2017-12-13 18:14:01 +02:00
|
|
|
package sign
|
|
|
|
|
|
|
|
import (
|
2017-12-13 23:57:24 +02:00
|
|
|
"bytes"
|
|
|
|
"io/ioutil"
|
|
|
|
"os"
|
|
|
|
"os/exec"
|
|
|
|
"path/filepath"
|
2017-12-18 02:18:12 +02:00
|
|
|
"sort"
|
2017-12-13 18:14:01 +02:00
|
|
|
"testing"
|
|
|
|
|
2017-12-18 04:53:48 +02:00
|
|
|
"github.com/goreleaser/goreleaser/internal/artifact"
|
2018-08-15 04:50:20 +02:00
|
|
|
"github.com/goreleaser/goreleaser/pkg/config"
|
|
|
|
"github.com/goreleaser/goreleaser/pkg/context"
|
2017-12-13 18:14:01 +02:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestDescription(t *testing.T) {
|
|
|
|
assert.NotEmpty(t, Pipe{}.String())
|
|
|
|
}
|
2017-12-13 23:57:24 +02:00
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
func TestSignDefault(t *testing.T) {
|
|
|
|
ctx := &context.Context{}
|
|
|
|
Pipe{}.Default(ctx)
|
|
|
|
assert.Equal(t, ctx.Config.Sign.Cmd, "gpg")
|
|
|
|
assert.Equal(t, ctx.Config.Sign.Signature, "${artifact}.sig")
|
|
|
|
assert.Equal(t, ctx.Config.Sign.Args, []string{"--output", "$signature", "--detach-sig", "$artifact"})
|
|
|
|
assert.Equal(t, ctx.Config.Sign.Artifacts, "none")
|
|
|
|
}
|
2017-12-13 23:57:24 +02:00
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
func TestSignDisabled(t *testing.T) {
|
|
|
|
ctx := &context.Context{}
|
|
|
|
ctx.Config.Sign.Artifacts = "none"
|
|
|
|
err := Pipe{}.Run(ctx)
|
2018-05-24 10:50:14 +02:00
|
|
|
assert.EqualError(t, err, "artifact signing is disabled")
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSignSkipped(t *testing.T) {
|
|
|
|
ctx := &context.Context{}
|
|
|
|
ctx.SkipSign = true
|
|
|
|
err := Pipe{}.Run(ctx)
|
|
|
|
assert.EqualError(t, err, "artifact signing is disabled")
|
2017-12-15 19:51:54 +02:00
|
|
|
}
|
2017-12-13 23:57:24 +02:00
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
func TestSignInvalidArtifacts(t *testing.T) {
|
|
|
|
ctx := &context.Context{}
|
|
|
|
ctx.Config.Sign.Artifacts = "foo"
|
|
|
|
err := Pipe{}.Run(ctx)
|
|
|
|
assert.EqualError(t, err, "invalid list of artifacts to sign: foo")
|
|
|
|
}
|
2017-12-13 23:57:24 +02:00
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
func TestSignArtifacts(t *testing.T) {
|
2017-12-13 23:57:24 +02:00
|
|
|
// fix permission on keyring dir to suppress warning about insecure permissions
|
2017-12-17 23:37:27 +02:00
|
|
|
assert.NoError(t, os.Chmod(keyring, 0700))
|
2017-12-13 23:57:24 +02:00
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
tests := []struct {
|
|
|
|
desc string
|
|
|
|
ctx *context.Context
|
|
|
|
signatures []string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
desc: "sign all artifacts",
|
2017-12-17 23:37:27 +02:00
|
|
|
ctx: context.New(
|
|
|
|
config.Project{
|
2017-12-15 19:51:54 +02:00
|
|
|
Sign: config.Sign{Artifacts: "all"},
|
|
|
|
},
|
2017-12-17 23:37:27 +02:00
|
|
|
),
|
2017-12-15 19:51:54 +02:00
|
|
|
signatures: []string{"artifact1.sig", "artifact2.sig", "checksum.sig"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "sign only checksums",
|
2017-12-17 23:37:27 +02:00
|
|
|
ctx: context.New(
|
|
|
|
config.Project{
|
2017-12-15 19:51:54 +02:00
|
|
|
Sign: config.Sign{Artifacts: "checksum"},
|
|
|
|
},
|
2017-12-17 23:37:27 +02:00
|
|
|
),
|
2017-12-15 19:51:54 +02:00
|
|
|
signatures: []string{"checksum.sig"},
|
2017-12-13 23:57:24 +02:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.desc, func(t *testing.T) {
|
|
|
|
testSign(t, tt.ctx, tt.signatures)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
const keyring = "testdata/gnupg"
|
|
|
|
const user = "nopass"
|
|
|
|
|
|
|
|
func testSign(t *testing.T, ctx *context.Context, signatures []string) {
|
|
|
|
// create temp dir for file and signature
|
|
|
|
tmpdir, err := ioutil.TempDir("", "goreleaser")
|
2017-12-17 23:37:27 +02:00
|
|
|
assert.NoError(t, err)
|
2017-12-15 19:51:54 +02:00
|
|
|
defer os.RemoveAll(tmpdir)
|
|
|
|
|
|
|
|
ctx.Config.Dist = tmpdir
|
|
|
|
|
|
|
|
// create some fake artifacts
|
2017-12-18 02:18:12 +02:00
|
|
|
var artifacts = []string{"artifact1", "artifact2", "checksum"}
|
|
|
|
for _, f := range artifacts {
|
2017-12-15 19:51:54 +02:00
|
|
|
file := filepath.Join(tmpdir, f)
|
2017-12-17 23:37:27 +02:00
|
|
|
assert.NoError(t, ioutil.WriteFile(file, []byte("foo"), 0644))
|
2017-12-13 23:57:24 +02:00
|
|
|
}
|
2017-12-17 23:37:27 +02:00
|
|
|
ctx.Artifacts.Add(artifact.Artifact{
|
|
|
|
Name: "artifact1",
|
|
|
|
Path: filepath.Join(tmpdir, "artifact1"),
|
|
|
|
Type: artifact.UploadableArchive,
|
|
|
|
})
|
|
|
|
ctx.Artifacts.Add(artifact.Artifact{
|
|
|
|
Name: "artifact2",
|
|
|
|
Path: filepath.Join(tmpdir, "artifact2"),
|
|
|
|
Type: artifact.UploadableArchive,
|
|
|
|
})
|
|
|
|
ctx.Artifacts.Add(artifact.Artifact{
|
|
|
|
Name: "checksum",
|
|
|
|
Path: filepath.Join(tmpdir, "checksum"),
|
|
|
|
Type: artifact.Checksum,
|
|
|
|
})
|
2017-12-13 23:57:24 +02:00
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
// configure the pipeline
|
2017-12-13 23:57:24 +02:00
|
|
|
// make sure we are using the test keyring
|
2017-12-17 23:37:27 +02:00
|
|
|
assert.NoError(t, Pipe{}.Default(ctx))
|
2017-12-13 23:57:24 +02:00
|
|
|
ctx.Config.Sign.Args = append([]string{"--homedir", keyring}, ctx.Config.Sign.Args...)
|
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
// run the pipeline
|
2017-12-17 23:37:27 +02:00
|
|
|
assert.NoError(t, Pipe{}.Run(ctx))
|
2017-12-13 23:57:24 +02:00
|
|
|
|
2017-12-15 19:51:54 +02:00
|
|
|
// verify that only the artifacts and the signatures are in the dist dir
|
|
|
|
files, err := ioutil.ReadDir(tmpdir)
|
2017-12-17 23:37:27 +02:00
|
|
|
assert.NoError(t, err)
|
2017-12-15 19:51:54 +02:00
|
|
|
gotFiles := []string{}
|
|
|
|
for _, f := range files {
|
|
|
|
gotFiles = append(gotFiles, f.Name())
|
2017-12-13 23:57:24 +02:00
|
|
|
}
|
2017-12-18 02:18:12 +02:00
|
|
|
wantFiles := append(artifacts, signatures...)
|
|
|
|
sort.Strings(wantFiles)
|
|
|
|
assert.Equal(t, wantFiles, gotFiles)
|
2017-12-15 19:51:54 +02:00
|
|
|
|
|
|
|
// verify the signatures
|
|
|
|
for _, sig := range signatures {
|
2017-12-16 01:30:07 +02:00
|
|
|
verifySignature(t, ctx, sig)
|
2017-12-13 23:57:24 +02:00
|
|
|
}
|
2017-12-18 02:18:12 +02:00
|
|
|
|
|
|
|
var signArtifacts []string
|
|
|
|
for _, sig := range ctx.Artifacts.Filter(artifact.ByType(artifact.Signature)).List() {
|
|
|
|
signArtifacts = append(signArtifacts, sig.Name)
|
|
|
|
}
|
|
|
|
// check signature is an artifact
|
|
|
|
assert.Equal(t, signArtifacts, signatures)
|
2017-12-13 23:57:24 +02:00
|
|
|
}
|
2017-12-16 01:30:07 +02:00
|
|
|
|
|
|
|
func verifySignature(t *testing.T, ctx *context.Context, sig string) {
|
|
|
|
artifact := sig[:len(sig)-len(".sig")]
|
|
|
|
|
|
|
|
// verify signature was made with key for usesr 'nopass'
|
|
|
|
cmd := exec.Command("gpg", "--homedir", keyring, "--verify", filepath.Join(ctx.Config.Dist, sig), filepath.Join(ctx.Config.Dist, artifact))
|
|
|
|
out, err := cmd.CombinedOutput()
|
2017-12-18 02:18:12 +02:00
|
|
|
assert.NoError(t, err)
|
2017-12-16 01:30:07 +02:00
|
|
|
|
|
|
|
// check if the signature matches the user we expect to do this properly we
|
|
|
|
// might need to have either separate keyrings or export the key from the
|
|
|
|
// keyring before we do the verification. For now we punt and look in the
|
|
|
|
// output.
|
|
|
|
if !bytes.Contains(out, []byte(user)) {
|
|
|
|
t.Fatalf("signature is not from %s", user)
|
|
|
|
}
|
|
|
|
}
|