Tests for signing metadata

tests/xbps/xbps-rindex/Kyuafile

@@ -4,3 +4,4 @@ test_suite("xbps-rindex")
 atf_test_program{name="add_test"}
 atf_test_program{name="clean_test"}
 atf_test_program{name="remove_test"}
+atf_test_program{name="sign_test"}

tests/xbps/xbps-rindex/Makefile

@@ -1,7 +1,7 @@
 TOPDIR = ../../..
 -include $(TOPDIR)/config.mk
 
-TESTSHELL = add_test clean_test remove_test
+TESTSHELL = add_test clean_test remove_test sign_test
 TESTSSUBDIR = xbps/xbps-rindex
 EXTRA_FILES = Kyuafile
 

tests/xbps/xbps-rindex/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>public-key</key>
+	<data>LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUF0WlRZM3ZpT1k2a1JLRTlXVnROdwpVTFVpTmV1ZSs3M1doS2hENGtDRFo3aDdLUkxGbGdvZ2p3dHdRbWN5UDRieHVXVDZjSkcyRVRDSE1tSEFFaHZqCmlaNks4d3gwSXRiZ1cxMjEvcllpbkdTTjJQbXRmUWJLV1QyeUF2aEJVUU1SRm52YjNWT1BkRitKSW45ckVWSFUKMVJMREdHNnh1SzBSZjBiazQ1Rkp4TUV1YUVNTEQ0OHJGYUlMU0JYRmI0QjBWV01vNjVhemxldkJ6QjZMdkpibwpMOUo2MERIQzdja3BRTTB1OXRkWGs3clRUMEJ4N2RTY0R5aVhGQXJhZ2cxNkE5Nm5yMjE1NDN2TFZnNTQxQTJBCkhheGJkZ1FENjM0ZzdlWXNQOFRsK1c1OXdPS09CTUt1Z2ZrYjB0ZEIwbnI2MXgwdUt3OXh0ak05YTFwS0VTZkYKeHhMZFR6bkdvWDRWYlU2Z2JLVStIb1AyVWRJZFZwUDZOZit4dHhtSkdMY2J4MWtNSEFaTmQvMUxBa0c5ZG1EMgpVdWRDcjlBWEhEQTFiUGFLN3k5bE85bCtkN29CZGtJTU5UZW4za0VLS2ZEQVpaT1NONmhHU2tzOU5JN3ZrOUM5CmFoZVhFemFNZWoxZHRsQ0EzM1Y3dlh3KzZsaUdscDVYY1M0bnJoZjg3MG9WOFcyS0VIbVozeTZqYzBGMDBRMHcKVXRaREM3RGpOWlJwSStCWFRJdkYvWEFxWlB6UVViR3A0cVltbFdsRW1qQWJKOXYrQUZIMTJDZU9aTE1KSWVIVApJeWM1NTRLTGVmK3N3bDR4K1BFWVFvSFFEKzUxWnpaaDdOdW9ad0hDZFZzcm5QTHc0VnZwR1F0SW55Qll0Q0luCm1vRUNhaFg4ZTgvMndmNGZFVUdCUVBrQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=</data>
+	<key>public-key-size</key>
+	<integer>4096</integer>
+	<key>signature-by</key>
+	<string>Void Linux</string>
+</dict>
+</plist>

tests/xbps/xbps-rindex/data/id_xbps

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAtZTY3viOY6kRKE9WVtNwULUiNeue+73WhKhD4kCDZ7h7KRLF
+lgogjwtwQmcyP4bxuWT6cJG2ETCHMmHAEhvjiZ6K8wx0ItbgW121/rYinGSN2Pmt
+fQbKWT2yAvhBUQMRFnvb3VOPdF+JIn9rEVHU1RLDGG6xuK0Rf0bk45FJxMEuaEML
+D48rFaILSBXFb4B0VWMo65azlevBzB6LvJboL9J60DHC7ckpQM0u9tdXk7rTT0Bx
+7dScDyiXFAragg16A96nr21543vLVg541A2AHaxbdgQD634g7eYsP8Tl+W59wOKO
+BMKugfkb0tdB0nr61x0uKw9xtjM9a1pKESfFxxLdTznGoX4VbU6gbKU+HoP2UdId
+VpP6Nf+xtxmJGLcbx1kMHAZNd/1LAkG9dmD2UudCr9AXHDA1bPaK7y9lO9l+d7oB
+dkIMNTen3kEKKfDAZZOSN6hGSks9NI7vk9C9aheXEzaMej1dtlCA33V7vXw+6liG
+lp5XcS4nrhf870oV8W2KEHmZ3y6jc0F00Q0wUtZDC7DjNZRpI+BXTIvF/XAqZPzQ
+UbGp4qYmlWlEmjAbJ9v+AFH12CeOZLMJIeHTIyc554KLef+swl4x+PEYQoHQD+51
+ZzZh7NuoZwHCdVsrnPLw4VvpGQtInyBYtCInmoECahX8e8/2wf4fEUGBQPkCAwEA
+AQKCAgBMXBP3cD8w2eBFO1frm28YAZQpaLSq2OJlVv11H/wimgnw89vzhL68aOsE
+gbE31d/BPx2ySRRvliDEpybGdsPxE6MLIqmUHRisU3Q9cQqNChw8qoKymTBu5ur9
+JLkTAF8nPV7wbDtfjO12fG7iEa+XCxTQKXzDVMSO6ZlHuclz3GlPnyH/oQ1VQ5fK
+8Jzejv5dCh4jNHTBDyuoUxAgdrWdpr3O355BsN6QSbj+RQCnN2G1ajx+73HRThh6
+bTYGivRMvE14EGm5qE2SGvPk+OhvkhPERVwApEHkyW7CQmMTyctIWf2vMs+ACOoS
+eENN6DmkTLklkpEXNeUWSBntrPQWVfN2vRJJ6qxxl7Ma8Au16BZycauq4iSVp1BC
+ZFk99qTbi77qNW+ryP/RKSn07k8l2oN4NyF185pCAPrwTYHdXRS6O0bC1ysTT7zI
+Md1eshoyl7uFI5AaVxOntA+5f8Uw9ZT3y9gz5ZU9k+mDhhw4+MJb3yilN++Y1saT
+ZywWf9e8vMTpJ72r22ha60g4W3yLrKgtM1QMvsrlonJe9NZXIJIXruzMwabWPAP6
+UeSVU8aVR9PAVWcy4eDdRsMYPRUoVhxQyGfWuOxLSd2SyiyWHWa5jUq4woNQvdS5
+n5TGsJmHs0MLxBJUxvS6J3juWvxrYHLFNKp6zcztNWbyFJfegQKCAQEA4J6r0M3w
+RfxWOYCLlCLEICVB/GKXlu9dZhaE0nmvMIYCjpUPyLRBxgCdHvhxQ8sva6tOVAUF
+lqmmVCw8ugUhCfB7NP1i3BB6hnsafFml9Wf36Ie2IuivcG1ij2q8tErC88cz3Mhh
+WjubXQLXhRua7Gr6Wj6AO1LO3JsLOVw3nRHtFEXEVkNoodyO3k7ljKfttXapEXRi
+RGIxlfTStYOQXYC5RF6gQsryK7sZpHHi8atGJpH00hWkbLmTSgxctv/qZvTHlo7D
+NlSYMBGj+tHWS4+kWjRkGpowQwKsBk9MHO1wwgJX+pL0wlQsCY2WA0bsi0ocUzE+
+/lVAOou+5gOMNQKCAQEAzvLyUqsyGhd9cawBI8V4FDCHBynfVXoXSC5jzMkXyP4U
+mEhTUMDO1/2vvAsc0Qlc6NDMK6apigNdKE5WPCLYnBy+UlOuDtYa5e88dhduNrYX
+JxU8WKgCYIPi3ofC1DrpxU7kxIzjCFouL9dIhLOrLDiC0SIS9o3g5zdhuFzRuOv4
+3O4Kxpvo+muUeDkh7/QBK1CRCMsxXQjpZeEplr/AT5YM6MdWyd4yg4odagaXgosk
+028XFMxuy/ZXBiadx/EeVybQ9cpW6zO2pPDg5CYrUf+0ltCsMNi5Pd0FxeMDvZvz
+JoC28NkRsgQeaQbPKpfLyZi+WMFu+dXeL0mJPXOSNQKCAQEAzHI/ys8XSmwyAyao
+ZM38G5It7E3E0mHObjRC8txFA/KF80dj1XeUgmdem6jgVydiYyrKIZlsi8Sgmu6k
+21/9wXE8g2+6grkQ/MShx9tFPghC0khsFHwb60X0trsdRTDjH0YKQ4OzcJDeiZsj
+lYkZyuRYOLm4t8ZYeN06KxxvliyR0Kjr2uSCIQmClH/VWeAjcc6udi+rnbiOj4IG
+I6a7SQ/4EW3bis/z+q/S2CW8veD5+fNRlcKTJU8H7BcycHKg5NMZs0UAE7yNxPrZ
+eVtzJNV6b4xOLRR4pxWQhDG7An1v63Z8o5sM4rAAYTWY/CSa+vEatPIW9yGbU26M
+9Aj4nQKCAQEAgI7big9faGX/P4Yijx40ohYjS4fvfSIDJIvs42JorCtqj88eMqQT
+2ol1idM9a33tgZNzwgoed+XvEQLY/zKGbTRN5sak8gJ/Yydi39leVg54A4dlnY2B
+LIPBg4vCtCSE5FVGN/NtddrPpliObCFQzH+uhEwui4tHk1sMEYNXpRCx4Ezf1NE1
+wZri+GxFcNKbh1TdRCE14R2QIAHn3AXyaX5FNrXebDjkGGLMMvk1VZsqnU39gKYe
+jgXRubhze6mFt44dcRLpO+M8KuqYSiKL9rxqauXmkdGQAaYz1+JWiItAWULMYoH2
+RCfa3FOmjkcOCYYhePFxBzKce7Oq1cndoQKCAQAT4a/uLfmVvZwPOf4vYhm+tqEk
+dwibC7bHT/gEtZEAcIvDuNEeRp62dCQlqs4g9pXU/Cj7BTIS7QtQ2WM+dBhcf9Mm
+3UX5msEVwaGuSBvLf6aZ/FZAqT6mnX+JYN7Er+zWbMVYkS2So0XVf+LRcKhJYR/b
+NJ29CPY8hvSS5IoCeoxiUBIWRWETv4dLSxM0ND012+PxsY0eYV/4jM5T0JpCrvZi
+ugb+FxtJgO5IdVg4faWCRcUYrODh1aqrS0et+LkuccvEqsw1gWbeQUMGtMN0FNs4
+cYAo45EPUFXEGwzeJlqjeXt6aX7t9hm/BxJ9hzW0EP2fkYokSmu2ohVqb8XF
+-----END RSA PRIVATE KEY-----

tests/xbps/xbps-rindex/sign_test.sh

@@ -0,0 +1,85 @@
+#! /usr/bin/env atf-sh
+# Test that xbps-rindex(1) signing repo metadata works as expected.
+
+get_resources() {
+	mkdir -p root/var/db/xbps/keys
+	mkdir -p /var/db/xbps/keys
+	cp $(atf_get_srcdir)/data/id_xbps .
+	cp $(atf_get_srcdir)/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist root/var/db/xbps/keys
+	cp $(atf_get_srcdir)/data/bd:75:21:4e:40:06:97:5e:72:31:40:6e:9e:08:a8:ae.plist /var/db/xbps/keys
+}
+
+atf_test_case sign
+
+sign_head() {
+	atf_set "descr" "xbps-rindex(1) signing test"
+}
+
+sign_body() {
+	get_resources
+	# make pkg
+	mkdir -p some_repo pkg_A
+	touch pkg_A/file00
+	cd some_repo
+	xbps-create -A noarch -n foo-1.0_1 -s "foo pkg" ../pkg_A
+	atf_check_equal $? 0
+	# make repodata
+	xbps-rindex -a $PWD/*.xbps
+	atf_check_equal $? 0
+	repodata=$(ls *-repodata)
+	atf_check_equal $(tar tf $repodata | wc -l) 2
+	# sign repodata
+	xbps-rindex -s $PWD --signedby test --privkey ../id_xbps
+	atf_check_equal $? 0
+	atf_check_equal $(tar tf $repodata | wc -l) 3
+	# update pkg
+	xbps-create -A noarch -n foo-1.1_1 -s "foo pkg" ../pkg_A
+	atf_check_equal $? 0
+	# update repodata
+	xbps-rindex -a $PWD/*.xbps --privkey ../id_xbps
+	atf_check_equal $? 0
+	atf_check_equal $(tar tf $repodata | wc -l) 3
+}
+
+atf_test_case verify
+
+verify_head() {
+	atf_set "descr" "xbps-rindex(1) verifying test"
+}
+
+verify_body() {
+	get_resources
+	# make pkg
+	mkdir -p some_repo pkg_A
+	touch pkg_A/file00
+	cd some_repo
+	xbps-create -A noarch -n foo-1.0_1 -s "foo pkg" ../pkg_A
+	atf_check_equal $? 0
+	# make repodata
+	xbps-rindex -a $PWD/*.xbps
+	atf_check_equal $? 0
+	repodata=$(ls *-repodata)
+	# sign repodata
+	xbps-rindex -s $PWD --signedby test --privkey ../id_xbps
+	atf_check_equal $? 0
+	# verify signature
+	xbps-install -nid --repository=$PWD foo 2>&1 | grep -q "some_repo/$repodata' signature passed."
+	atf_check_equal $? 0
+	# modify what is signed
+	tar tf $repodata
+	mkdir repodata
+	cd repodata
+	tar xf ../$repodata
+	sed -i -e 's:string>test<:string>stranger<:' index-meta.plist
+	tar cf ../$repodata index.plist index-meta.plist index-meta.plist.sig
+	atf_check_equal $? 0
+	cd ..
+	# verify wrong signature
+	xbps-install -nid --repository=$PWD foo 2>&1 | grep -q "some_repo/$repodata' signature failed. Taking safe part."
+	atf_check_equal $? 0
+}
+
+atf_init_test_cases() {
+	atf_add_test_case sign
+	atf_add_test_case verify
+}