mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-22 05:56:15 +02:00
fetchGit and flake: add commit signature verification tests
This adds simple tests of the commit signature verification mechanism of fetchGit and its flake input wrapper. OpenSSH is added to the build dependencies since it's needed to create a key when testing the functionality. It is neither a built- nor a runtime dependency.
This commit is contained in:
parent
098f0615c9
commit
271932782d
3 changed files with 78 additions and 0 deletions
|
@ -185,6 +185,7 @@
|
|||
buildPackages.git
|
||||
buildPackages.mercurial # FIXME: remove? only needed for tests
|
||||
buildPackages.jq # Also for custom mdBook preprocessor.
|
||||
buildPackages.openssh # only needed for tests (ssh-keygen)
|
||||
]
|
||||
++ lib.optionals stdenv.hostPlatform.isLinux [(buildPackages.util-linuxMinimal or buildPackages.utillinuxMinimal)];
|
||||
|
||||
|
|
76
tests/functional/fetchGitVerification.sh
Normal file
76
tests/functional/fetchGitVerification.sh
Normal file
|
@ -0,0 +1,76 @@
|
|||
source common.sh
|
||||
|
||||
requireGit
|
||||
[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen
|
||||
|
||||
enableFeatures "verified-fetches"
|
||||
|
||||
clearStore
|
||||
|
||||
repo="$TEST_ROOT/git"
|
||||
|
||||
# generate signing keys
|
||||
keysDir=$TEST_ROOT/.ssh
|
||||
mkdir -p "$keysDir"
|
||||
ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
|
||||
key1File="$keysDir/testkey1.pub"
|
||||
publicKey1=$(awk '{print $2}' "$key1File")
|
||||
ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
|
||||
key2File="$keysDir/testkey2.pub"
|
||||
publicKey2=$(awk '{print $2}' "$key2File")
|
||||
|
||||
git init $repo
|
||||
git -C $repo config user.email "foobar@example.com"
|
||||
git -C $repo config user.name "Foobar"
|
||||
git -C $repo config gpg.format ssh
|
||||
|
||||
echo 'hello' > $repo/text
|
||||
git -C $repo add text
|
||||
git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'
|
||||
|
||||
out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
|
||||
[[ $status == 1 ]]
|
||||
[[ $out =~ 'No principal matched.' ]]
|
||||
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]
|
||||
|
||||
echo 'hello world' > $repo/text
|
||||
git -C $repo add text
|
||||
git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'
|
||||
|
||||
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]
|
||||
|
||||
# Flake input test
|
||||
flakeDir="$TEST_ROOT/flake"
|
||||
mkdir -p "$flakeDir"
|
||||
cat > "$flakeDir/flake.nix" <<EOF
|
||||
{
|
||||
inputs.test = {
|
||||
type = "git";
|
||||
url = "file://$repo";
|
||||
flake = false;
|
||||
publicKeys = [
|
||||
{ type = "ssh-rsa"; key = "$publicKey2"; }
|
||||
];
|
||||
};
|
||||
|
||||
outputs = { test, ... }: { test = test.outPath; };
|
||||
}
|
||||
EOF
|
||||
nix build --out-link "$flakeDir/result" "$flakeDir#test"
|
||||
[[ $(cat "$flakeDir/result/text") = 'hello world' ]]
|
||||
|
||||
cat > "$flakeDir/flake.nix" <<EOF
|
||||
{
|
||||
inputs.test = {
|
||||
type = "git";
|
||||
url = "file://$repo";
|
||||
flake = false;
|
||||
publicKey= "$publicKey1";
|
||||
};
|
||||
|
||||
outputs = { test, ... }: { test = test.outPath; };
|
||||
}
|
||||
EOF
|
||||
out=$(nix build "$flakeDir#test" 2>&1) || status=$?
|
||||
[[ $status == 1 ]]
|
||||
[[ $out =~ 'No principal matched.' ]]
|
|
@ -55,6 +55,7 @@ nix_tests = \
|
|||
secure-drv-outputs.sh \
|
||||
restricted.sh \
|
||||
fetchGitSubmodules.sh \
|
||||
fetchGitVerification.sh \
|
||||
flakes/search-root.sh \
|
||||
readfile-context.sh \
|
||||
nix-channel.sh \
|
||||
|
|
Loading…
Reference in a new issue