From unknown Tue Sep 23 01:07:23 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#53607 <53607@debbugs.gnu.org> To: bug#53607 <53607@debbugs.gnu.org> Subject: Status: [PATCH] git-authenticate: Test introductory commit signature verification. Reply-To: bug#53607 <53607@debbugs.gnu.org> Date: Tue, 23 Sep 2025 08:07:23 +0000 retitle 53607 [PATCH] git-authenticate: Test introductory commit signature = verification. reassign 53607 guix-patches submitter 53607 Ludovic Court=C3=A8s severity 53607 normal tag 53607 patch security thanks From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 28 12:10:50 2022 Received: (at submit) by debbugs.gnu.org; 28 Jan 2022 17:10:50 +0000 Received: from localhost ([127.0.0.1]:60405 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nDUlt-0000M2-Ur for submit@debbugs.gnu.org; Fri, 28 Jan 2022 12:10:50 -0500 Received: from lists.gnu.org ([209.51.188.17]:37552) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nDUls-0000Lu-CW for submit@debbugs.gnu.org; Fri, 28 Jan 2022 12:10:48 -0500 Received: from eggs.gnu.org ([209.51.188.92]:54634) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nDUlr-0005Xn-Uz for guix-patches@gnu.org; Fri, 28 Jan 2022 12:10:48 -0500 Received: from [2001:470:142:3::e] (port=60272 helo=fencepost.gnu.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nDUlp-0004dh-Ou; Fri, 28 Jan 2022 12:10:46 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:Subject:To:From:in-reply-to: references; bh=8ankfDvwqU83dTgItIob6yA+CfNt67T+eWdMdPBO2aM=; b=LEbVaGRAjVOAvo 5/n9bNHm9cZ5Rr9XbqTeNERCeiqGK2uzrVqnL1XknGWPbvt5BmvAqjc+p0VovTaiCxc3p4HO9IBvt mCfMgjM7+K7wfAse0X+/gUI1MLPFYLVD4qcJf8xuQeFh9n6+Y1cR9hAWz+FN/cE2250V/3ZztCA+8 Ufn0+ZrgoxS6PqGu5FJyVXbXx+JcQAxjOjTRZAnQEsalGlJyRDL59//+X1vl+AaXPaj9pAqX3fOMK Bs4EkFvvSie5yYtesA75Qh7rMvLDvY8rKIqPUeQ8GltMxg9PVXvCjIfU43Lvc6gFib80SXJBTgXf5 g8QuWjIBS8p7HqKSYWVA==; Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=33806 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nDUll-0001eN-5O; Fri, 28 Jan 2022 12:10:44 -0500 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= To: guix-patches@gnu.org Subject: [PATCH] git-authenticate: Test introductory commit signature verification. Date: Fri, 28 Jan 2022 18:10:20 +0100 Message-Id: <20220128171020.5778-1-ludo@gnu.org> X-Mailer: git-send-email 2.34.0 MIME-Version: 1.0 X-Debbugs-Cc: Maxime Devos , Attila Lendvai Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit Cc: =?UTF-8?q?Ludovic=20Court=C3=A8s?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) These tests mimic similar tests already in 'tests/channels.scm', but without using the higher-level 'authenticate-channel'. * tests/git-authenticate.scm ("introductory commit, valid signature") ("introductory commit, missing signature") ("introductory commit, wrong signature"): New tests. --- tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++- 1 file changed, 105 insertions(+), 1 deletion(-) Hello! (Cc: Maxime + Attila since you’ve already looked into this code.) This patch adds tests to ensure that an invalidate introductory commit signature and lack of a signature on the introductory commit both lead to an error. These tests do not uncover any problem. In fact, this behavior was already tested in ‘tests/channels.scm’, but using the higher-level ‘authenticate-channel’ procedure. They were prompted by Attila’s comments in and by investigations that led to the bug fix I’m about to send (separately). Thoughts? Thanks, Ludo’. diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm index f66ef191b0..6ec55fb2e5 100644 --- a/tests/git-authenticate.scm +++ b/tests/git-authenticate.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2020 Ludovic Courtès +;;; Copyright © 2020, 2022 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -20,12 +20,17 @@ (define-module (test-git-authenticate) #:use-module (git) #:use-module (guix git) #:use-module (guix git-authenticate) + #:use-module ((guix channels) #:select (openpgp-fingerprint)) + #:use-module ((guix diagnostics) + #:select (formatted-message? formatted-message-arguments)) #:use-module (guix openpgp) + #:use-module ((guix tests) #:select (random-text)) #:use-module (guix tests git) #:use-module (guix tests gnupg) #:use-module (guix build utils) #:use-module (srfi srfi-1) #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) #:use-module (srfi srfi-64) #:use-module (rnrs bytevectors) #:use-module (rnrs io ports)) @@ -327,4 +332,103 @@ (define (correct? c commit) #:keyring-reference "master") 'failed))))))) +(unless (gpg+git-available?) (test-skip 1)) +(test-assert "introductory commit, valid signature" + (with-fresh-gnupg-setup (list %ed25519-public-key-file + %ed25519-secret-key-file) + (let ((fingerprint (key-fingerprint %ed25519-public-key-file))) + (with-temporary-git-repository directory + `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file + get-string-all)) + (add ".guix-authorizations" + ,(object->string + `(authorizations (version 0) + ((,(key-fingerprint + %ed25519-public-key-file) + (name "Charlie")))))) + (commit "zeroth commit" (signer ,fingerprint)) + (add "a.txt" "A") + (commit "first commit" (signer ,fingerprint))) + (with-repository directory repository + (let ((commit0 (find-commit repository "zero")) + (commit1 (find-commit repository "first"))) + ;; COMMIT0 is signed with the right key, and COMMIT1 is fine. + (authenticate-repository repository + (commit-id commit0) + (openpgp-fingerprint fingerprint) + #:keyring-reference "master" + #:cache-key (random-text)))))))) + +(unless (gpg+git-available?) (test-skip 1)) +(test-equal "introductory commit, missing signature" + 'intro-lacks-signature + (with-fresh-gnupg-setup (list %ed25519-public-key-file + %ed25519-secret-key-file) + (let ((fingerprint (key-fingerprint %ed25519-public-key-file))) + (with-temporary-git-repository directory + `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file + get-string-all)) + (add ".guix-authorizations" + ,(object->string + `(authorizations (version 0) + ((,(key-fingerprint + %ed25519-public-key-file) + (name "Charlie")))))) + (commit "zeroth commit") ;unsigned! + (add "a.txt" "A") + (commit "first commit" (signer ,fingerprint))) + (with-repository directory repository + (let ((commit0 (find-commit repository "zero"))) + ;; COMMIT0 is not signed. + (guard (c ((formatted-message? c) + ;; Message like "commit ~a lacks a signature". + (and (equal? (formatted-message-arguments c) + (list (oid->string (commit-id commit0)))) + 'intro-lacks-signature))) + (authenticate-repository repository + (commit-id commit0) + (openpgp-fingerprint fingerprint) + #:keyring-reference "master" + #:cache-key (random-text))))))))) + +(unless (gpg+git-available?) (test-skip 1)) +(test-equal "introductory commit, wrong signature" + 'wrong-intro-signing-key + (with-fresh-gnupg-setup (list %ed25519-public-key-file + %ed25519-secret-key-file + %ed25519-2-public-key-file + %ed25519-2-secret-key-file) + (let ((fingerprint (key-fingerprint %ed25519-public-key-file)) + (wrong-fingerprint (key-fingerprint %ed25519-2-public-key-file))) + (with-temporary-git-repository directory + `((add "signer1.key" ,(call-with-input-file %ed25519-public-key-file + get-string-all)) + (add "signer2.key" ,(call-with-input-file %ed25519-2-public-key-file + get-string-all)) + (add ".guix-authorizations" + ,(object->string + `(authorizations (version 0) + ((,(key-fingerprint + %ed25519-public-key-file) + (name "Charlie")))))) + (commit "zeroth commit" (signer ,wrong-fingerprint)) + (add "a.txt" "A") + (commit "first commit" (signer ,fingerprint))) + (with-repository directory repository + (let ((commit0 (find-commit repository "zero")) + (commit1 (find-commit repository "first"))) + ;; COMMIT0 is signed with the wrong key--not the one passed as the + ;; SIGNER argument to 'authenticate-repository'. + (guard (c ((formatted-message? c) + ;; Message like "commit ~a signed by ~a instead of ~a". + (and (equal? (formatted-message-arguments c) + (list (oid->string (commit-id commit0)) + wrong-fingerprint fingerprint)) + 'wrong-intro-signing-key))) + (authenticate-repository repository + (commit-id commit0) + (openpgp-fingerprint fingerprint) + #:keyring-reference "master" + #:cache-key (random-text))))))))) + (test-end "git-authenticate") base-commit: e778910bdfc68c60a5be59aac93049d32feae904 -- 2.34.0 From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 29 05:38:10 2022 Received: (at control) by debbugs.gnu.org; 29 Jan 2022 10:38:10 +0000 Received: from localhost ([127.0.0.1]:32791 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nDl7R-0003eb-Qv for submit@debbugs.gnu.org; Sat, 29 Jan 2022 05:38:09 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:49864) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nDl7P-0003dz-3a for control@debbugs.gnu.org; Sat, 29 Jan 2022 05:38:07 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 9CEB846F for ; Sat, 29 Jan 2022 11:38:01 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkdE5KUP40yi for ; Sat, 29 Jan 2022 11:38:01 +0100 (CET) Received: from ribbon (91-160-117-201.subs.proxad.net [91.160.117.201]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 2F50C123 for ; Sat, 29 Jan 2022 11:38:01 +0100 (CET) Date: Sat, 29 Jan 2022 11:38:00 +0100 Message-Id: <87a6febzef.fsf@gnu.org> To: control@debbugs.gnu.org From: =?utf-8?Q?Ludovic_Court=C3=A8s?= Subject: control message for bug #53607 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spamd-Bar: / Authentication-Results: hera.aquilenet.fr; none X-Rspamd-Server: hera X-Rspamd-Queue-Id: 9CEB846F X-Spamd-Result: default: False [0.61 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[control@debbugs.gnu.org]; RCPT_COUNT_ONE(0.00)[1]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; R_MIXED_CHARSET(0.71)[subject]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) tags 53607 + security quit From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 14 05:30:15 2022 Received: (at 53607-done) by debbugs.gnu.org; 14 Feb 2022 10:30:16 +0000 Received: from localhost ([127.0.0.1]:39915 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nJYcZ-0001sB-JM for submit@debbugs.gnu.org; Mon, 14 Feb 2022 05:30:15 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:34730) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nJYcY-0001rr-GT for 53607-done@debbugs.gnu.org; Mon, 14 Feb 2022 05:30:14 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 1623FB12; Mon, 14 Feb 2022 11:30:09 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id igqEPTiOfo_n; Mon, 14 Feb 2022 11:30:08 +0100 (CET) Received: from ribbon (91-160-117-201.subs.proxad.net [91.160.117.201]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 5401F2D0; Mon, 14 Feb 2022 11:30:08 +0100 (CET) From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: 53607-done@debbugs.gnu.org Subject: Re: bug#53607: [PATCH] git-authenticate: Test introductory commit signature verification. References: <20220128171020.5778-1-ludo@gnu.org> Date: Mon, 14 Feb 2022 11:30:07 +0100 In-Reply-To: <20220128171020.5778-1-ludo@gnu.org> ("Ludovic =?utf-8?Q?Cour?= =?utf-8?Q?t=C3=A8s=22's?= message of "Fri, 28 Jan 2022 18:10:20 +0100") Message-ID: <87y22dyc40.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: / Authentication-Results: hera.aquilenet.fr; none X-Rspamd-Server: hera X-Rspamd-Queue-Id: 1623FB12 X-Spamd-Result: default: False [-0.10 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 53607-done Cc: Attila Lendvai , Maxime Devos X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Ludovic Court=C3=A8s skribis: > These tests mimic similar tests already in 'tests/channels.scm', but > without using the higher-level 'authenticate-channel'. > > * tests/git-authenticate.scm ("introductory commit, valid signature") > ("introductory commit, missing signature") > ("introductory commit, wrong signature"): New tests. > --- > tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++- > 1 file changed, 105 insertions(+), 1 deletion(-) > > Hello! > > (Cc: Maxime + Attila since you=E2=80=99ve already looked into this code.) > > This patch adds tests to ensure that an invalidate introductory commit > signature and lack of a signature on the introductory commit both lead > to an error. > > These tests do not uncover any problem. In fact, this behavior was > already tested in =E2=80=98tests/channels.scm=E2=80=99, but using the hig= her-level > =E2=80=98authenticate-channel=E2=80=99 procedure. > > They were prompted by Attila=E2=80=99s comments in > and by investigations that led to the bug fix I=E2=80=99m about to send (= separately). I went ahead and pushed it as 36cb04df96623ffe8f1074172a4ed9e51bcf6e3a. Ludo=E2=80=99. From unknown Tue Sep 23 01:07:23 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Mon, 14 Mar 2022 11:24:05 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator