;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2020, 2021 Mathieu Othacehe ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2022 Pavel Shlyak ;;; Copyright © 2022 Denis 'GNUtoo' Carikli ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see . (define-module (gnu system image) #:use-module (gu
# GNU Guix --- Functional package management for GNU
# Copyright © 2013, 2014, 2020 Ludovic Courtès <ludo@gnu.org>
#
# This file is part of GNU Guix.
#
# GNU Guix is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GNU Guix is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

#
# Test the 'guix authenticate' command-line utility.
#

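# Abort on the first failing command.  The checks in this script are bare
# 'test' invocations, so without errexit a failed assertion in the middle
# (including the tampered-signature checks) would go unnoticed unless the
# runner itself passes '-e'.
set -e

# Smoke test: the sub-command must at least start and report its version.
guix authenticate --version

# Scratch files, named after the PID so that concurrent runs do not collide.
# The second name lives in 'hash_file' because 'hash' is reassigned further
# down to hold hex digests; the EXIT trap expands its variables when it
# fires, so sharing the name would make it target a file named after the
# last digest instead of the scratch file.
sig="t-signature-$$"
hash_file="t-hash-$$"
rm -f "$sig" "$hash_file"

trap 'rm -f "$sig" "$hash_file"' EXIT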

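# Secret key taken from the test suite's key directory.
# NOTE(review): presumably a test-only key; confirm it is never trusted
# outside the test environment.
key="$abs_top_srcdir/tests/keys/signing-key.sec"

# Byte count for the "LEN:STRING" framing of the request sent on stdin.
# printf with a quoted argument avoids word splitting on the path and the
# non-portable 'echo -n'; tr drops the padding some 'wc' versions print.
key_len="$(printf '%s' "$key" | wc -c | tr -d ' ')"

# A hexadecimal string as long as a sha256 hash.
hash="2749f0ea9f26c6c7be746a9cff8fa4c2f2a02b000070dba78429e9a11f87c6eb"
hash_len="$(printf '%s' "$hash" | wc -c | tr -d ' ')"

# Sign the digest and require a reply that starts with status code 0.
echo "sign $key_len:$key $hash_len:$hash" | guix authenticate > "$sig"
test -f "$sig"
case "$(cat "$sig")" in
    "0 "*) ;;
    *)     echo "broken signature: $(cat "$sig")"
           exit 42;;
esac

# Remove the leading "0".
sed -i "$sig" -e's/^0 //g'

# Round trip: verifying the untouched signature must give back the digest
# that was signed.  The substitutions are quoted so the signature text is
# passed through without word splitting or glob expansion.
hash2="$(echo "verify $(cat "$sig")" | guix authenticate)"
test "$(echo "$hash2" | cut -d : -f 2)" = "$hash"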

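# Detect corrupt signatures: input that is not a signature at all must be
# answered with a non-zero status code in the first field of the reply.
code="$(echo "verify 5:wrong" | guix authenticate | cut -f1 -d ' ')"
test "$code" -ne 0

# Detect invalid signatures.
# The signature has (payload (data ... (hash sha256 #...#))).  We proceed by
# modifying this hash.  The replacement has the same length as the original
# hex string, so the length prefix of the request stays consistent and the
# rejection has to come from the signature check itself.
sed -i "$sig"											\
    -e's|#[A-Z0-9]\{64\}#|#0000000000000000000000000000000000000000000000000000000000000000#|g'

# Confirm the substitution took effect, so that a failure below points at
# the verifier rather than at a tampering step that silently did nothing.
grep -q '#0\{64\}#' "$sig"

code="$(echo "verify $(cat "$sig")" | guix authenticate | cut -f1 -d ' ')"
test "$code" -ne 0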

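# Make sure byte strings are correctly encoded.  The hash string below is
# "café" repeated 8 times.  Libgcrypt would normally choose to write it as a
# string rather than a hex sequence.  We want that string to be Latin-1
# encoded independently of the current locale: <https://bugs.gnu.org/43421>.
hash="636166e9636166e9636166e9636166e9636166e9636166e9636166e9636166e9"
latin1_cafe="caf$(printf '\351')"

# Use the same key path and computed lengths as the other "sign" requests
# instead of a hard-coded relative path with a literal length, which only
# resolves when the script is run from the top of the source tree.  This
# digest is as long as the one 'hash_len' was computed from.
# grep runs in the C locale so the pattern is compared byte for byte.
echo "sign $key_len:$key $hash_len:$hash" | guix authenticate \
    | LC_ALL=C grep "hash sha256 \"$latin1_cafe"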

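# Test for <http://bugs.gnu.org/17312>: make sure 'guix authenticate' produces
# valid signatures when run in the C locale.
hash="5eff0b55c9c5f5e87b4e34cd60a2d5654ca1eb78c7b3c67c3179fed1cff07b4c"

# From here on every command, including 'guix authenticate', runs in the C
# locale.
LC_ALL=C
export LC_ALL

echo "sign $key_len:$key $hash_len:$hash" | guix authenticate > "$sig"

# Remove the leading "0".
sed -i "$sig" -e's/^0 //g'

# The first call leaves the full reply in the test log; the second extracts
# the digest field and compares it with what was signed.  The file name and
# reply are quoted so they are not word-split or glob-expanded.
echo "verify $(cat "$sig")" | guix authenticate
hash2="$(echo "verify $(cat "$sig")" | guix authenticate | cut -f2 -d ' ')"
test "$(echo "$hash2" | cut -d : -f 2)" = "$hash"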
d by IMAGE. Said image can be copied on a USB stick as is. BOOTLOADER is the bootloader that will be installed and configured according to BOOTCFG parameter. Raw images of the IMAGE partitions are first created. Then, genimage is used to assemble the partition images into a disk-image without resorting to a virtual machine. INPUTS is a list of inputs (as for packages). When REGISTER-CLOSURES? is true, register INPUTS in the store database of the image so that Guix can be used in the image." (define genimage-name "image") (define (image->genimage-cfg image) ;; Return as a file-like object, the genimage configuration file ;; describing the given IMAGE. (define (format->image-type format) ;; Return the genimage format corresponding to FORMAT. For now, only ;; the hdimage format (raw disk-image) is supported. (cond ((memq format '(disk-image compressed-qcow2)) "hdimage") (else (raise (condition (&message (message (format #f (G_ "unsupported image type: ~a") format)))))))) (define (partition->dos-type partition) ;; Return the MBR partition type corresponding to the given PARTITION. ;; See: https://en.wikipedia.org/wiki/Partition_type. (let ((flags (partition-flags partition)) (file-system (partition-file-system partition))) (cond ((member 'esp flags) "0xEF") ((string-prefix? "ext" file-system) "0x83") ((or (string=? file-system "vfat") (string=? file-system "fat16")) "0x0E") ((string=? file-system "fat32") "0x0C") (else (raise (condition (&message (message (format #f (G_ "unsupported partition type: ~a") file-system))))))))) (define (partition->gpt-type partition) ;; Return the genimage GPT partition type code corresponding to the ;; given PARTITION. See: ;; https://github.com/pengutronix/genimage/blob/master/README.rst (let ((flags (partition-flags partition)) (file-system (partition-file-system partition))) (cond ((member 'esp flags) "U") ((string-prefix? "ext" file-system) "L") ((or (string=? file-system "vfat") (string=? file-system "fat16") (string=? 
file-system "fat32")) "F") (else (raise (condition (&message (message (format #f (G_ "unsupported partition type: ~a") file-system))))))))) (define (partition-image partition) ;; Return as a file-like object, an image of the given PARTITION. A ;; directory, filled by calling the PARTITION initializer procedure, is ;; first created within the store. Then, an image of this directory is ;; created using tools such as 'mke2fs' or 'mkdosfs', depending on the ;; partition file-system type. (let* ((os (image-operating-system image)) (schema (local-file (search-path %load-path "guix/store/schema.sql"))) (graph (match inputs (((names . _) ...) names))) (type (partition-file-system partition)) (image-builder (with-imported-modules* (let ((initializer (or #$(partition-initializer partition) initialize-root-partition)) (inputs '#+(list e2fsprogs fakeroot dosfstools mtools)) (image-root "tmp-root")) (sql-schema #$schema) (set-path-environment-variable "PATH" '("bin" "sbin") inputs) ;; Allow non-ASCII file names--e.g., 'nss-certs'--to be ;; decoded. (setenv "GUIX_LOCPATH" #+(file-append glibc-utf8-locales "/lib/locale")) (setlocale LC_ALL "en_US.utf8") (initializer image-root #:references-graphs '#$graph #:deduplicate? #f #:copy-closures? (not #$(image-shared-store? image)) #:system-directory #$os #:grub-efi #+grub-efi #:grub-efi32 #+grub-efi32 #:bootloader-package #+(bootloader-package bootloader) #:bootloader-installer #+(bootloader-installer bootloader) #:bootcfg #$bootcfg #:bootcfg-location #$(bootloader-configuration-file bootloader)) (make-partition-image #$(partition->gexp partition) #$output image-root))))) (computed-file "partition.img" image-builder ;; Allow offloading so that this I/O-intensive process ;; doesn't run on the build farm's head node. #:local-build? #f #:options `(#:references-graphs ,inputs)))) (define (gpt-image? image) (eq? 'gpt (image-partition-table-type image))) (define (partition-type-values image partition) (if (gpt-image? 
image) (values "partition-type-uuid" (partition->gpt-type partition)) (values "partition-type" (partition->dos-type partition)))) (define (partition->config image partition) ;; Return the genimage partition configuration for PARTITION. (let-values (((partition-type-attribute partition-type-value) (partition-type-values image partition))) (let ((label (partition-label partition)) (image (partition-image partition)) (offset (partition-offset partition)) (bootable (if (memq 'boot (partition-flags partition)) "true" "false" ))) #~(format #f "~/partition ~a { ~/~/~a = ~a ~/~/image = \"~a\" ~/~/offset = \"~a\" ~/~/bootable = \"~a\" ~/}" #$label #$partition-type-attribute #$partition-type-value #$image #$offset #$bootable)))) (define (genimage-type-options image-type image) (cond ((equal? image-type "hdimage") (format #f "~%~/~/partition-table-type = \"~a\"~%~/" (image-partition-table-type image))) (else ""))) (let* ((format (image-format image)) (image-type (format->image-type format)) (image-type-options (genimage-type-options image-type image)) (partitions (image-partitions image)) (partitions-config (map (cut partition->config image <>) partitions)) (builder #~(begin (let ((format (@ (ice-9 format) format))) (call-with-output-file #$output (lambda (port) (format port "\ image ~a { ~/~a {~a} ~{~a~^~%~} }~%" #$genimage-name #$image-type #$image-type-options (list #$@partitions-config)))))))) (computed-file "genimage.cfg" builder))) (let* ((image-name (image-name image)) (name (if image-name (symbol->string image-name) name)) (format (image-format image)) (substitutable? (image-substitutable? 
image)) (builder (with-imported-modules* (let ((inputs '#+(list genimage coreutils findutils qemu-minimal)) (bootloader-installer #+(bootloader-disk-image-installer bootloader)) (out-image (string-append "images/" #$genimage-name))) (set-path-environment-variable "PATH" '("bin" "sbin") inputs) (genimage #$(image->genimage-cfg image)) ;; Install the bootloader directly on the disk-image. (when bootloader-installer (bootloader-installer #+(bootloader-package bootloader) #$(root-partition-index image) out-image)) (convert-disk-image out-image '#$format #$output))))) (computed-file name builder #:local-build? #f ;too I/O-intensive #:options `(#:substitutable? ,substitutable?)))) ;; ;; ISO9660 image. ;; (define (has-guix-service-type? os) "Return true if OS contains a service of the type GUIX-SERVICE-TYPE." (not (not (srfi-1:find (lambda (service) (eq? (service-kind service) guix-service-type)) (operating-system-services os))))) (define* (system-iso9660-image image #:key (name "image.iso") bootcfg bootloader register-closures? (inputs '()) (grub-mkrescue-environment '())) "Return as a file-like object a bootable, stand-alone iso9660 image. INPUTS is a list of inputs (as for packages). When REGISTER-CLOSURES? is true, register INPUTS in the store database of the image so that Guix can be used in the image. " (define root-label (match (image-partitions image) ((partition) (partition-label partition)))) (define root-uuid (match (image-partitions image) ((partition) (uuid-bytevector (partition-uuid partition))))) (let* ((os (image-operating-system image)) (bootloader (bootloader-package bootloader)) (compression? (image-compression? image)) (substitutable? (image-substitutable? image)) (schema (local-file (search-path %load-path "guix/store/schema.sql"))) (graph (match inputs (((names . _) ...) 
names))) (builder (with-imported-modules* (let* ((inputs '#$(list parted e2fsprogs dosfstools xorriso sed grep coreutils findutils gawk)) (image-root "tmp-root")) (sql-schema #$schema) ;; Allow non-ASCII file names--e.g., 'nss-certs'--to be decoded. (setenv "GUIX_LOCPATH" #+(file-append glibc-utf8-locales "/lib/locale")) (setlocale LC_ALL "en_US.utf8") (set-path-environment-variable "PATH" '("bin" "sbin") inputs) (initialize-root-partition image-root #:references-graphs '#$graph #:deduplicate? #f #:system-directory #$os) (make-iso9660-image #$xorriso '#$grub-mkrescue-environment #$bootloader #$bootcfg #$os image-root #$output #:references-graphs '#$graph #:register-closures? #$register-closures? #:compression? #$compression? #:volume-id #$root-label #:volume-uuid #$root-uuid))))) (computed-file name builder ;; Allow offloading so that this I/O-intensive process ;; doesn't run on the build farm's head node. #:local-build? #f #:options `(#:references-graphs ,inputs #:substitutable? ,substitutable?)))) (define (image-with-label base-image label) "The volume ID of an ISO is the label of the first partition. This procedure returns an image record where the first partition's label is set to