author | Ludovic Courtès <ludo@gnu.org> | 2020-06-10 14:54:13 +0200 |
committer | Ludovic Courtès <ludo@gnu.org> | 2020-06-12 18:56:11 +0200 |
commit | 52c529ff20b389eb64ac033586e6b1a5c5d82cb5 (patch) | |
tree | a7ebdb0c7a019a4062508a58168d7c9a35500879 /tests | |
parent | 7def5056b631978e246211fabe81e0754c795ebe (diff) | |
download | guix-52c529ff20b389eb64ac033586e6b1a5c5d82cb5.tar.gz |
git-authenticate: Disallow SHA1 (and MD5) signatures.
* guix/git-authenticate.scm (commit-signing-key): Add #:disallowed-hash-algorithms and honor it. (authenticate-commit)[recent-commit?]: New variable. Pass #:disallowed-hash-algorithms to 'commit-signing-key'. * tests/git-authenticate.scm ("signed commits, SHA1 signature"): New test.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/git-authenticate.scm | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm
index 84689d628e..97990acaea 100644
--- a/tests/git-authenticate.scm
+++ b/tests/git-authenticate.scm
@@ -81,6 +81,35 @@
 #:keyring-reference "master")
 'failed)))))
 
+(unless (which (git-command)) (test-skip 1))
+(test-assert "signed commits, SHA1 signature"
+ (with-fresh-gnupg-setup (list %ed25519-public-key-file
+ %ed25519-secret-key-file)
+ ;; Force use of SHA1 for signatures.
+ (call-with-output-file (string-append (getenv "GNUPGHOME") "/gpg.conf")
+ (lambda (port)
+ (display "digest-algo sha1" port)))
+
+ (with-temporary-git-repository directory
+ `((add "a.txt" "A")
+ (add "signer.key" ,(call-with-input-file %ed25519-public-key-file
+ get-string-all))
+ (add ".guix-authorizations"
+ ,(object->string
+ `(authorizations (version 0)
+ ((,(key-fingerprint %ed25519-public-key-file)
+ (name "Charlie"))))))
+ (commit "first commit"
+ (signer ,(key-fingerprint %ed25519-public-key-file))))
+ (with-repository directory repository
+ (let ((commit (find-commit repository "first")))
+ (guard (c ((unsigned-commit-error? c)
+ (oid=? (git-authentication-error-commit c)
+ (commit-id commit))))
+ (authenticate-commits repository (list commit)
+ #:keyring-reference "master")
+ 'failed))))))
+
 (unless (gpg+git-available?) (test-skip 1))
 (test-assert "signed commits, default authorizations"
 (with-fresh-gnupg-setup (list %ed25519-public-key-file |
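Review bot: The skip guard on the first added line, `(unless (which (git-command)) (test-skip 1))`, checks only for git, yet the test writes gpg.conf under GNUPGHOME and signs the commit, so it needs GnuPG as well; the neighbouring test in the context lines uses `(unless (gpg+git-available?) (test-skip 1))`, and using that same guard here would make the test skip instead of error on a host without gpg. The `guard` clause expects `unsigned-commit-error?` for a commit that is in fact signed, which is only explained by the commit message; a comment above the `guard` such as `;; A signature made with a disallowed hash algorithm is treated as if the commit were unsigned.` would make the expected outcome explicit to a reader of the test file. The test also depends on gpg honoring `digest-algo sha1` for the Ed25519 key; if a GnuPG release refuses to produce SHA1 signatures, the `commit` step would presumably fail rather than the test being skipped, which may be worth mentioning in the existing `;; Force use of SHA1 for signatures.` comment. The title names MD5 as well, but only SHA1 is exercised here.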