meta/lib/oeqa/selftest/signing.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

from oeqa.selftest.base import oeSelfTest
from oeqa.utils.commands import runCmd, bitbake, get_bb_var
import os
import glob
import re
from oeqa.utils.decorators import testcase


class Signing(oeSelfTest):

    gpg_dir = ""
    pub_key_name = 'key.pub'
    secret_key_name = 'key.secret'

    @classmethod
    def setUpClass(cls):
        # Import the gpg keys

        cls.gpg_dir = os.path.join(cls.testlayer_path, 'files/signing/')

        # key.secret key.pub are located in gpg_dir
        pub_key_location = cls.gpg_dir + cls.pub_key_name
        secret_key_location = cls.gpg_dir + cls.secret_key_name
        runCmd('gpg --homedir %s --import %s %s' % (cls.gpg_dir, pub_key_location, secret_key_location))

    @classmethod
    def tearDownClass(cls):
        # Delete the files generated by 'gpg --import'

        gpg_files = glob.glob(cls.gpg_dir + '*.gpg*')
        random_seed_file = cls.gpg_dir + 'random_seed'
        gpg_files.append(random_seed_file)

        for gpg_file in gpg_files:
            runCmd('rm -f ' + gpg_file)

    @testcase(1362)
    def test_signing_packages(self):
        """
        Summary:     Test that packages can be signed in the package feed
        Expected:    Package should be signed with the correct key
        Product:     oe-core
        Author:      Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        """

        package_classes = get_bb_var('PACKAGE_CLASSES')
        if 'package_rpm' not in package_classes:
            self.skipTest('This test requires RPM Packaging.')

        test_recipe = 'ed'

        feature = 'INHERIT += "sign_rpm"\n'
        feature += 'RPM_GPG_PASSPHRASE_FILE = "%ssecret.txt"\n' % self.gpg_dir
        feature += 'RPM_GPG_NAME = "testuser"\n'
        feature += 'RPM_GPG_PUBKEY = "%s%s"\n' % (self.gpg_dir, self.pub_key_name)
        feature += 'GPG_PATH = "%s"\n' % self.gpg_dir

        self.write_config(feature)

        bitbake('-c cleansstate %s' % test_recipe)
        bitbake(test_recipe)
        self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)

        pf = get_bb_var('PF', test_recipe)
        deploy_dir_rpm = get_bb_var('DEPLOY_DIR_RPM', test_recipe)
        package_arch = get_bb_var('PACKAGE_ARCH', test_recipe).replace('-', '_')
        staging_bindir_native = get_bb_var('STAGING_BINDIR_NATIVE')

        pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))

        runCmd('%s/rpm --import %s%s' % (staging_bindir_native, self.gpg_dir, self.pub_key_name))

        ret = runCmd('%s/rpm --checksig %s' % (staging_bindir_native, pkg_deploy))
        # tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK
        self.assertIn('rsa sha1 md5 OK', ret.output, 'Package signed incorrectly.')

    @testcase(1382)
    def test_signing_sstate_archive(self):
        """
        Summary:     Test that sstate archives can be signed
        Expected:    Package should be signed with the correct key
        Product:     oe-core
        Author:      Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        """

        test_recipe = 'ed'

        builddir = os.environ.get('BUILDDIR')
        sstatedir = os.path.join(builddir, 'test-sstate')

        self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
        self.add_command_to_tearDown('bitbake -c cleansstate %s' % test_recipe)
        self.add_command_to_tearDown('rm -rf %s' % sstatedir)

        # Determine the pub key signature
        ret = runCmd('gpg --homedir %s --list-keys' % self.gpg_dir)
        pub_key = re.search(r'^pub\s+\S+/(\S+)\s+', ret.output, re.M)
        self.assertIsNotNone(pub_key, 'Failed to determine the public key signature.')
        pub_key = pub_key.group(1)

        feature = 'SSTATE_SIG_KEY ?= "%s"\n' % pub_key
        feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n'
        feature += 'SSTATE_VERIFY_SIG ?= "1"\n'
        feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
        feature += 'SSTATE_DIR = "%s"\n' % sstatedir

        self.write_config(feature)

        bitbake('-c cleansstate %s' % test_recipe)
        bitbake(test_recipe)

        recipe_sig = glob.glob(sstatedir + '/*/*:ed:*_package.tgz.sig')
        recipe_tgz = glob.glob(sstatedir + '/*/*:ed:*_package.tgz')

        self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.')
        self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.')

        ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0]))
        # gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30
        # gpg: Good signature from "testuser (nocomment) <testuser@email.com>"
        self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.')