commit 2eeb8068d7a343e3a924b0c379de8393e8231fef
from: Josh Rickmar
date: Mon Jul 04 21:18:01 2022 UTC
regress test SSH key revocations ok stsp@
commit - 02a5c5d00338c9549f6a399391841bd8219d91cf
commit + 2eeb8068d7a343e3a924b0c379de8393e8231fef
blob - 522d1dea0ce53ec2b119b3ef279d22df95d99d1b
blob + 217af530810b91c6f6861398bf49b4c6f5403578
--- regress/cmdline/tag.sh
+++ regress/cmdline/tag.sh
@@ -271,7 +271,10 @@ test_tag_create_ssh_signed() {
 return 1
 fi
 touch $testroot/allowed_signers
- echo "allowed_signers \"$testroot/allowed_signers\"" > \
+ touch $testroot/revoked_signers
+ echo "allowed_signers \"$testroot/allowed_signers\"" >> \
+ $testroot/repo/.git/got.conf
+ echo "revoked_signers \"$testroot/revoked_signers\"" >> \
 $testroot/repo/.git/got.conf
 
 # Create a signed tag based on repository's HEAD reference
@@ -327,6 +330,22 @@ test_tag_create_ssh_signed() {
 return 1
 fi
 
+ # Ensure validation fails after revoking the key
+ ssh-keygen -y -f $testroot/id_ed25519 >> $testroot/revoked_signers
+ echo "signature: Could not verify signature." > \
+ $testroot/stdout.expected
+ VERIFY_STDOUT=$(got tag -r $testroot/repo -V $tag 2> $testroot/stderr)
+ ret=$?
+ echo "$VERIFY_STDOUT" | grep '^signature: ' > $testroot/stdout
+ if [ $ret -eq 0 ]; then
+ diff -u $testroot/stdout.expected $testroot/stdout
+ test_done "$testroot" "1"
+ return 1
+ fi
+
+ # Later tests expect validation to work
+ echo -n > $testroot/revoked_signers
+
 # Ensure that Git recognizes and verifies the tag Got has created
 (cd $testroot/repo && git checkout -q $tag)
 ret=$?
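Review bot: The first `echo` now appends (`>>`) to `$testroot/repo/.git/got.conf` where it used to truncate (`>`), so the test no longer starts from a known config; only the new `revoked_signers` line needs `>>`. The earlier part of test_tag_create_ssh_signed is outside the hunk, so it is not visible whether got.conf already holds content that must survive. If it does, a comment such as `# append: keep settings written to got.conf above` would record that; if it does not, keep `>` on the `allowed_signers` write so stale directives cannot accumulate.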
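Review bot: The revocation check in the second hunk passes on any non-zero exit from `got tag -V`, because `stdout.expected` is only used for the `diff` shown when `$ret -eq 0`. A verification failure caused by something other than the revoked key (an unreadable `revoked_signers`, a config parse error, a missing helper) would satisfy the test just as well, so a regression in revocation handling could go unnoticed. After the existing `if` block, compare the captured `signature:` line with the expected text and fail the test on mismatch, as sketched below. The function body starts and ends outside the hunk.

```shell
	if [ $ret -eq 0 ]; then
		# … unchanged: diff, test_done, return 1 …
	fi

	# A non-zero exit alone does not show that revocation was the cause
	cmp -s $testroot/stdout.expected $testroot/stdout
	ret=$?
	if [ $ret -ne 0 ]; then
		diff -u $testroot/stdout.expected $testroot/stdout
		test_done "$testroot" "$ret"
		return 1
	fi
```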