Package: guix-patches;
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 28 Jan 2022 17:11:02 UTC
Severity: normal
Tags: patch, security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#53607: closed ([PATCH] git-authenticate: Test introductory commit signature verification.)
Date: Mon, 14 Feb 2022 10:31:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Mon, 14 Feb 2022 11:30:07 +0100
with message-id <87y22dyc40.fsf <at> gnu.org>
and subject line Re: bug#53607: [PATCH] git-authenticate: Test introductory commit signature verification.
has caused the debbugs.gnu.org bug report #53607,
regarding [PATCH] git-authenticate: Test introductory commit signature verification.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)

--
53607: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=53607
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH] git-authenticate: Test introductory commit signature verification.
Date: Fri, 28 Jan 2022 18:10:20 +0100

These tests mimic similar tests already in 'tests/channels.scm', but
without using the higher-level 'authenticate-channel'.

* tests/git-authenticate.scm ("introductory commit, valid signature")
("introductory commit, missing signature")
("introductory commit, wrong signature"): New tests.
---
 tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 105 insertions(+), 1 deletion(-)

Hello!

(Cc: Maxime + Attila since you’ve already looked into this code.)

This patch adds tests to ensure that an invalid introductory commit
signature and lack of a signature on the introductory commit both lead
to an error.

These tests do not uncover any problem. In fact, this behavior was
already tested in ‘tests/channels.scm’, but using the higher-level
‘authenticate-channel’ procedure.

They were prompted by Attila’s comments in <https://issues.guix.gnu.org/50814>
and by investigations that led to the bug fix I’m about to send (separately).

Thoughts?

Thanks,
Ludo’.

diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm index f66ef191b0..6ec55fb2e5 100644 --- a/tests/git-authenticate.scm +++ b/tests/git-authenticate.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2020 Ludovic Courtès <ludo <at> gnu.org> +;;; Copyright © 2020, 2022 Ludovic Courtès <ludo <at> gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -20,12 +20,17 @@ (define-module (test-git-authenticate) #:use-module (git) #:use-module (guix git) #:use-module (guix git-authenticate) + #:use-module ((guix channels) #:select (openpgp-fingerprint)) + #:use-module ((guix diagnostics) + #:select (formatted-message? formatted-message-arguments)) #:use-module (guix openpgp) + #:use-module ((guix tests) #:select (random-text)) #:use-module (guix tests git) #:use-module (guix tests gnupg) #:use-module (guix build utils) #:use-module (srfi srfi-1) #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) #:use-module (srfi srfi-64) #:use-module (rnrs bytevectors) #:use-module (rnrs io ports)) 
@@ -327,4 +332,103 @@ (define (correct? c commit) #:keyring-reference "master") 'failed))))))) +(unless (gpg+git-available?) (test-skip 1)) +(test-assert "introductory commit, valid signature" + (with-fresh-gnupg-setup (list %ed25519-public-key-file + %ed25519-secret-key-file) + (let ((fingerprint (key-fingerprint %ed25519-public-key-file))) + (with-temporary-git-repository directory + `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file + get-string-all)) + (add ".guix-authorizations" + ,(object->string + `(authorizations (version 0) + ((,(key-fingerprint + %ed25519-public-key-file) + (name "Charlie")))))) + (commit "zeroth commit" (signer ,fingerprint)) + (add "a.txt" "A") + (commit "first commit" (signer ,fingerprint))) + (with-repository directory repository + (let ((commit0 (find-commit repository "zero")) + (commit1 (find-commit repository "first"))) + ;; COMMIT0 is signed with the right key, and COMMIT1 is fine. + (authenticate-repository repository + (commit-id commit0) + (openpgp-fingerprint fingerprint) + #:keyring-reference "master" + #:cache-key (random-text)))))))) + +(unless (gpg+git-available?) (test-skip 1)) +(test-equal "introductory commit, missing signature" + 'intro-lacks-signature + (with-fresh-gnupg-setup (list %ed25519-public-key-file + %ed25519-secret-key-file) + (let ((fingerprint (key-fingerprint %ed25519-public-key-file))) + (with-temporary-git-repository directory + `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file + get-string-all)) + (add ".guix-authorizations" + ,(object->string + `(authorizations (version 0) + ((,(key-fingerprint + %ed25519-public-key-file) + (name "Charlie")))))) + (commit "zeroth commit") ;unsigned! + (add "a.txt" "A") + (commit "first commit" (signer ,fingerprint))) + (with-repository directory repository + (let ((commit0 (find-commit repository "zero"))) + ;; COMMIT0 is not signed. + (guard (c ((formatted-message? c) + ;; Message like "commit ~a lacks a signature". + (and (equal? 
(formatted-message-arguments c) + (list (oid->string (commit-id commit0)))) + 'intro-lacks-signature))) + (authenticate-repository repository + (commit-id commit0) + (openpgp-fingerprint fingerprint) + #:keyring-reference "master" + #:cache-key (random-text))))))))) + +(unless (gpg+git-available?) (test-skip 1)) +(test-equal "introductory commit, wrong signature" + 'wrong-intro-signing-key + (with-fresh-gnupg-setup (list %ed25519-public-key-file + %ed25519-secret-key-file + %ed25519-2-public-key-file + %ed25519-2-secret-key-file) + (let ((fingerprint (key-fingerprint %ed25519-public-key-file)) + (wrong-fingerprint (key-fingerprint %ed25519-2-public-key-file))) + (with-temporary-git-repository directory + `((add "signer1.key" ,(call-with-input-file %ed25519-public-key-file + get-string-all)) + (add "signer2.key" ,(call-with-input-file %ed25519-2-public-key-file + get-string-all)) + (add ".guix-authorizations" + ,(object->string + `(authorizations (version 0) + ((,(key-fingerprint + %ed25519-public-key-file) + (name "Charlie")))))) + (commit "zeroth commit" (signer ,wrong-fingerprint)) + (add "a.txt" "A") + (commit "first commit" (signer ,fingerprint))) + (with-repository directory repository + (let ((commit0 (find-commit repository "zero")) + (commit1 (find-commit repository "first"))) + ;; COMMIT0 is signed with the wrong key--not the one passed as the + ;; SIGNER argument to 'authenticate-repository'. + (guard (c ((formatted-message? c) + ;; Message like "commit ~a signed by ~a instead of ~a". + (and (equal? (formatted-message-arguments c) + (list (oid->string (commit-id commit0)) + wrong-fingerprint fingerprint)) + 'wrong-intro-signing-key))) + (authenticate-repository repository + (commit-id commit0) + (openpgp-fingerprint fingerprint) + #:keyring-reference "master" + #:cache-key (random-text))))))))) + (test-end "git-authenticate") base-commit: e778910bdfc68c60a5be59aac93049d32feae904 -- 2.34.0
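Review bot: In the `define-module` hunk, the new `#:use-module (srfi srfi-35)` import does not appear to be needed by anything the patch adds: the tests only use `guard` from SRFI-34 and `formatted-message?` / `formatted-message-arguments`, which are selected from `(guix diagnostics)`, and no SRFI-35 procedure such as `condition?` shows up in the new code. Drop the import unless something outside the visible lines relies on it.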
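Review bot: In the "introductory commit, missing signature" and "introductory commit, wrong signature" tests, the `guard` clause identifies the failure only by `formatted-message-arguments`, so any other formatted message raised with the same arguments would also make the test pass; for the missing-signature case that is any error whose sole argument is the commit ID. The "Message like ..." comments describe the expected format string but nothing enforces it, so consider also comparing the condition's format string so each test pins the specific rejection reason it is named after. Two smaller points in the same hunk: `commit1` is bound but never used in the valid-signature and wrong-signature tests, and the valid-signature `test-assert` passes only because `authenticate-repository` returns a true value on success, which deserves a comment or an explicit check on what is returned.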
[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 53607-done <at> debbugs.gnu.org
Cc: Attila Lendvai <attila <at> lendvai.name>, Maxime Devos <maximedevos <at> telenet.be>
Subject: Re: bug#53607: [PATCH] git-authenticate: Test introductory commit signature verification.
Date: Mon, 14 Feb 2022 11:30:07 +0100

Ludovic Courtès <ludo <at> gnu.org> writes:

> These tests mimic similar tests already in 'tests/channels.scm', but
> without using the higher-level 'authenticate-channel'.
>
> * tests/git-authenticate.scm ("introductory commit, valid signature")
> ("introductory commit, missing signature")
> ("introductory commit, wrong signature"): New tests.
> ---
>  tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++-
>  1 file changed, 105 insertions(+), 1 deletion(-)
>
> Hello!
>
> (Cc: Maxime + Attila since you’ve already looked into this code.)
>
> This patch adds tests to ensure that an invalid introductory commit
> signature and lack of a signature on the introductory commit both lead
> to an error.
>
> These tests do not uncover any problem. In fact, this behavior was
> already tested in ‘tests/channels.scm’, but using the higher-level
> ‘authenticate-channel’ procedure.
>
> They were prompted by Attila’s comments in <https://issues.guix.gnu.org/50814>
> and by investigations that led to the bug fix I’m about to send (separately).

I went ahead and pushed it as 36cb04df96623ffe8f1074172a4ed9e51bcf6e3a.

Ludo’.