generic-poky/meta/lib/oeqa/selftest/signing.py

from oeqa.selftest.base import oeSelfTest
from oeqa.utils.commands import runCmd, bitbake, get_bb_var
import os
import glob
import re
from oeqa.utils.decorators import testcase


class Signing(oeSelfTest):

    gpg_dir = ""
    pub_key_name = 'key.pub'
    secret_key_name = 'key.secret'

    @classmethod
    def setUpClass(cls):
        # Import the gpg keys

        cls.gpg_dir = os.path.join(cls.testlayer_path, 'files/signing/')

        # key.secret key.pub are located in gpg_dir
        pub_key_location = cls.gpg_dir + cls.pub_key_name
        secret_key_location = cls.gpg_dir + cls.secret_key_name
        runCmd('gpg --homedir %s --import %s %s' % (cls.gpg_dir, pub_key_location, secret_key_location))

    @classmethod
    def tearDownClass(cls):
        # Delete the files generated by 'gpg --import'

        gpg_files = glob.glob(cls.gpg_dir + '*.gpg*')
        random_seed_file = cls.gpg_dir + 'random_seed'
        gpg_files.append(random_seed_file)

        for gpg_file in gpg_files:
            runCmd('rm -f ' + gpg_file)

    @testcase(1362)
    def test_signing_packages(self):
        """
        Summary:     Test that packages can be signed in the package feed
        Expected:    Package should be signed with the correct key
        Product:     oe-core
        Author:      Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        """

        package_classes = get_bb_var('PACKAGE_CLASSES')
        if 'package_rpm' not in package_classes:
            self.skipTest('This test requires RPM Packaging.')

        test_recipe = 'ed'

        feature = 'INHERIT += "sign_rpm"\n'
        feature += 'RPM_GPG_PASSPHRASE_FILE = "%ssecret.txt"\n' % self.gpg_dir
        feature += 'RPM_GPG_NAME = "testuser"\n'
        feature += 'RPM_GPG_PUBKEY = "%s%s"\n' % (self.gpg_dir, self.pub_key_name)
        feature += 'GPG_PATH = "%s"\n' % self.gpg_dir

        self.write_config(feature)

        bitbake('-c cleansstate %s' % test_recipe)
        bitbake(test_recipe)
        self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)

        pf = get_bb_var('PF', test_recipe)
        deploy_dir_rpm = get_bb_var('DEPLOY_DIR_RPM', test_recipe)
        package_arch = get_bb_var('PACKAGE_ARCH', test_recipe).replace('-', '_')
        staging_bindir_native = get_bb_var('STAGING_BINDIR_NATIVE')

        pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))

        runCmd('%s/rpm --import %s%s' % (staging_bindir_native, self.gpg_dir, self.pub_key_name))

        ret = runCmd('%s/rpm --checksig %s' % (staging_bindir_native, pkg_deploy))
        # tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK
        self.assertIn('rsa sha1 md5 OK', ret.output, 'Package signed incorrectly.')

    @testcase(1382)
    def test_signing_sstate_archive(self):
        """
        Summary:     Test that sstate archives can be signed
        Expected:    Package should be signed with the correct key
        Product:     oe-core
        Author:      Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
        """

        test_recipe = 'ed'

        builddir = os.environ.get('BUILDDIR')
        sstatedir = os.path.join(builddir, 'test-sstate')

        self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
        self.add_command_to_tearDown('bitbake -c cleansstate %s' % test_recipe)
        self.add_command_to_tearDown('rm -rf %s' % sstatedir)

        # Determine the pub key signature
        ret = runCmd('gpg --homedir %s --list-keys' % self.gpg_dir)
        pub_key = re.search(r'^pub\s+\S+/(\S+)\s+', ret.output, re.M)
        self.assertIsNotNone(pub_key, 'Failed to determine the public key signature.')
        pub_key = pub_key.group(1)

        feature = 'SSTATE_SIG_KEY ?= "%s"\n' % pub_key
        feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n'
        feature += 'SSTATE_VERIFY_SIG ?= "1"\n'
        feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
        feature += 'SSTATE_DIR = "%s"\n' % sstatedir

        self.write_config(feature)

        bitbake('-c cleansstate %s' % test_recipe)
        bitbake(test_recipe)

        recipe_sig = glob.glob(sstatedir + '/*/*:ed:*_package.tgz.sig')
        recipe_tgz = glob.glob(sstatedir + '/*/*:ed:*_package.tgz')

        self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.')
        self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.')

        ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0]))
        # gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30
        # gpg: Good signature from "testuser (nocomment) <testuser@email.com>"
        self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.')
oeqa/selftest/signing: New test for Signing packages in the package feeds. [YOCTO # 8134] This test verifies features introduced in bug 8134. It requires as resources the files from meta-selftest/files/signing: For 'gpg --gen-key' the used input was: key: RSA key-size: 2048 key-valid: 0 realname: testuser email: testuser@email.com comment: nocomment passphrase: test123 (From OE-Core rev: 6b9d22bfd5414b517a1f0468e1229dfa2294b5fd) Signed-off-by: Daniel Istrate <daniel.alexandrux.istrate@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-11-10 14:38:38 +00:00			`from oeqa.selftest.base import oeSelfTest`
			`from oeqa.utils.commands import runCmd, bitbake, get_bb_var`
			`import os`
			`import glob`
oeqa/selftest/signing: Added new test for signing sstate. [YOCTO #8182] Optional signing sstate archives and signature verification [YOCTO #8559] Signing sstate archives with custom dir for gpg keys (From OE-Core rev: 6a462fbb11db2085e4b6763a601c7fc4ac0025c8) Signed-off-by: Daniel Istrate <daniel.alexandrux.istrate@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-11-10 14:38:39 +00:00			`import re`
oeqa/selftest/signing: New test for Signing packages in the package feeds. [YOCTO # 8134] This test verifies features introduced in bug 8134. It requires as resources the files from meta-selftest/files/signing: For 'gpg --gen-key' the used input was: key: RSA key-size: 2048 key-valid: 0 realname: testuser email: testuser@email.com comment: nocomment passphrase: test123 (From OE-Core rev: 6b9d22bfd5414b517a1f0468e1229dfa2294b5fd) Signed-off-by: Daniel Istrate <daniel.alexandrux.istrate@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-11-10 14:38:38 +00:00			`from oeqa.utils.decorators import testcase`


			`class Signing(oeSelfTest):`

			`gpg_dir = ""`
			`pub_key_name = 'key.pub'`
			`secret_key_name = 'key.secret'`

			`@classmethod`
			`def setUpClass(cls):`
			`# Import the gpg keys`

			`cls.gpg_dir = os.path.join(cls.testlayer_path, 'files/signing/')`

			`# key.secret key.pub are located in gpg_dir`
			`pub_key_location = cls.gpg_dir + cls.pub_key_name`
			`secret_key_location = cls.gpg_dir + cls.secret_key_name`
			`runCmd('gpg --homedir %s --import %s %s' % (cls.gpg_dir, pub_key_location, secret_key_location))`

			`@classmethod`
			`def tearDownClass(cls):`
			`# Delete the files generated by 'gpg --import'`

			`gpg_files = glob.glob(cls.gpg_dir + '.gpg')`
			`random_seed_file = cls.gpg_dir + 'random_seed'`
			`gpg_files.append(random_seed_file)`

			`for gpg_file in gpg_files:`
			`runCmd('rm -f ' + gpg_file)`

			`@testcase(1362)`
			`def test_signing_packages(self):`
			`"""`
			`Summary: Test that packages can be signed in the package feed`
			`Expected: Package should be signed with the correct key`
			`Product: oe-core`
			`Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>`
			`AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>`
			`"""`

			`package_classes = get_bb_var('PACKAGE_CLASSES')`
			`if 'package_rpm' not in package_classes:`
			`self.skipTest('This test requires RPM Packaging.')`

			`test_recipe = 'ed'`

			`feature = 'INHERIT += "sign_rpm"\n'`
			`feature += 'RPM_GPG_PASSPHRASE_FILE = "%ssecret.txt"\n' % self.gpg_dir`
			`feature += 'RPM_GPG_NAME = "testuser"\n'`
			`feature += 'RPM_GPG_PUBKEY = "%s%s"\n' % (self.gpg_dir, self.pub_key_name)`
			`feature += 'GPG_PATH = "%s"\n' % self.gpg_dir`

			`self.write_config(feature)`

			`bitbake('-c cleansstate %s' % test_recipe)`
			`bitbake(test_recipe)`
			`self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)`

			`pf = get_bb_var('PF', test_recipe)`
			`deploy_dir_rpm = get_bb_var('DEPLOY_DIR_RPM', test_recipe)`
			`package_arch = get_bb_var('PACKAGE_ARCH', test_recipe).replace('-', '_')`
			`staging_bindir_native = get_bb_var('STAGING_BINDIR_NATIVE')`

			`pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))`

			`runCmd('%s/rpm --import %s%s' % (staging_bindir_native, self.gpg_dir, self.pub_key_name))`

			`ret = runCmd('%s/rpm --checksig %s' % (staging_bindir_native, pkg_deploy))`
			`# tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK`
			`self.assertIn('rsa sha1 md5 OK', ret.output, 'Package signed incorrectly.')`

oeqa/selftest/signing: Added new test for signing sstate. [YOCTO #8182] Optional signing sstate archives and signature verification [YOCTO #8559] Signing sstate archives with custom dir for gpg keys (From OE-Core rev: 6a462fbb11db2085e4b6763a601c7fc4ac0025c8) Signed-off-by: Daniel Istrate <daniel.alexandrux.istrate@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-11-10 14:38:39 +00:00			`@testcase(1382)`
			`def test_signing_sstate_archive(self):`
			`"""`
			`Summary: Test that sstate archives can be signed`
			`Expected: Package should be signed with the correct key`
			`Product: oe-core`
			`Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>`
			`AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>`
			`"""`

			`test_recipe = 'ed'`

			`builddir = os.environ.get('BUILDDIR')`
			`sstatedir = os.path.join(builddir, 'test-sstate')`

			`self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)`
			`self.add_command_to_tearDown('bitbake -c cleansstate %s' % test_recipe)`
			`self.add_command_to_tearDown('rm -rf %s' % sstatedir)`

			`# Determine the pub key signature`
			`ret = runCmd('gpg --homedir %s --list-keys' % self.gpg_dir)`
			`pub_key = re.search(r'^pub\s+\S+/(\S+)\s+', ret.output, re.M)`
			`self.assertIsNotNone(pub_key, 'Failed to determine the public key signature.')`
			`pub_key = pub_key.group(1)`

			`feature = 'SSTATE_SIG_KEY ?= "%s"\n' % pub_key`
			`feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n'`
			`feature += 'SSTATE_VERIFY_SIG ?= "1"\n'`
			`feature += 'GPG_PATH = "%s"\n' % self.gpg_dir`
			`feature += 'SSTATE_DIR = "%s"\n' % sstatedir`

			`self.write_config(feature)`

			`bitbake('-c cleansstate %s' % test_recipe)`
			`bitbake(test_recipe)`

			`recipe_sig = glob.glob(sstatedir + '//:ed:*_package.tgz.sig')`
			`recipe_tgz = glob.glob(sstatedir + '//:ed:*_package.tgz')`

			`self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.')`
			`self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.')`

			`ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0]))`
			`# gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30`
			`# gpg: Good signature from "testuser (nocomment) <testuser@email.com>"`
			`self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.')`