1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
|
#[cfg(unix)]
use std::fs::Permissions;
use std::io::Write as _;
#[cfg(unix)]
use std::os::unix::prelude::PermissionsExt as _;
use std::process::Stdio;
use assert_matches::assert_matches;
use insta::assert_debug_snapshot;
use jj_lib::gpg_signing::GpgBackend;
use jj_lib::gpg_signing::GpgsmBackend;
use jj_lib::signing::SigStatus;
use jj_lib::signing::SignError;
use jj_lib::signing::SigningBackend as _;
use testutils::ensure_running_outside_ci;
use testutils::is_external_tool_installed;
static GPG_PRIVATE_KEY: &str = r#"-----BEGIN PGP PRIVATE KEY BLOCK-----
lFgEZWI3pBYJKwYBBAHaRw8BAQdAaPLTNADvDWapjAPlxaUnx3HXQNIlwSz4EZrW
3Z7hxSwAAP9liwHZWJCGI2xW+XNqMT36qpIvoRcd5YPaKYwvnlkG1w+UtDNTb21l
b25lIChqaiB0ZXN0IHNpZ25pbmcga2V5KSA8c29tZW9uZUBleGFtcGxlLmNvbT6I
kwQTFgoAOxYhBKWOXukGcVPI9eXp6WOHhcsW/qBhBQJlYjekAhsDBQsJCAcCAiIC
BhUKCQgLAgQWAgMBAh4HAheAAAoJEGOHhcsW/qBhyBgBAMph1HkBkKlrZmsun+3i
kTEaOsWmaW/D6NEdMFiw0S/jAP9G3jOYGiZbUN3dWWB2246Oi7SaMTX8Xb2BrLP2
axCbC5RYBGVjxv8WCSsGAQQB2kcPAQEHQE8Oa4ahtVG29gIRssPxjqF4utn8iHPz
m5z/8lX/nl3eAAD5AZ6H2pNhiy2gnGkbPLHw3ZyY4d0NXzCa7qc9EXqOj+sRrLQ9
U29tZW9uZSBFbHNlIChqaiB0ZXN0IHNpZ25pbmcga2V5KSA8c29tZW9uZS1lbHNl
QGV4YW1wbGUuY29tPoiTBBMWCgA7FiEER1BAaEpU3TKUiUvFTtVW6XKeAA8FAmVj
xv8CGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQTtVW6XKeAA/6TQEA
2DkPm3LmH8uG6qLirtf62kbG7T+qljIsarQKFw3CGakA/AveCtrL7wVSpINiu1Rz
lBqJFFP2PqzT0CRfh94HSIMM
=6JC8
-----END PGP PRIVATE KEY BLOCK-----
"#;
static GPGSM_FINGERPRINT: &str = "4C625C10FF7180164F19C6571D513E4E0BEA555C";
static GPGSM_PRIVATE_KEY: &str = r#"-----BEGIN PKCS12-----
MIIEjAIBAzCCBEIGCSqGSIb3DQEHAaCCBDMEggQvMIIEKzCCAuIGCSqGSIb3DQEHBqCCAtMwggLP
AgEAMIICyAYJKoZIhvcNAQcBMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAhW4TA5N5aE
qAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEDyELdhdBjhSJgPcPmmdJQWAggJgR3zZ
ZHJQj2aoCDuPQrxBkklgnDmTF91bDStMX9J6B7ucFS2V7YEO1YcwfdphRRYRCkTO0L4/qLO5l/xg
R0CwchpOUbo9Xl6MHiRZW7nTEU2bO1oq45lTzIQfJtWK9R/Nujvx3KyTIm+2ZGBrVHZ301rmCepU
YtSBmtoo+9rlp+lkkvGh+E9+gWjvDhXUkaxkUjRvx/cdOeEKDM8SmfhX6nZ7lzbnI9xQ4d7g4Sn2
9Y3F0HHe5+qBwd97i4xL1fFQs9vKVe2Iqr46B6T++GuClR+66yjGHxeQ6qjMSAEk4kPP8/LPI5i0
xC15U38J8dOyXX1jNP9W44nu1CpiX7MEuEyeEel4mDq5HzbQp2AOeS6Zg4VSf8nz8uSES48DrPMw
lDFH/YCAWHEPgcTBqMKO0+EnVL4297WNKA8aJiD/tKZZEyS1SGqoXX5eHazZQHD9PReZBv0gTFSz
Aq/K+Gcrsh7I5/lhyuQ6gwbi2uluCdwJirRzc85RrO5GsBxDHdcngy9ez0duLsOf7UVgIku21PmD
d4ureqfT1rQZkE+hGXUc+NNF7ZTvCDHETCJwVgqqZttZ43ILT2yBAG7dV+X7AUNLn/LpZmZ6adIH
gyviuhleTMGoSnPJXCMkEnU00QoROo7yceSikjuaLV33HXEpcepOBRXW91r7DLQWLHT+mX2W8/oA
UX0UKQ2al0R9JrWsQOdGwNcbNHfRldAmRBW7ktOUyXlN71BE90TPjqA2Xu5Ta1yIs+XuU5BUAWzb
v9agzbfU4ZOa9FgSxExE6iQ+NkCuJ+05bHeVVqtbBgqurwswggFBBgkqhkiG9w0BBwGgggEyBIIB
LjCCASowggEmBgsqhkiG9w0BDAoBAqCB7zCB7DBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQww
HAQIjo1upovnkrcCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBF0GsMP3O/uZs3/OHS
Fdl/BIGQmrK7oxltgZa0TihDJ7OVmCnbLawSB5E38Wjo7gSwPa2/1ofg8yU9ZBjdlYQRFevZcj1I
rU307BQIPmjqxIMSV8K/F1OfvWWrfRDXwvvn1CHNM4VuqfoJzwfYsD2jEedXAHN7a90sjtZeDqMs
ibOEeIIN2hOh6FBnaO2f4QVXTUoe4k0BJ2WTMtjoIJod0LKiMSUwIwYJKoZIhvcNAQkVMRYEFExi
XBD/cYAWTxnGVx1RPk4L6lVcMEEwMTANBglghkgBZQMEAgEFAAQgj7Jjd7XJ3icDiNTp080RDoUw
J+57G8w4qtRQPRTuOvcECGz+PguPT+pLAgIIAA==
-----END PKCS12-----
"#;
struct GpgEnvironment {
homedir: tempfile::TempDir,
}
impl GpgEnvironment {
fn new() -> Result<Self, std::process::Output> {
let dir = tempfile::Builder::new()
.prefix("gpg-test-")
.tempdir()
.unwrap();
let path = dir.path();
#[cfg(unix)]
std::fs::set_permissions(path, Permissions::from_mode(0o700)).unwrap();
let mut gpg = std::process::Command::new("gpg")
.arg("--homedir")
.arg(path)
.arg("--import")
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()
.unwrap();
gpg.stdin
.as_mut()
.unwrap()
.write_all(GPG_PRIVATE_KEY.as_bytes())
.unwrap();
gpg.stdin.as_mut().unwrap().flush().unwrap();
let res = gpg.wait_with_output().unwrap();
if !res.status.success() {
eprintln!("Failed to add private key to gpg-agent. Make sure it is running!");
eprintln!("{}", String::from_utf8_lossy(&res.stderr));
return Err(res);
}
Ok(GpgEnvironment { homedir: dir })
}
}
struct GpgsmEnvironment {
homedir: tempfile::TempDir,
}
impl GpgsmEnvironment {
fn new() -> Result<Self, std::process::Output> {
let dir = tempfile::Builder::new()
.prefix("gpgsm-test-")
.tempdir()
.unwrap();
let path = dir.path();
#[cfg(unix)]
std::fs::set_permissions(path, Permissions::from_mode(0o700)).unwrap();
std::fs::write(
path.join("trustlist.txt"),
format!("{GPGSM_FINGERPRINT} S\n"),
)
.unwrap();
let mut gpgsm = std::process::Command::new("gpgsm")
.arg("--homedir")
.arg(path)
.arg("--batch")
.arg("--pinentry-mode")
.arg("loopback")
.arg("--import")
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()
.unwrap();
gpgsm
.stdin
.as_mut()
.unwrap()
.write_all(GPGSM_PRIVATE_KEY.as_bytes())
.unwrap();
gpgsm.stdin.as_mut().unwrap().flush().unwrap();
let res = gpgsm.wait_with_output().unwrap();
if !res.status.success() && res.status.code() != Some(2) {
eprintln!("Failed to add certificate.");
eprintln!("{}", String::from_utf8_lossy(&res.stderr));
return Err(res);
}
Ok(GpgsmEnvironment { homedir: dir })
}
}
macro_rules! gpg_guard {
() => {
if !is_external_tool_installed("gpg") {
ensure_running_outside_ci("`gpg` must be in the PATH");
eprintln!("Skipping test because gpg is not installed on the system");
return;
}
};
}
macro_rules! gpgsm_guard {
() => {
if !is_external_tool_installed("gpgsm") {
ensure_running_outside_ci("`gpgsm` must be in the PATH");
eprintln!("Skipping test because gpgsm is not installed on the system");
return;
}
};
}
fn gpg_backend(env: &GpgEnvironment) -> GpgBackend {
// don't really need faked time for current tests,
// but probably will need it for end-to-end cli tests
GpgBackend::new("gpg".into(), false, "someone@example.com".to_owned()).with_extra_args(&[
"--homedir".into(),
env.homedir.path().as_os_str().into(),
"--faked-system-time=1701042000!".into(),
])
}
fn gpgsm_backend(env: &GpgsmEnvironment) -> GpgsmBackend {
// don't really need faked time for current tests,
// but probably will need it for end-to-end cli tests
GpgsmBackend::new("gpgsm".into(), false, "someone@example.com".to_owned()).with_extra_args(&[
"--homedir".into(),
env.homedir.path().as_os_str().into(),
"--faked-system-time=1742477110!".into(),
])
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpg_signing_roundtrip() {
gpg_guard!();
let env = GpgEnvironment::new().unwrap();
let backend = gpg_backend(&env);
let data = b"hello world";
let signature = backend.sign(data, None).unwrap();
let check = backend.verify(data, &signature).unwrap();
assert_eq!(check.status, SigStatus::Good);
assert_eq!(check.key.unwrap(), "638785CB16FEA061");
assert_eq!(
check.display.unwrap(),
"Someone (jj test signing key) <someone@example.com>"
);
let check = backend.verify(b"so so bad", &signature).unwrap();
assert_eq!(check.status, SigStatus::Bad);
assert_eq!(check.key.unwrap(), "638785CB16FEA061");
assert_eq!(
check.display.unwrap(),
"Someone (jj test signing key) <someone@example.com>"
);
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpg_signing_roundtrip_explicit_key() {
gpg_guard!();
let env = GpgEnvironment::new().unwrap();
let backend = gpg_backend(&env);
let data = b"hello world";
let signature = backend.sign(data, Some("Someone Else")).unwrap();
assert_debug_snapshot!(backend.verify(data, &signature).unwrap(), @r#"
Verification {
status: Good,
key: Some(
"4ED556E9729E000F",
),
display: Some(
"Someone Else (jj test signing key) <someone-else@example.com>",
),
}
"#);
assert_debug_snapshot!(backend.verify(b"so so bad", &signature).unwrap(), @r#"
Verification {
status: Bad,
key: Some(
"4ED556E9729E000F",
),
display: Some(
"Someone Else (jj test signing key) <someone-else@example.com>",
),
}
"#);
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpg_unknown_key() {
gpg_guard!();
let env = GpgEnvironment::new().unwrap();
let backend = gpg_backend(&env);
let signature = br"-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQQs238pU7eC/ROoPJ0HH+PjJN1zMwUCZWPa5AAKCRAHH+PjJN1z
MyylAP9WQ3sZdbC4b1C+/nxs+Wl+rfwzeQWGbdcsBMyDABcpmgD/U+4KdO7eZj/I
e+U6bvqw3pOBoI53Th35drQ0qPI+jAE=
=kwsk
-----END PGP SIGNATURE-----";
assert_debug_snapshot!(backend.verify(b"hello world", signature).unwrap(), @r#"
Verification {
status: Unknown,
key: Some(
"071FE3E324DD7333",
),
display: None,
}
"#);
assert_debug_snapshot!(backend.verify(b"so bad", signature).unwrap(), @r#"
Verification {
status: Unknown,
key: Some(
"071FE3E324DD7333",
),
display: None,
}
"#);
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpg_invalid_signature() {
gpg_guard!();
let env = GpgEnvironment::new().unwrap();
let backend = gpg_backend(&env);
let signature = br"-----BEGIN PGP SIGNATURE-----
super duper invalid
-----END PGP SIGNATURE-----";
// Small data: gpg command will exit late.
assert_matches!(
backend.verify(b"a", signature),
Err(SignError::InvalidSignatureFormat)
);
// Large data: gpg command will exit early because the signature is invalid.
assert_matches!(
backend.verify(&b"a".repeat(100 * 1024), signature),
Err(SignError::InvalidSignatureFormat)
);
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpgsm_signing_roundtrip() {
gpgsm_guard!();
let env = GpgsmEnvironment::new().unwrap();
let backend = gpgsm_backend(&env);
let data = b"hello world";
let signature = backend.sign(data, None);
let signature = signature.unwrap();
let check = backend.verify(data, &signature).unwrap();
assert_eq!(check.status, SigStatus::Good);
assert_eq!(check.key.unwrap(), GPGSM_FINGERPRINT);
assert_eq!(
check.display.unwrap(),
"/CN=JJ Cert/O=GPGSM Signing Test/EMail=someone@example.com"
);
let check = backend.verify(b"so so bad", &signature).unwrap();
assert_eq!(check.status, SigStatus::Bad);
assert_eq!(check.key.unwrap(), GPGSM_FINGERPRINT);
assert_eq!(
check.display.unwrap(),
"/CN=JJ Cert/O=GPGSM Signing Test/EMail=someone@example.com"
);
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpgsm_signing_roundtrip_explicit_key() {
gpgsm_guard!();
let env = GpgsmEnvironment::new().unwrap();
let backend = gpgsm_backend(&env);
let data = b"hello world";
let signature = backend.sign(data, Some("someone@example.com")).unwrap();
assert_debug_snapshot!(backend.verify(data, &signature).unwrap(), @r#"
Verification {
status: Good,
key: Some(
"4C625C10FF7180164F19C6571D513E4E0BEA555C",
),
display: Some(
"/CN=JJ Cert/O=GPGSM Signing Test/EMail=someone@example.com",
),
}
"#);
assert_debug_snapshot!(backend.verify(b"so so bad", &signature).unwrap(), @r#"
Verification {
status: Bad,
key: Some(
"4C625C10FF7180164F19C6571D513E4E0BEA555C",
),
display: Some(
"/CN=JJ Cert/O=GPGSM Signing Test/EMail=someone@example.com",
),
}
"#);
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpgsm_unknown_key() {
gpgsm_guard!();
let env = GpgsmEnvironment::new().unwrap();
let backend = gpgsm_backend(&env);
let signature = br"-----BEGIN SIGNED MESSAGE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0B
BwEAADGCAnYwggJyAgEBMDUwKTEaMBgGA1UEChMRWDUwOSBTaWduaW5nIFRlc3Qx
CzAJBgNVBAMTAkpKAgh8bds9GXiZmzANBglghkgBZQMEAgEFAKCBkzAYBgkqhkiG
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yNTAzMTgyMDAzNDBa
MCgGCSqGSIb3DQEJDzEbMBkwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMC8GCSqG
SIb3DQEJBDEiBCCpSJBPLw9Hm4+Bl2lLMBhLDS7Rwc0qHsD7hdKZoZKkRzANBgkq
hkiG9w0BAQEFAASCAYANOvWCJuOKn018s731TWFHq5wS13xB7L83/2q8Mi9cQ3YT
kq8CQlyJV0spIW7dwztjsllX8X2szE4N0l83ghf3ol6B6n9Vyb844oKgb6cwc9uX
S8D1yiaj1Mfft3PDp+THH+ESezw1Djzj7E53Yx5j3kna/ylJhheg3raWit2MUxI0
V42Svm4PLcpOf+ywzstlSSx9p6Y8woctdkMkpyivNCsfwlRARFGSTP3G9DXZNv03
WZ51zlMT8lsYbT9EJUxzXuEpcJZJL0TYcbJ3n7uSopivHk843onIc71gbH/ByuMp
qokJ7jYzEMrk0YowzsD7wrtwhF5OgpW5ane8vuyquLOrRNX9H/TooE4+8OCM6nvQ
w7jgv1/hsdtDnZCkVaM0plhb2btE7Awgol5M8f9IDz1Z+b0t4ydc/iqHtE9yaqvZ
+aT9XXKKcj9XBhi1S790B4r8YoDyeiyzBs0gwvMuWjWMS7wixTbgx+IkQUrkgTLY
xiNbRmGtEonl9d8JS/IAAAAAAAA=
-----END SIGNED MESSAGE-----
";
assert_debug_snapshot!(backend.verify(b"hello world", signature).unwrap(), @r#"
Verification {
status: Unknown,
key: None,
display: None,
}
"#);
assert_debug_snapshot!(backend.verify(b"so bad", signature).unwrap(), @r#"
Verification {
status: Unknown,
key: None,
display: None,
}
"#);
}
#[test]
#[cfg_attr(windows, ignore = "stuck randomly on Windows CI #3140")] // FIXME
fn gpgsm_invalid_signature() {
gpgsm_guard!();
let env = GpgsmEnvironment::new().unwrap();
let backend = gpgsm_backend(&env);
let signature = br"-----BEGIN SIGNED MESSAGE-----
super duper invalid
-----END SIGNED MESSAGE-----";
// Small data: gpgsm command will exit late.
assert_matches!(
backend.verify(b"a", signature),
Err(SignError::InvalidSignatureFormat)
);
// Large data: gpgsm command will exit early because the signature is invalid.
assert_matches!(
backend.verify(&b"a".repeat(100 * 1024), signature),
Err(SignError::InvalidSignatureFormat)
);
}
|
