|
|
|
|
@ -24,7 +24,8 @@ import (
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
pgperrors "golang.org/x/crypto/openpgp/errors" //nolint
|
|
|
|
|
pgperrors "github.com/ProtonMail/go-crypto/openpgp/errors" //nolint
|
|
|
|
|
"github.com/ProtonMail/go-crypto/openpgp/packet" //nolint
|
|
|
|
|
"sigs.k8s.io/yaml"
|
|
|
|
|
|
|
|
|
|
"helm.sh/helm/v4/pkg/chart/v2/loader"
|
|
|
|
|
@ -59,6 +60,9 @@ const (
|
|
|
|
|
// testTamperedSigBlock is a tampered copy of msgblock.yaml.asc
|
|
|
|
|
testTamperedSigBlock = "testdata/msgblock.yaml.tampered"
|
|
|
|
|
|
|
|
|
|
// testMixedKeyring points to a keyring containing RSA and ed25519 keys.
|
|
|
|
|
testMixedKeyring = "testdata/helm-mixed-keyring.pub"
|
|
|
|
|
|
|
|
|
|
// testSumfile points to a SHA256 sum generated by an external tool.
|
|
|
|
|
// We always want to validate against an external tool's representation to
|
|
|
|
|
// verify that we haven't done something stupid. This file was generated
|
|
|
|
|
@ -266,6 +270,58 @@ func TestClearSign(t *testing.T) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestMixedKeyringRSASigningAndVerification(t *testing.T) {
|
|
|
|
|
signer, err := NewFromFiles(testKeyfile, testMixedKeyring)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if signer.Entity == nil {
|
|
|
|
|
t.Fatal("expected signer entity to be loaded")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if signer.Entity.PrivateKey == nil {
|
|
|
|
|
t.Fatal("expected signer private key to be loaded")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if signer.Entity.PrivateKey.PubKeyAlgo != packet.PubKeyAlgoRSA {
|
|
|
|
|
t.Fatalf("expected RSA key but got %v", signer.Entity.PrivateKey.PubKeyAlgo)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
metadataBytes := loadChartMetadataForSigning(t, testChartfile)
|
|
|
|
|
|
|
|
|
|
archiveData, err := os.ReadFile(testChartfile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sig, err := signer.ClearSign(archiveData, filepath.Base(testChartfile), metadataBytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("failed to sign chart: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
verification, err := signer.Verify(archiveData, []byte(sig), filepath.Base(testChartfile))
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("failed to verify chart signature: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if verification.SignedBy == nil {
|
|
|
|
|
t.Fatal("expected verification to include signer")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if verification.SignedBy.PrimaryKey == nil {
|
|
|
|
|
t.Fatal("expected verification to include signer primary key")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if verification.SignedBy.PrimaryKey.PubKeyAlgo != packet.PubKeyAlgoRSA {
|
|
|
|
|
t.Fatalf("expected verification to report RSA key but got %v", verification.SignedBy.PrimaryKey.PubKeyAlgo)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if _, ok := verification.SignedBy.Identities[testKeyName]; !ok {
|
|
|
|
|
t.Fatalf("expected verification to be signed by %q", testKeyName)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// failSigner always fails to sign and returns an error
|
|
|
|
|
type failSigner struct{}
|
|
|
|
|
|
|
|
|
|
|
Siew Kam Onn
7 days ago