Unverified Commit aef5a548 authored by Umberto Baldi's avatar Umberto Baldi Committed by GitHub

make `verifySignature` public, enhanced tests, remove `board` word (#1308)

parent b8d8a9ca
...@@ -19,16 +19,17 @@ import ( ...@@ -19,16 +19,17 @@ import (
"testing" "testing"
"github.com/arduino/go-paths-helper" "github.com/arduino/go-paths-helper"
rice "github.com/cmaglie/go.rice"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
var ( var (
PackageIndexPath = paths.New("testdata/package_index.json") PackageIndexPath = paths.New("testdata/package_index.json")
PackageSignaturePath = paths.New("testdata/package_index.json.sig") PackageSignaturePath = paths.New("testdata/package_index.json.sig")
BoardIndexPath = paths.New("testdata/module_firmware_index.json") ModuleFWIndexPath = paths.New("testdata/module_firmware_index.json")
BoardSignaturePath = paths.New("testdata/module_firmware_index.json.sig") ModuleFWSignaturePath = paths.New("testdata/module_firmware_index.json.sig")
BoardKey = paths.New("testdata/module_firmware_index_public.gpg.key") ModuleFWIndexKey = paths.New("testdata/module_firmware_index_public.gpg.key")
InvalidIndexPath = paths.New("testdata/invalid_file.json") InvalidIndexPath = paths.New("testdata/invalid_file.json")
) )
func TestVerifyArduinoDetachedSignature(t *testing.T) { func TestVerifyArduinoDetachedSignature(t *testing.T) {
...@@ -45,13 +46,34 @@ func TestVerifyArduinoDetachedSignature(t *testing.T) { ...@@ -45,13 +46,34 @@ func TestVerifyArduinoDetachedSignature(t *testing.T) {
} }
func TestVerifyDetachedSignature(t *testing.T) { func TestVerifyDetachedSignature(t *testing.T) {
res, signer, err := VerifyDetachedSignature(BoardIndexPath, BoardSignaturePath, BoardKey) res, signer, err := VerifyDetachedSignature(ModuleFWIndexPath, ModuleFWSignaturePath, ModuleFWIndexKey)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, signer) require.NotNil(t, signer)
require.True(t, res) require.True(t, res)
require.Equal(t, uint64(0x82f2d7c7c5a22a73), signer.PrimaryKey.KeyId) require.Equal(t, uint64(0x82f2d7c7c5a22a73), signer.PrimaryKey.KeyId)
res, signer, err = VerifyDetachedSignature(InvalidIndexPath, PackageSignaturePath, BoardKey) res, signer, err = VerifyDetachedSignature(InvalidIndexPath, PackageSignaturePath, ModuleFWIndexKey)
require.False(t, res)
require.Nil(t, signer)
require.Error(t, err)
}
func TestVerifySignature(t *testing.T) {
keysBox, err := rice.FindBox("keys")
if err != nil {
panic("could not find bundled signature keys")
}
arduinoKeyringFile, err := keysBox.Open("arduino_public.gpg.key")
if err != nil {
panic("could not find bundled signature keys")
}
res, signer, err := VerifySignature(PackageIndexPath, PackageSignaturePath, arduinoKeyringFile)
require.NoError(t, err)
require.NotNil(t, signer)
require.True(t, res)
require.Equal(t, uint64(0x7baf404c2dfab4ae), signer.PrimaryKey.KeyId)
res, signer, err = VerifySignature(InvalidIndexPath, PackageSignaturePath, arduinoKeyringFile)
require.False(t, res) require.False(t, res)
require.Nil(t, signer) require.Nil(t, signer)
require.Error(t, err) require.Error(t, err)
......
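Review bot: In the new TestVerifySignature the same `arduinoKeyringFile` reader is passed to both VerifySignature calls, but the first call reads it to EOF through openpgp.ReadKeyRing (see the source file's hunk), so the second call most likely fails while loading the keyring rather than at signature verification, and `require.Error` passes for the wrong reason; the reader is also never closed, unlike VerifyDetachedSignature which defers `Close()`. The two `panic("could not find bundled signature keys")` calls should be `require.NoError(t, err)` so a missing bundled key reports as a test failure with context instead of a crash. Re-open the key before the second call and defer Close on each handle as below. TestVerifySignature's closing brace lies outside the visible section.
```go
func TestVerifySignature(t *testing.T) {
	keysBox, err := rice.FindBox("keys")
	require.NoError(t, err)

	arduinoKeyringFile, err := keysBox.Open("arduino_public.gpg.key")
	require.NoError(t, err)
	defer arduinoKeyringFile.Close()
	res, signer, err := VerifySignature(PackageIndexPath, PackageSignaturePath, arduinoKeyringFile)
	// … unchanged: assertions on the valid index …

	// Re-open the key: the first call consumed the reader up to EOF.
	arduinoKeyringFile, err = keysBox.Open("arduino_public.gpg.key")
	require.NoError(t, err)
	defer arduinoKeyringFile.Close()
	res, signer, err = VerifySignature(InvalidIndexPath, PackageSignaturePath, arduinoKeyringFile)
	// … unchanged: assertions on the invalid index …
```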
...@@ -29,7 +29,8 @@ import ( ...@@ -29,7 +29,8 @@ import (
// signaturePath file) matches the given targetPath file and is an authentic // signaturePath file) matches the given targetPath file and is an authentic
// signature from the bundled trusted keychain. If any of the above conditions // signature from the bundled trusted keychain. If any of the above conditions
// fails this function returns false. The PGP entity in the trusted keychain that // fails this function returns false. The PGP entity in the trusted keychain that
// produced the signature is returned too. // produced the signature is returned too. This function use the default and bundled
// arduino_public.gpg.key
func VerifyArduinoDetachedSignature(targetPath *paths.Path, signaturePath *paths.Path) (bool, *openpgp.Entity, error) { func VerifyArduinoDetachedSignature(targetPath *paths.Path, signaturePath *paths.Path) (bool, *openpgp.Entity, error) {
keysBox, err := rice.FindBox("keys") keysBox, err := rice.FindBox("keys")
if err != nil { if err != nil {
...@@ -39,7 +40,7 @@ func VerifyArduinoDetachedSignature(targetPath *paths.Path, signaturePath *paths ...@@ -39,7 +40,7 @@ func VerifyArduinoDetachedSignature(targetPath *paths.Path, signaturePath *paths
if err != nil { if err != nil {
panic("could not find bundled signature keys") panic("could not find bundled signature keys")
} }
return verifySignature(targetPath, signaturePath, arduinoKeyringFile) return VerifySignature(targetPath, signaturePath, arduinoKeyringFile)
} }
// VerifyDetachedSignature checks that the detached GPG signature (in the // VerifyDetachedSignature checks that the detached GPG signature (in the
...@@ -54,14 +55,15 @@ func VerifyDetachedSignature(targetPath *paths.Path, signaturePath *paths.Path, ...@@ -54,14 +55,15 @@ func VerifyDetachedSignature(targetPath *paths.Path, signaturePath *paths.Path,
panic("could not open signature keys") panic("could not open signature keys")
} }
defer arduinoKeyringFile.Close() defer arduinoKeyringFile.Close()
return verifySignature(targetPath, signaturePath, arduinoKeyringFile) return VerifySignature(targetPath, signaturePath, arduinoKeyringFile)
} }
//verifySignature is an helper function that checks that the detached GPG signature (in the // VerifySignature checks that the detached GPG signature (in the
// signaturePath file) matches the given targetPath file and is an authentic // signaturePath file) matches the given targetPath file and is an authentic
// signature. If any of the above conditions fails this function returns false. // signature. This function allows to pass an io.Reader to read the custom key.
// If any of the above conditions fails this function returns false.
// The PGP entity in the trusted keychain that produced the signature is returned too. // The PGP entity in the trusted keychain that produced the signature is returned too.
func verifySignature(targetPath *paths.Path, signaturePath *paths.Path, arduinoKeyringFile io.Reader) (bool, *openpgp.Entity, error) { func VerifySignature(targetPath *paths.Path, signaturePath *paths.Path, arduinoKeyringFile io.Reader) (bool, *openpgp.Entity, error) {
keyRing, err := openpgp.ReadKeyRing(arduinoKeyringFile) keyRing, err := openpgp.ReadKeyRing(arduinoKeyringFile)
if err != nil { if err != nil {
return false, nil, fmt.Errorf("retrieving Arduino public keys: %s", err) return false, nil, fmt.Errorf("retrieving Arduino public keys: %s", err)
......
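Review bot: Now that VerifySignature is exported and accepts any caller-supplied keyring, its doc comment should state the trust contract that "trusted keychain" no longer conveys: the signature is only as trustworthy as the keys the caller passes, the reader is consumed to EOF by openpgp.ReadKeyRing, and the function does not close it (VerifyDetachedSignature defers Close itself). The error on the ReadKeyRing failure still says "retrieving Arduino public keys" and formats with `%s`, which is misleading for a custom key and drops the error chain; `return false, nil, fmt.Errorf("reading public keyring: %w", err)` fixes both, assuming the module targets a Go version with `%w`. The sentence "This function allows to pass an io.Reader to read the custom key" would read better as "The keyring is read from the given io.Reader, which the caller must close". VerifySignature's body continues past the section.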