1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
summary: Ensure `snap validate` commands work with local assertions.
details: |
A validation set is an assertion that lists specific snaps that are either
required to be installed together or are permitted to be installed together
on a device or system.
The validate command lists or applies validation sets that state which snaps
are required or permitted to be installed together, optionally constrained to
fixed revisions.
This test uses a local assertion to acknowledge a validation set and verifies
the following points:
. `snap validate` command required arguments are required
. monitor mode is supported with a pinned sequence and local validation-set
. a validation set is valid or invalid depending on presence of the snap
. the presence of an optional snap (validation set remains valid)
. a validation set can be forgotten
. monitor mode is supported with a local validation-set (non-pinned)
. monitor mode report valid status when enabled
# This test uses a local validation set assertion (vs1.json) signed upfront
# with my (stolowski) private store key (account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f,
# public-key-sha3: o_x83A3wpIvJznIHBJIK7jRmRZKLlqx5jOr30HUsloFfBseXNF0ztoj18EvNualy);
# the resulting assertion provided with the test is vs1.assert.
#
# If this needs to be redone with another developer account, the steps are:
# 1. update account-id and authority-id in vs1.json for the developer to use.
# 2. snap sign vs1.json -k <gpg key name> > vs1.assert (replace the assert file)
# 3. change account-ids and sha3 checksum used below in the test with
# the desired developer key.
systems:
# go-flags panics when showing --help for a hidden command on Fedora 32/33
- -fedora-*
environment:
ACCOUNT_ID: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
PUBKEY_SHA: o_x83A3wpIvJznIHBJIK7jRmRZKLlqx5jOr30HUsloFfBseXNF0ztoj18EvNualy
prepare : |
echo "Acknowledging account and account-key assertions required by local validation set"
snap known --remote account account-id="$ACCOUNT_ID" > account.assert
snap known --remote account-key public-key-sha3-384="$PUBKEY_SHA" > key.assert
snap ack account.assert
snap ack key.assert
# validation-set assertion ack'ed locally (but not available in the store)
snap ack vs1.assert
# precondition check
snap known validation-set | MATCH "name: hello-world"
execute: |
snap validate --help | MATCH "The validate command lists or applies validation sets"
snap validate 2>&1 | MATCH "No validations are available"
snap validate --monitor 2>&1 | MATCH "missing validation set argument"
snap validate --monitor --enforce foo/bar 2>&1 | MATCH "cannot use --monitor and --enforce together"
snap validate foo 2>&1 | MATCH "cannot parse validation set \"foo\""
echo "Checking enforce mode error"
snap validate --enforce "$ACCOUNT_ID"/bar=1 2>&1 | MATCH "error: cannot apply validation set: cannot enforce validation set: validation sets assertions are not met:"
echo "Tracking not set up yet, but validation is possible with local assertion"
snap validate "$ACCOUNT_ID"/bar=1 2>&1 | MATCH "^invalid"
echo "Checking that monitor mode is supported with a pinned sequence and local validation-set"
snap validate --monitor "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +invalid"
echo "Checking that validation-set is valid or invalid depending on presence of the snap"
snap install hello-world
snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +valid"
snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
# presence of bare snap is optional (validation set was valid
# already and optional snap doesn't change that).
snap install bare
snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
# presence of test-snapd-base-bare is invalid
snap install test-snapd-base-bare
snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
snap remove --purge test-snapd-base-bare
snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
snap remove --purge hello-world
snap validate | MATCH "$ACCOUNT_ID/bar=1 +monitor +1 +invalid"
snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
echo "Checking that validation sets can be forgotten"
snap validate --forget "$ACCOUNT_ID"/bar
snap validate 2>&1 | MATCH "No validations are available"
echo "Checking that monitor mode is supported with a local validation-set (non-pinned)"
snap validate --monitor "$ACCOUNT_ID"/bar | MATCH "^invalid"
snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +invalid"
snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^invalid"
snap validate "$ACCOUNT_ID"/bar | MATCH "^invalid"
snap install hello-world
snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +valid"
snap validate "$ACCOUNT_ID"/bar=1 | MATCH "^valid"
snap validate "$ACCOUNT_ID"/bar | MATCH "^valid"
echo "Check that --monitor mode report valid status when enabled"
snap validate --monitor "$ACCOUNT_ID"/bar | MATCH "^valid"
snap validate | MATCH "$ACCOUNT_ID/bar +monitor +1 +valid"
|
