aboutsummaryrefslogtreecommitdiff
# GNU Guix --- Functional package management for GNU
# Copyright © 2013, 2014, 2020 Ludovic Courtès <ludo@gnu.org>
#
# This file is part of GNU Guix.
#
# GNU Guix is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GNU Guix is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

#
# Test the 'guix authenticate' command-line utility.
#

guix authenticate --version

sig="t-signature-$$"
hash="t-hash-$$"
rm -f "$sig" "$hash"

trap 'rm -f "$sig" "$hash"' EXIT

key="$abs_top_srcdir/tests/keys/signing-key.sec"
key_len="`echo -n $key | wc -c`"

# A hexadecimal string as long as a sha256 hash.
hash="2749f0ea9f26c6c7be746a9cff8fa4c2f2a02b000070dba78429e9a11f87c6eb"
hash_len="`echo -n $hash | wc -c`"

echo "sign $key_len:$key $hash_len:$hash" | guix authenticate > "$sig"
test -f "$sig"
case "$(cat $sig)" in
    "0 "*) ;;
    *)     echo "broken signature: $(cat $sig)"
	   exit 42;;
esac

# Remove the leading "0".
sed -i "$sig" -e's/^0 //g'

hash2="$(echo verify $(cat "$sig") | guix authenticate)"
test "$(echo $hash2 | cut -d : -f 2)" = "$hash"

# Detect corrupt signatures.
code="$(echo "verify 5:wrong" | guix authenticate | cut -f1 -d ' ')"
test "$code" -ne 0

# Detect invalid signatures.
# The signature has (payload (data ... (hash sha256 #...#))).  We proceed by
# modifying this hash.
sed -i "$sig"											\
    -e's|#[A-Z0-9]\{64\}#|#0000000000000000000000000000000000000000000000000000000000000000#|g'
code="$(echo "verify $(cat $sig)" | guix authenticate | cut -f1 -d ' ')"
test "$code" -ne 0

# Make sure byte strings are correctly encoded.  The hash string below is
# "café" repeated 8 times.  Libgcrypt would normally choose to write it as a
# string rather than a hex sequence.  We want that string to be Latin-1
# encoded independently of the current locale: <https://bugs.gnu.org/43421>.
hash="636166e9636166e9636166e9636166e9636166e9636166e9636166e9636166e9"
latin1_cafe="caf$(printf '\351')"
echo "sign 26:tests/keys/signing-key.sec 64:$hash" | guix authenticate \
    | LC_ALL=C grep "hash sha256 \"$latin1_cafe"

# Test for <http://bugs.gnu.org/17312>: make sure 'guix authenticate' produces
# valid signatures when run in the C locale.
hash="5eff0b55c9c5f5e87b4e34cd60a2d5654ca1eb78c7b3c67c3179fed1cff07b4c"

LC_ALL=C
export LC_ALL

echo "sign $key_len:$key $hash_len:$hash" | guix authenticate > "$sig"

# Remove the leading "0".
sed -i "$sig" -e's/^0 //g'

echo "verify $(cat $sig)" | guix authenticate
hash2="$(echo "verify $(cat $sig)" | guix authenticate | cut -f2 -d ' ')"
test "$(echo $hash2 | cut -d : -f 2)" = "$hash"
tory and all its parents, if necessary. Returns the list of created directories, in order of creation. */ Paths createDirs(const Path & path); /* Create a symlink. */ void createSymlink(const Path & target, const Path & link); template<class T, class A> T singleton(const A & a) { T t; t.insert(a); return t; } /* Messages. */ typedef enum { ltPretty, /* nice, nested output */ ltEscapes, /* nesting indicated using escape codes (for log2xml) */ ltFlat /* no nesting */ } LogType; extern LogType logType; extern Verbosity verbosity; /* suppress msgs > this */ class Nest { private: bool nest; public: Nest(); ~Nest(); void open(Verbosity level, const FormatOrString & fs); void close(); }; void printMsg_(Verbosity level, const FormatOrString & fs); #define startNest(varName, level, f) \ Nest varName; \ if (level <= verbosity) { \ varName.open(level, (f)); \ } #define printMsg(level, f) \ do { \ if (level <= nix::verbosity) { \ nix::printMsg_(level, (f)); \ } \ } while (0) #define debug(f) printMsg(lvlDebug, f) void warnOnce(bool & haveWarned, const FormatOrString & fs); void writeToStderr(const string & s); extern void (*_writeToStderr) (const unsigned char * buf, size_t count); /* Wrappers arount read()/write() that read/write exactly the requested number of bytes. */ void readFull(int fd, unsigned char * buf, size_t count); void writeFull(int fd, const unsigned char * buf, size_t count); void writeFull(int fd, const string & s); MakeError(EndOfFile, Error) /* Read a file descriptor until EOF occurs. */ string drainFD(int fd); /* Automatic cleanup of resources. */ template <class T> struct AutoDeleteArray { T * p; AutoDeleteArray(T * p) : p(p) { } ~AutoDeleteArray() { delete [] p; } }; class AutoDelete { Path path; bool del; bool recursive; public: AutoDelete(const Path & p, bool recursive = true); ~AutoDelete(); void cancel(); }; class AutoCloseFD { int fd; public: AutoCloseFD(); AutoCloseFD(int fd); AutoCloseFD(const AutoCloseFD & fd); ~AutoCloseFD(); void operator =(int fd); operator int() const; void close(); bool isOpen(); int borrow(); }; class Pipe { public: AutoCloseFD readSide, writeSide; void create(); }; class AutoCloseDir { DIR * dir; public: AutoCloseDir(); AutoCloseDir(DIR * dir); ~AutoCloseDir(); void operator =(DIR * dir); operator DIR *(); void close(); }; class Pid { pid_t pid; bool separatePG; int killSignal; public: Pid(); Pid(pid_t pid); ~Pid(); void operator =(pid_t pid); operator pid_t(); void kill(bool quiet = false); int wait(bool block); void setSeparatePG(bool separatePG); void setKillSignal(int signal); }; /* An "agent" is a helper program that runs in the background and that we talk to over pipes, such as the "guix offload" program. */ struct Agent { /* Pipes for talking to the agent. */ Pipe toAgent; /* Pipe for the agent's standard output/error. */ Pipe fromAgent; /* Pipe for build standard output/error--e.g., for build processes started by "guix offload". */ Pipe builderOut; /* The process ID of the agent. */ Pid pid; /* The command and arguments passed to the agent along with a list of environment variable name/value pairs. */ Agent(const string &command, const Strings &args, const std::map<string, string> &env = std::map<string, string>()); ~Agent(); }; /* Kill all processes running under the specified uid by sending them a SIGKILL. */ void killUser(uid_t uid); /* Fork a process that runs the given function, and return the child pid to the caller. */ pid_t startProcess(std::function<void()> fun, bool dieWithParent = true, const string & errorPrefix = "error: ", bool runExitHandlers = false); /* Run a program and return its stdout in a string (i.e., like the shell backtick operator). */ string runProgram(Path program, bool searchPath = false, const Strings & args = Strings()); MakeError(ExecError, Error) /* Convert a list of strings to a null-terminated vector of char *'s. The result must not be accessed beyond the lifetime of the list of strings. */ std::vector<char *> stringsToCharPtrs(const Strings & ss); /* Close all file descriptors except stdin, stdout, stderr, and those listed in the given set. Good practice in child processes. */ void closeMostFDs(const set<int> & exceptions); /* Set the close-on-exec flag for the given file descriptor. */ void closeOnExec(int fd); /* Common initialisation performed in child processes. */ void commonChildInit(Pipe & logPipe); /* User interruption. */ extern volatile sig_atomic_t _isInterrupted; void _interrupted(); void inline checkInterrupt() { if (_isInterrupted) _interrupted(); } MakeError(Interrupted, BaseError) /* String tokenizer. */ template<class C> C tokenizeString(const string & s, const string & separators = " \t\n\r"); /* Concatenate the given strings with a separator between the elements. */ string concatStringsSep(const string & sep, const Strings & ss); string concatStringsSep(const string & sep, const StringSet & ss); /* Remove trailing whitespace from a string. */ string chomp(const string & s); /* Convert the exit status of a child as returned by wait() into an error string. */ string statusToString(int status); bool statusOk(int status); /* Parse a string into an integer. */ template<class N> bool string2Int(const string & s, N & n) { std::istringstream str(s); str >> n; return str && str.get() == EOF; } /* Return true iff `s' ends in `suffix'. */ bool hasSuffix(const string & s, const string & suffix); /* Read string `s' from stream `str'. */ void expect(std::istream & str, const string & s); MakeError(FormatError, Error) /* Read a C-style string from stream `str'. */ string parseString(std::istream & str); /* Utility function used to parse legacy ATerms. */ bool endOfList(std::istream & str); /* Exception handling in destructors: print an error message, then ignore the exception. */ void ignoreException(); }