271932782d
This adds simple tests of the commit signature verification mechanism of fetchGit and its flake input wrapper. OpenSSH is added to the build dependencies since it's needed to create a key when testing the functionality. It is neither a build- nor a runtime dependency.
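source common.sh

requireGit

[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen

enableFeatures "verified-fetches"

clearStore

repo="$TEST_ROOT/git"

# generate signing keys
# Two keys of different types are created: key 1 (ed25519, the default key
# type for verification) and key 2 (RSA, which has to be declared as
# "ssh-rsa"). Commits are signed with one or the other so the tests can
# check both acceptance by a trusted key and rejection by an untrusted one.
keysDir=$TEST_ROOT/.ssh
mkdir -p "$keysDir"
ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
key1File="$keysDir/testkey1.pub"
publicKey1=$(awk '{print $2}' "$key1File")
ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
key2File="$keysDir/testkey2.pub"
publicKey2=$(awk '{print $2}' "$key2File")

git init "$repo"
git -C "$repo" config user.email "foobar@example.com"
git -C "$repo" config user.name "Foobar"
git -C "$repo" config gpg.format ssh

echo 'hello' > "$repo/text"
git -C "$repo" add text
git -C "$repo" -c "user.signingkey=$key1File" commit -S -m 'initial commit'

# Negative case: HEAD is signed with key 1 but only key 2 is trusted, so the
# fetch must be rejected. `status` is reset before every negative case so a
# value left over from an earlier failure cannot make an unexpectedly
# successful fetch look like a rejection.
status=0
out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'No principal matched.' ]]
# Positive case: key 1 is trusted (no keytype given, i.e. the default type).
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]

echo 'hello world' > "$repo/text"
git -C "$repo" add text
git -C "$repo" -c "user.signingkey=$key2File" commit -S -m 'second commit'

# HEAD is now signed with key 2; a list of trusted keys (publicKeys) that
# contains it is accepted.
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]

# Flake input test
flakeDir="$TEST_ROOT/flake"
mkdir -p "$flakeDir"
cat > "$flakeDir/flake.nix" <<EOF
{
  inputs.test = {
    type = "git";
    url = "file://$repo";
    flake = false;
    publicKeys = [
      { type = "ssh-rsa"; key = "$publicKey2"; }
    ];
  };

  outputs = { test, ... }: { test = test.outPath; };
}
EOF
# Only key 2 is trusted here and the build still succeeds: what is verified is
# the signature of the commit being fetched (HEAD, signed with key 2); the
# earlier commit signed with key 1 does not need a trusted key.
nix build --out-link "$flakeDir/result" "$flakeDir#test"
[[ $(cat "$flakeDir/result/text") = 'hello world' ]]

cat > "$flakeDir/flake.nix" <<EOF
{
  inputs.test = {
    type = "git";
    url = "file://$repo";
    flake = false;
    publicKey= "$publicKey1";
  };

  outputs = { test, ... }: { test = test.outPath; };
}
EOF
# Negative case through the flake wrapper: HEAD is signed with key 2 but only
# key 1 is trusted, so the input must be rejected.
status=0
out=$(nix build "$flakeDir#test" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'No principal matched.' ]]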