.' ]]
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]
echo 'hello world' > $repo/text
git -C $repo add text
git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]
# Flake input test
flakeDir="$TEST_ROOT/flake"
mkdir -p "$flakeDir"
cat > "$flakeDir/flake.nix" <<EOF
{
inputs.test = {
type = "git";
url = "file://$repo";
flake = false;
publicKeys = [
{ type = "ssh-rsa"; key = "$publicKey2"; }
];
};
outputs = { test, ... }: { test = test.outPath; };
}
EOF
nix build --out-link "$flakeDir/result" "$flakeDir#test"
[[ $(cat "$flakeDir/result/text") = 'hello world' ]]
cat > "$flakeDir/flake.nix" <<EOF
{
inputs.test = {
type = "git";
url = "file://$repo";
flake = false;
publicKey= "$publicKey1";
};
outputs = { test, ... }: { test = test.outPath; };
}
EOF
out=$(nix build "$flakeDir#test" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'No principal matched.' ]]

View file

@ -55,6 +55,7 @@ nix_tests = \
secure-drv-outputs.sh \
restricted.sh \
fetchGitSubmodules.sh \
fetchGitVerification.sh \
flakes/search-root.sh \
readfile-context.sh \
nix-channel.sh \