Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport 3.0: Improve signing script handling for the tests #974

Closed
wants to merge 1 commit into from
Closed

Backport 3.0: Improve signing script handling for the tests #974

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 24 additions & 22 deletions pulp_deb/tests/functional/conftest.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,15 @@
from uuid import uuid4
import pytest
import os
import re
import stat
import subprocess

from pulp_deb.tests.functional.utils import gen_deb_remote, gen_distribution, gen_repo
from pulp_deb.tests.functional.constants import DEB_FIXTURE_STANDARD_REPOSITORY_NAME
from pulp_deb.tests.functional.constants import (
DEB_FIXTURE_STANDARD_REPOSITORY_NAME,
DEB_SIGNING_SCRIPT_STRING,
)

from pulpcore.client.pulp_deb import (
ApiClient,
Expand Down Expand Up @@ -489,24 +493,24 @@ def _deb_copy_content(source_repo_version, dest_repo, content=None, structured=T


@pytest.fixture(scope="session")
def deb_signing_script_path(signing_gpg_homedir_path):
"""A fixture for a script that is suited for signing packages."""
dir_path = os.path.dirname(__file__)
file_path = os.path.join(dir_path, "sign_deb_release.sh")

with open(file_path) as fp:
lines = [line.rstrip() for line in fp]
# For the test environment the GNUPGHOME environment variable
# needs to be part of the script. Otherwise the test containers
# will not find the right gpg key.
lines = lines[0:3] + [f'export GNUPGHOME="{signing_gpg_homedir_path}"'] + lines[3:]

raw_script = tuple(line for line in lines)
def deb_signing_script_path(
signing_script_temp_dir, signing_gpg_homedir_path, signing_gpg_metadata
):
_, _, keyid = signing_gpg_metadata
"""A fixture that provides a signing script path for signing debian packages."""
signing_script_filename = signing_script_temp_dir / "sign_deb_release.sh"
rep = {"HOMEDIRHERE": str(signing_gpg_homedir_path), "GPGKEYIDHERE": str(keyid)}
rep = dict((re.escape(k), v) for k, v in rep.items())
pattern = re.compile("|".join(rep.keys()))
with open(signing_script_filename, "w", 0o770) as sign_metadata_file:
sign_metadata_file.write(
pattern.sub(lambda m: rep[re.escape(m.group(0))], DEB_SIGNING_SCRIPT_STRING)
)

with open(os.path.join(signing_gpg_homedir_path, "bash-script.sh"), "w") as f:
f.write("\n".join(raw_script))
st = os.stat(signing_script_filename)
os.chmod(signing_script_filename, st.st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)

return f.name
return signing_script_filename


@pytest.fixture(scope="class")
Expand All @@ -516,20 +520,18 @@ def deb_signing_service_factory(
signing_service_api_client,
):
"""A fixture for the debian signing service."""
st = os.stat(deb_signing_script_path)
os.chmod(deb_signing_script_path, st.st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
gpg, fingerprint, keyid = signing_gpg_metadata
service_name = str(uuid4())
cmd = (
"pulpcore-manager",
"add-signing-service",
service_name,
deb_signing_script_path,
keyid,
str(deb_signing_script_path),
fingerprint,
"--class",
"deb:AptReleaseSigningService",
"--gnupghome",
gpg.gnupghome,
str(gpg.gnupghome),
)
process = subprocess.run(cmd, capture_output=True)

Expand Down
34 changes: 34 additions & 0 deletions pulp_deb/tests/functional/constants.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -324,3 +324,37 @@ def _clean_dict(d):
uUBsbCg=
=8Is3
-----END PGP PUBLIC KEY BLOCK-----"""

DEB_SIGNING_SCRIPT_STRING = r"""#!/bin/bash

set -e

export GNUPGHOME="HOMEDIRHERE"
RELEASE_FILE="$(/usr/bin/readlink -f $1)"
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
GPG_KEY_ID="GPGKEYIDHERE"
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"

# Create a detached signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
--detach-sign \
--output "${DETACHED_SIGNATURE_PATH}" \
--local-user "${GPG_KEY_ID}" \
"${RELEASE_FILE}"

# Create an inline signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
--clearsign \
--output "${INLINE_SIGNATURE_PATH}" \
--local-user "${GPG_KEY_ID}" \
"${RELEASE_FILE}"

echo { \
\"signatures\": { \
\"inline\": \"${INLINE_SIGNATURE_PATH}\", \
\"detached\": \"${DETACHED_SIGNATURE_PATH}\" \
} \
}
"""
Loading