From: Josh Rickamr
Subject: regress testing the revoked_signers option
To: gameoftrees@openbsd.org
Date: Mon, 4 Jul 2022 16:21:26 -0400
ok?
diff refs/heads/main refs/heads/revoking_regress
commit - ea2c9c36aa409c447e37aed9c75777adb9e36274
commit + 55dd6981d16dcd7a3d69014b1f3859f6a72b4de2
blob - 522d1dea0ce53ec2b119b3ef279d22df95d99d1b
blob + 217af530810b91c6f6861398bf49b4c6f5403578
--- regress/cmdline/tag.sh
+++ regress/cmdline/tag.sh
@@ -271,8 +271,11 @@ test_tag_create_ssh_signed() {
 return 1
 fi
 touch $testroot/allowed_signers
- echo "allowed_signers \"$testroot/allowed_signers\"" > \
+ touch $testroot/revoked_signers
+ echo "allowed_signers \"$testroot/allowed_signers\"" >> \
 $testroot/repo/.git/got.conf
+ echo "revoked_signers \"$testroot/revoked_signers\"" >> \
+ $testroot/repo/.git/got.conf

 # Create a signed tag based on repository's HEAD reference
 got tag -s $testroot/id_ed25519 -m 'test' -r $testroot/repo -c HEAD \
@@ -327,6 +330,22 @@ test_tag_create_ssh_signed() {
 return 1
 fi

+ # Ensure validation fails after revoking the key
+ ssh-keygen -y -f $testroot/id_ed25519 >> $testroot/revoked_signers
+ echo "signature: Could not verify signature." > \
+ $testroot/stdout.expected
+ VERIFY_STDOUT=$(got tag -r $testroot/repo -V $tag 2> $testroot/stderr)
+ ret=$?
+ echo "$VERIFY_STDOUT" | grep '^signature: ' > $testroot/stdout
+ if [ $ret -eq 0 ]; then
+ diff -u $testroot/stdout.expected $testroot/stdout
+ test_done "$testroot" "1"
+ return 1
+ fi
+
+ # Later tests expect validation to work
+ echo -n > $testroot/revoked_signers
+
 # Ensure that Git recognizes and verifies the tag Got has created
 (cd $testroot/repo && git checkout -q $tag)
 ret=$?
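Review bot: In the first hunk, the `allowed_signers` line is now appended (`>>`) to `$testroot/repo/.git/got.conf` where it used to truncate the file (`>`), so the signer configuration under test depends on whatever the file already contains. Only the new `revoked_signers` line needs to append; keeping `echo "allowed_signers \"$testroot/allowed_signers\"" > \` for the first write would leave exactly the two directives the test relies on. If an earlier step of `test_tag_create_ssh_signed` (which starts and ends outside this hunk) already writes got.conf, a one-line comment saying so would explain the append.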
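Review bot: In the revoked-key check added by the second hunk, the exit status of `got tag -V` is the only thing asserted: `stdout.expected` is written, but it is compared (via `diff -u`) only on the branch that has already failed. Any non-zero exit, including an unrelated error before the revocation list is ever consulted, therefore passes as proof that revocation is enforced. Comparing the grepped `signature:` line with the expected text after the status check would pin the failure to signature verification, assuming got prints that line on stdout as the grep implies. `test_tag_create_ssh_signed` begins and ends outside the hunk.

```shell
# … unchanged: revoke the key, run `got tag -V`, fail the test if it exits 0 …

# A non-zero exit only counts if it was the signature check that failed.
cmp -s $testroot/stdout.expected $testroot/stdout
ret=$?
if [ $ret -ne 0 ]; then
	diff -u $testroot/stdout.expected $testroot/stdout
	test_done "$testroot" "$ret"
	return 1
fi

# … unchanged: empty revoked_signers again for the later checks …
```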