[jackhill/guix/guix.git] / tests / git-authenticate.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2020, 2022 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-git-authenticate)
  #:use-module (git)
  #:use-module (guix git)
  #:use-module (guix git-authenticate)
  #:use-module ((guix channels) #:select (openpgp-fingerprint))
  #:use-module ((guix diagnostics)
                #:select (formatted-message? formatted-message-arguments))
  #:use-module (guix openpgp)
  #:use-module ((guix tests) #:select (random-text))
  #:use-module (guix tests git)
  #:use-module (guix tests gnupg)
  #:use-module (guix build utils)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-34)
  #:use-module (srfi srfi-35)
  #:use-module (srfi srfi-64)
  #:use-module (rnrs bytevectors)
  #:use-module (rnrs io ports))

;; Test the (guix git-authenticate) tools.

(define (gpg+git-available?)
  (and (which (git-command))
       (which (gpg-command)) (which (gpgconf-command))))

\f
(test-begin "git-authenticate")

(unless (which (git-command)) (test-skip 1))
(test-assert "unsigned commits"
  (with-temporary-git-repository directory
      '((add "a.txt" "A")
        (commit "first commit")
        (add "b.txt" "B")
        (commit "second commit"))
    (with-repository directory repository
      (let ((commit1 (find-commit repository "first"))
            (commit2 (find-commit repository "second")))
        (guard (c ((unsigned-commit-error? c)
                   (oid=? (git-authentication-error-commit c)
                          (commit-id commit1))))
          (authenticate-commits repository (list commit1 commit2)
                                #:keyring-reference "master")
          'failed)))))

(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, SHA1 signature"
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file)
    ;; Force use of SHA1 for signatures.
    (call-with-output-file (string-append (getenv "GNUPGHOME") "/gpg.conf")
      (lambda (port)
        (display "digest-algo sha1" port)))

    (with-temporary-git-repository directory
        `((add "a.txt" "A")
          (add "signer.key" ,(call-with-input-file %ed25519-public-key-file
                               get-string-all))
          (add ".guix-authorizations"
               ,(object->string
                 `(authorizations (version 0)
                                  ((,(key-fingerprint %ed25519-public-key-file)
                                    (name "Charlie"))))))
          (commit "first commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file))))
      (with-repository directory repository
        (let ((commit (find-commit repository "first")))
          (guard (c ((unsigned-commit-error? c)
                     (oid=? (git-authentication-error-commit c)
                            (commit-id commit))))
            (authenticate-commits repository (list commit)
                                  #:keyring-reference "master")
            'failed))))))

(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, default authorizations"
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file)
    (with-temporary-git-repository directory
        `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
                               get-string-all))
          (commit "zeroth commit")
          (add "a.txt" "A")
          (commit "first commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (add "b.txt" "B")
          (commit "second commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file))))
      (with-repository directory repository
        (let ((commit1 (find-commit repository "first"))
              (commit2 (find-commit repository "second")))
          (authenticate-commits repository (list commit1 commit2)
                                #:default-authorizations
                                (list (openpgp-public-key-fingerprint
                                       (read-openpgp-packet
                                        %ed25519-public-key-file)))
                                #:keyring-reference "master"))))))

(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations"
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file)
    (with-temporary-git-repository directory
        `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
                               get-string-all))
          (add ".guix-authorizations"
               ,(object->string
                 `(authorizations (version 0)
                                  ((,(key-fingerprint
                                      %ed25519-public-key-file)
                                    (name "Charlie"))))))
          (commit "zeroth commit")
          (add "a.txt" "A")
          (commit "first commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (add ".guix-authorizations"
               ,(object->string `(authorizations (version 0) ()))) ;empty
          (commit "second commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (add "b.txt" "B")
          (commit "third commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file))))
      (with-repository directory repository
        (let ((commit1 (find-commit repository "first"))
              (commit2 (find-commit repository "second"))
              (commit3 (find-commit repository "third")))
          ;; COMMIT1 and COMMIT2 are fine.
          (and (authenticate-commits repository (list commit1 commit2)
                                     #:keyring-reference "master")

               ;; COMMIT3 is signed by an unauthorized key according to its
               ;; parent's '.guix-authorizations' file.
               (guard (c ((unauthorized-commit-error? c)
                          (and (oid=? (git-authentication-error-commit c)
                                      (commit-id commit3))
                               (bytevector=?
                                (openpgp-public-key-fingerprint
                                 (unauthorized-commit-error-signing-key c))
                                (openpgp-public-key-fingerprint
                                 (read-openpgp-packet
                                  %ed25519-public-key-file))))))
                 (authenticate-commits repository
                                       (list commit1 commit2 commit3)
                                       #:keyring-reference "master")
                 'failed)))))))

(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations, unauthorized merge"
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file
                                %ed25519-2-public-key-file
                                %ed25519-2-secret-key-file)
    (with-temporary-git-repository directory
        `((add "signer1.key"
               ,(call-with-input-file %ed25519-public-key-file
                  get-string-all))
          (add "signer2.key"
               ,(call-with-input-file %ed25519-2-public-key-file
                  get-string-all))
          (add ".guix-authorizations"
               ,(object->string
                 `(authorizations (version 0)
                                  ((,(key-fingerprint
                                      %ed25519-public-key-file)
                                    (name "Alice"))))))
          (commit "zeroth commit")
          (add "a.txt" "A")
          (commit "first commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (branch "devel")
          (checkout "devel")
          (add "devel/1.txt" "1")
          (commit "first devel commit"
                  (signer ,(key-fingerprint %ed25519-2-public-key-file)))
          (checkout "master")
          (add "b.txt" "B")
          (commit "second commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (merge "devel" "merge"
                 (signer ,(key-fingerprint %ed25519-public-key-file))))
      (with-repository directory repository
        (let ((master1 (find-commit repository "first commit"))
              (master2 (find-commit repository "second commit"))
              (devel1  (find-commit repository "first devel commit"))
              (merge   (find-commit repository "merge")))
          (define (correct? c commit)
            (and (oid=? (git-authentication-error-commit c)
                        (commit-id commit))
                 (bytevector=?
                  (openpgp-public-key-fingerprint
                   (unauthorized-commit-error-signing-key c))
                  (openpgp-public-key-fingerprint
                   (read-openpgp-packet %ed25519-2-public-key-file)))))

          (and (authenticate-commits repository (list master1 master2)
                                     #:keyring-reference "master")

               ;; DEVEL1 is signed by an unauthorized key according to its
               ;; parent's '.guix-authorizations' file.
               (guard (c ((unauthorized-commit-error? c)
                          (correct? c devel1)))
                 (authenticate-commits repository
                                       (list master1 devel1)
                                       #:keyring-reference "master")
                 #f)

               ;; MERGE is authorized but one of its ancestors is not.
               (guard (c ((unauthorized-commit-error? c)
                          (correct? c devel1)))
                 (authenticate-commits repository
                                       (list master1 master2
                                             devel1 merge)
                                       #:keyring-reference "master")
                 #f)))))))

(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations, authorized merge"
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file
                                %ed25519-2-public-key-file
                                %ed25519-2-secret-key-file)
    (with-temporary-git-repository directory
        `((add "signer1.key"
               ,(call-with-input-file %ed25519-public-key-file
                  get-string-all))
          (add "signer2.key"
               ,(call-with-input-file %ed25519-2-public-key-file
                  get-string-all))
          (add ".guix-authorizations"
               ,(object->string
                 `(authorizations (version 0)
                                  ((,(key-fingerprint
                                      %ed25519-public-key-file)
                                    (name "Alice"))))))
          (commit "zeroth commit")
          (add "a.txt" "A")
          (commit "first commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (branch "devel")
          (checkout "devel")
          (add ".guix-authorizations"
               ,(object->string                   ;add the second signer
                 `(authorizations (version 0)
                                  ((,(key-fingerprint
                                      %ed25519-public-key-file)
                                    (name "Alice"))
                                   (,(key-fingerprint
                                      %ed25519-2-public-key-file))))))
          (commit "first devel commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (add "devel/2.txt" "2")
          (commit "second devel commit"
                  (signer ,(key-fingerprint %ed25519-2-public-key-file)))
          (checkout "master")
          (add "b.txt" "B")
          (commit "second commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (merge "devel" "merge"
                 (signer ,(key-fingerprint %ed25519-public-key-file)))
          ;; After the merge, the second signer is authorized.
          (add "c.txt" "C")
          (commit "third commit"
                  (signer ,(key-fingerprint %ed25519-2-public-key-file))))
      (with-repository directory repository
        (let ((master1 (find-commit repository "first commit"))
              (master2 (find-commit repository "second commit"))
              (devel1  (find-commit repository "first devel commit"))
              (devel2  (find-commit repository "second devel commit"))
              (merge   (find-commit repository "merge"))
              (master3 (find-commit repository "third commit")))
          (authenticate-commits repository
                                (list master1 master2 devel1 devel2
                                      merge master3)
                                #:keyring-reference "master"))))))

(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations removed"
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file)
    (with-temporary-git-repository directory
        `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
                               get-string-all))
          (add ".guix-authorizations"
               ,(object->string
                 `(authorizations (version 0)
                                  ((,(key-fingerprint
                                      %ed25519-public-key-file)
                                    (name "Charlie"))))))
          (commit "zeroth commit")
          (add "a.txt" "A")
          (commit "first commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (remove ".guix-authorizations")
          (commit "second commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file)))
          (add "b.txt" "B")
          (commit "third commit"
                  (signer ,(key-fingerprint %ed25519-public-key-file))))
      (with-repository directory repository
        (let ((commit1 (find-commit repository "first"))
              (commit2 (find-commit repository "second"))
              (commit3 (find-commit repository "third")))
          ;; COMMIT1 and COMMIT2 are fine.
          (and (authenticate-commits repository (list commit1 commit2)
                                     #:keyring-reference "master")

               ;; COMMIT3 is rejected because COMMIT2 removes
               ;; '.guix-authorizations'.
               (guard (c ((unauthorized-commit-error? c)
                          (oid=? (git-authentication-error-commit c)
                                 (commit-id commit2))))
                 (authenticate-commits repository
                                       (list commit1 commit2 commit3)
                                       #:keyring-reference "master")
                 'failed)))))))

(unless (gpg+git-available?) (test-skip 1))
(test-assert "introductory commit, valid signature"
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file)
    (let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
      (with-temporary-git-repository directory
          `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
                                 get-string-all))
            (add ".guix-authorizations"
                 ,(object->string
                   `(authorizations (version 0)
                                    ((,(key-fingerprint
                                        %ed25519-public-key-file)
                                      (name "Charlie"))))))
            (commit "zeroth commit" (signer ,fingerprint))
            (add "a.txt" "A")
            (commit "first commit" (signer ,fingerprint)))
        (with-repository directory repository
          (let ((commit0 (find-commit repository "zero"))
                (commit1 (find-commit repository "first")))
            ;; COMMIT0 is signed with the right key, and COMMIT1 is fine.
            (authenticate-repository repository
                                     (commit-id commit0)
                                     (openpgp-fingerprint fingerprint)
                                     #:keyring-reference "master"
                                     #:cache-key (random-text))))))))

(unless (gpg+git-available?) (test-skip 1))
(test-equal "introductory commit, missing signature"
  'intro-lacks-signature
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file)
    (let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
      (with-temporary-git-repository directory
          `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
                                 get-string-all))
            (add ".guix-authorizations"
                 ,(object->string
                   `(authorizations (version 0)
                                    ((,(key-fingerprint
                                        %ed25519-public-key-file)
                                      (name "Charlie"))))))
            (commit "zeroth commit")              ;unsigned!
            (add "a.txt" "A")
            (commit "first commit" (signer ,fingerprint)))
        (with-repository directory repository
          (let ((commit0 (find-commit repository "zero")))
            ;; COMMIT0 is not signed.
            (guard (c ((formatted-message? c)
                       ;; Message like "commit ~a lacks a signature".
                       (and (equal? (formatted-message-arguments c)
                                    (list (oid->string (commit-id commit0))))
                            'intro-lacks-signature)))
              (authenticate-repository repository
                                       (commit-id commit0)
                                       (openpgp-fingerprint fingerprint)
                                       #:keyring-reference "master"
                                       #:cache-key (random-text)))))))))

(unless (gpg+git-available?) (test-skip 1))
(test-equal "introductory commit, wrong signature"
  'wrong-intro-signing-key
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file
                                %ed25519-2-public-key-file
                                %ed25519-2-secret-key-file)
    (let ((fingerprint (key-fingerprint %ed25519-public-key-file))
          (wrong-fingerprint (key-fingerprint %ed25519-2-public-key-file)))
      (with-temporary-git-repository directory
          `((add "signer1.key" ,(call-with-input-file %ed25519-public-key-file
                                  get-string-all))
            (add "signer2.key" ,(call-with-input-file %ed25519-2-public-key-file
                                  get-string-all))
            (add ".guix-authorizations"
                 ,(object->string
                   `(authorizations (version 0)
                                    ((,(key-fingerprint
                                        %ed25519-public-key-file)
                                      (name "Charlie"))))))
            (commit "zeroth commit" (signer ,wrong-fingerprint))
            (add "a.txt" "A")
            (commit "first commit" (signer ,fingerprint)))
        (with-repository directory repository
          (let ((commit0 (find-commit repository "zero"))
                (commit1 (find-commit repository "first")))
            ;; COMMIT0 is signed with the wrong key--not the one passed as the
            ;; SIGNER argument to 'authenticate-repository'.
            (guard (c ((formatted-message? c)
                       ;; Message like "commit ~a signed by ~a instead of ~a".
                       (and (equal? (formatted-message-arguments c)
                                    (list (oid->string (commit-id commit0))
                                          wrong-fingerprint fingerprint))
                            'wrong-intro-signing-key)))
             (authenticate-repository repository
                                      (commit-id commit0)
                                      (openpgp-fingerprint fingerprint)
                                      #:keyring-reference "master"
                                      #:cache-key (random-text)))))))))

(unless (gpg+git-available?) (test-skip 1))
(test-equal "authenticate-repository, target not a descendant of intro"
  'target-commit-not-a-descendant-of-intro
  (with-fresh-gnupg-setup (list %ed25519-public-key-file
                                %ed25519-secret-key-file)
    (let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
      (with-temporary-git-repository directory
          `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
                                 get-string-all))
            (add ".guix-authorizations"
                 ,(object->string
                   `(authorizations (version 0)
                                    ((,(key-fingerprint
                                        %ed25519-public-key-file)
                                      (name "Charlie"))))))
            (commit "zeroth commit" (signer ,fingerprint))
            (branch "pre-intro-branch")
            (checkout "pre-intro-branch")
            (add "b.txt" "B")
            (commit "alternate commit" (signer ,fingerprint))
            (checkout "master")
            (add "a.txt" "A")
            (commit "first commit" (signer ,fingerprint))
            (add "c.txt" "C")
            (commit "second commit" (signer ,fingerprint)))
        (with-repository directory repository
          (let ((commit1 (find-commit repository "first"))
                (commit-alt
                 (commit-lookup repository
                                (reference-target
                                 (branch-lookup repository
                                                "pre-intro-branch")))))
            (guard (c ((formatted-message? c)
                       (and (equal? (formatted-message-arguments c)
                                    (list (oid->string (commit-id commit-alt))
                                          (oid->string (commit-id commit1))))
                            'target-commit-not-a-descendant-of-intro)))
              (authenticate-repository repository
                                       (commit-id commit1)
                                       (openpgp-fingerprint fingerprint)
                                       #:end (commit-id commit-alt)
                                       #:keyring-reference "master"
                                       #:cache-key (random-text)))))))))

(test-end "git-authenticate")
Commit	Line	Data
c83eedba	1	;;; GNU Guix --- Functional package management for GNU
36cb04df	2	;;; Copyright © 2020, 2022 Ludovic Courtès <ludo@gnu.org>
c83eedba LC	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
	19	(define-module (test-git-authenticate)
	20	#:use-module (git)
	21	#:use-module (guix git)
	22	#:use-module (guix git-authenticate)
36cb04df LC	23	#:use-module ((guix channels) #:select (openpgp-fingerprint))
	24	#:use-module ((guix diagnostics)
	25	#:select (formatted-message? formatted-message-arguments))
c83eedba	26	#:use-module (guix openpgp)
36cb04df	27	#:use-module ((guix tests) #:select (random-text))
c83eedba LC	28	#:use-module (guix tests git)
	29	#:use-module (guix tests gnupg)
	30	#:use-module (guix build utils)
	31	#:use-module (srfi srfi-1)
	32	#:use-module (srfi srfi-34)
36cb04df	33	#:use-module (srfi srfi-35)
c83eedba LC	34	#:use-module (srfi srfi-64)
	35	#:use-module (rnrs bytevectors)
	36	#:use-module (rnrs io ports))
	37
	38	;; Test the (guix git-authenticate) tools.
	39
c83eedba LC	40	(define (gpg+git-available?)
	41	(and (which (git-command))
	42	(which (gpg-command)) (which (gpgconf-command))))
	43
	44	\f
	45	(test-begin "git-authenticate")
	46
	47	(unless (which (git-command)) (test-skip 1))
	48	(test-assert "unsigned commits"
	49	(with-temporary-git-repository directory
	50	'((add "a.txt" "A")
	51	(commit "first commit")
	52	(add "b.txt" "B")
	53	(commit "second commit"))
	54	(with-repository directory repository
	55	(let ((commit1 (find-commit repository "first"))
	56	(commit2 (find-commit repository "second")))
	57	(guard (c ((unsigned-commit-error? c)
	58	(oid=? (git-authentication-error-commit c)
	59	(commit-id commit1))))
	60	(authenticate-commits repository (list commit1 commit2)
	61	#:keyring-reference "master")
	62	'failed)))))
	63
0a8dd8aa	64	(unless (gpg+git-available?) (test-skip 1))
52c529ff LC	65	(test-assert "signed commits, SHA1 signature"
	66	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	67	%ed25519-secret-key-file)
	68	;; Force use of SHA1 for signatures.
	69	(call-with-output-file (string-append (getenv "GNUPGHOME") "/gpg.conf")
	70	(lambda (port)
	71	(display "digest-algo sha1" port)))
	72
	73	(with-temporary-git-repository directory
	74	`((add "a.txt" "A")
	75	(add "signer.key" ,(call-with-input-file %ed25519-public-key-file
	76	get-string-all))
	77	(add ".guix-authorizations"
	78	,(object->string
	79	`(authorizations (version 0)
	80	((,(key-fingerprint %ed25519-public-key-file)
	81	(name "Charlie"))))))
	82	(commit "first commit"
	83	(signer ,(key-fingerprint %ed25519-public-key-file))))
	84	(with-repository directory repository
	85	(let ((commit (find-commit repository "first")))
	86	(guard (c ((unsigned-commit-error? c)
	87	(oid=? (git-authentication-error-commit c)
	88	(commit-id commit))))
	89	(authenticate-commits repository (list commit)
	90	#:keyring-reference "master")
	91	'failed))))))
	92
c83eedba LC	93	(unless (gpg+git-available?) (test-skip 1))
	94	(test-assert "signed commits, default authorizations"
	95	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	96	%ed25519-secret-key-file)
	97	(with-temporary-git-repository directory
	98	`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
	99	get-string-all))
	100	(commit "zeroth commit")
	101	(add "a.txt" "A")
	102	(commit "first commit"
	103	(signer ,(key-fingerprint %ed25519-public-key-file)))
	104	(add "b.txt" "B")
	105	(commit "second commit"
	106	(signer ,(key-fingerprint %ed25519-public-key-file))))
	107	(with-repository directory repository
	108	(let ((commit1 (find-commit repository "first"))
	109	(commit2 (find-commit repository "second")))
	110	(authenticate-commits repository (list commit1 commit2)
	111	#:default-authorizations
	112	(list (openpgp-public-key-fingerprint
	113	(read-openpgp-packet
	114	%ed25519-public-key-file)))
	115	#:keyring-reference "master"))))))
	116
	117	(unless (gpg+git-available?) (test-skip 1))
	118	(test-assert "signed commits, .guix-authorizations"
	119	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	120	%ed25519-secret-key-file)
	121	(with-temporary-git-repository directory
	122	`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
	123	get-string-all))
	124	(add ".guix-authorizations"
	125	,(object->string
	126	`(authorizations (version 0)
	127	((,(key-fingerprint
	128	%ed25519-public-key-file)
	129	(name "Charlie"))))))
	130	(commit "zeroth commit")
	131	(add "a.txt" "A")
	132	(commit "first commit"
	133	(signer ,(key-fingerprint %ed25519-public-key-file)))
	134	(add ".guix-authorizations"
	135	,(object->string `(authorizations (version 0) ()))) ;empty
	136	(commit "second commit"
	137	(signer ,(key-fingerprint %ed25519-public-key-file)))
	138	(add "b.txt" "B")
	139	(commit "third commit"
	140	(signer ,(key-fingerprint %ed25519-public-key-file))))
	141	(with-repository directory repository
	142	(let ((commit1 (find-commit repository "first"))
	143	(commit2 (find-commit repository "second"))
	144	(commit3 (find-commit repository "third")))
	145	;; COMMIT1 and COMMIT2 are fine.
	146	(and (authenticate-commits repository (list commit1 commit2)
	147	#:keyring-reference "master")
	148
	149	;; COMMIT3 is signed by an unauthorized key according to its
	150	;; parent's '.guix-authorizations' file.
	151	(guard (c ((unauthorized-commit-error? c)
	152	(and (oid=? (git-authentication-error-commit c)
	153	(commit-id commit3))
	154	(bytevector=?
	155	(openpgp-public-key-fingerprint
	156	(unauthorized-commit-error-signing-key c))
157	(openpgp-public-key-fingerprint
158	(read-openpgp-packet
159	%ed25519-public-key-file))))))
160	(authenticate-commits repository
161	(list commit1 commit2 commit3)
162	#:keyring-reference "master")
163	'failed)))))))
164
165	(unless (gpg+git-available?) (test-skip 1))
166	(test-assert "signed commits, .guix-authorizations, unauthorized merge"
167	(with-fresh-gnupg-setup (list %ed25519-public-key-file
168	%ed25519-secret-key-file
9ebc9ca0 AL	169	%ed25519-2-public-key-file
9ebc9ca0 AL	170	%ed25519-2-secret-key-file)
c83eedba LC	171	(with-temporary-git-repository directory
	172	`((add "signer1.key"
	173	,(call-with-input-file %ed25519-public-key-file
	174	get-string-all))
	175	(add "signer2.key"
9ebc9ca0	176	,(call-with-input-file %ed25519-2-public-key-file
c83eedba LC	177	get-string-all))
	178	(add ".guix-authorizations"
	179	,(object->string
	180	`(authorizations (version 0)
	181	((,(key-fingerprint
	182	%ed25519-public-key-file)
	183	(name "Alice"))))))
	184	(commit "zeroth commit")
	185	(add "a.txt" "A")
	186	(commit "first commit"
	187	(signer ,(key-fingerprint %ed25519-public-key-file)))
	188	(branch "devel")
	189	(checkout "devel")
	190	(add "devel/1.txt" "1")
	191	(commit "first devel commit"
9ebc9ca0	192	(signer ,(key-fingerprint %ed25519-2-public-key-file)))
c83eedba LC	193	(checkout "master")
	194	(add "b.txt" "B")
	195	(commit "second commit"
	196	(signer ,(key-fingerprint %ed25519-public-key-file)))
	197	(merge "devel" "merge"
	198	(signer ,(key-fingerprint %ed25519-public-key-file))))
	199	(with-repository directory repository
	200	(let ((master1 (find-commit repository "first commit"))
	201	(master2 (find-commit repository "second commit"))
	202	(devel1 (find-commit repository "first devel commit"))
	203	(merge (find-commit repository "merge")))
	204	(define (correct? c commit)
	205	(and (oid=? (git-authentication-error-commit c)
	206	(commit-id commit))
	207	(bytevector=?
	208	(openpgp-public-key-fingerprint
	209	(unauthorized-commit-error-signing-key c))
	210	(openpgp-public-key-fingerprint
9ebc9ca0	211	(read-openpgp-packet %ed25519-2-public-key-file)))))
c83eedba LC	212
	213	(and (authenticate-commits repository (list master1 master2)
	214	#:keyring-reference "master")
	215
	216	;; DEVEL1 is signed by an unauthorized key according to its
	217	;; parent's '.guix-authorizations' file.
	218	(guard (c ((unauthorized-commit-error? c)
	219	(correct? c devel1)))
	220	(authenticate-commits repository
	221	(list master1 devel1)
	222	#:keyring-reference "master")
	223	#f)
	224
	225	;; MERGE is authorized but one of its ancestors is not.
	226	(guard (c ((unauthorized-commit-error? c)
	227	(correct? c devel1)))
	228	(authenticate-commits repository
	229	(list master1 master2
	230	devel1 merge)
	231	#:keyring-reference "master")
	232	#f)))))))
	233
	234	(unless (gpg+git-available?) (test-skip 1))
	235	(test-assert "signed commits, .guix-authorizations, authorized merge"
	236	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	237	%ed25519-secret-key-file
9ebc9ca0 AL	238	%ed25519-2-public-key-file
9ebc9ca0 AL	239	%ed25519-2-secret-key-file)
c83eedba LC	240	(with-temporary-git-repository directory
	241	`((add "signer1.key"
	242	,(call-with-input-file %ed25519-public-key-file
	243	get-string-all))
	244	(add "signer2.key"
9ebc9ca0	245	,(call-with-input-file %ed25519-2-public-key-file
c83eedba LC	246	get-string-all))
	247	(add ".guix-authorizations"
	248	,(object->string
	249	`(authorizations (version 0)
	250	((,(key-fingerprint
	251	%ed25519-public-key-file)
	252	(name "Alice"))))))
	253	(commit "zeroth commit")
	254	(add "a.txt" "A")
	255	(commit "first commit"
	256	(signer ,(key-fingerprint %ed25519-public-key-file)))
	257	(branch "devel")
	258	(checkout "devel")
	259	(add ".guix-authorizations"
	260	,(object->string ;add the second signer
	261	`(authorizations (version 0)
	262	((,(key-fingerprint
	263	%ed25519-public-key-file)
	264	(name "Alice"))
	265	(,(key-fingerprint
9ebc9ca0	266	%ed25519-2-public-key-file))))))
c83eedba LC	267	(commit "first devel commit"
	268	(signer ,(key-fingerprint %ed25519-public-key-file)))
	269	(add "devel/2.txt" "2")
	270	(commit "second devel commit"
9ebc9ca0	271	(signer ,(key-fingerprint %ed25519-2-public-key-file)))
c83eedba LC	272	(checkout "master")
	273	(add "b.txt" "B")
	274	(commit "second commit"
	275	(signer ,(key-fingerprint %ed25519-public-key-file)))
	276	(merge "devel" "merge"
	277	(signer ,(key-fingerprint %ed25519-public-key-file)))
	278	;; After the merge, the second signer is authorized.
	279	(add "c.txt" "C")
	280	(commit "third commit"
9ebc9ca0	281	(signer ,(key-fingerprint %ed25519-2-public-key-file))))
c83eedba LC	282	(with-repository directory repository
	283	(let ((master1 (find-commit repository "first commit"))
	284	(master2 (find-commit repository "second commit"))
	285	(devel1 (find-commit repository "first devel commit"))
	286	(devel2 (find-commit repository "second devel commit"))
	287	(merge (find-commit repository "merge"))
	288	(master3 (find-commit repository "third commit")))
	289	(authenticate-commits repository
	290	(list master1 master2 devel1 devel2
	291	merge master3)
	292	#:keyring-reference "master"))))))
	293
e7827560 LC	294	(unless (gpg+git-available?) (test-skip 1))
	295	(test-assert "signed commits, .guix-authorizations removed"
	296	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	297	%ed25519-secret-key-file)
	298	(with-temporary-git-repository directory
	299	`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
	300	get-string-all))
	301	(add ".guix-authorizations"
	302	,(object->string
	303	`(authorizations (version 0)
	304	((,(key-fingerprint
	305	%ed25519-public-key-file)
	306	(name "Charlie"))))))
	307	(commit "zeroth commit")
	308	(add "a.txt" "A")
	309	(commit "first commit"
	310	(signer ,(key-fingerprint %ed25519-public-key-file)))
	311	(remove ".guix-authorizations")
	312	(commit "second commit"
	313	(signer ,(key-fingerprint %ed25519-public-key-file)))
	314	(add "b.txt" "B")
	315	(commit "third commit"
	316	(signer ,(key-fingerprint %ed25519-public-key-file))))
	317	(with-repository directory repository
	318	(let ((commit1 (find-commit repository "first"))
	319	(commit2 (find-commit repository "second"))
	320	(commit3 (find-commit repository "third")))
	321	;; COMMIT1 and COMMIT2 are fine.
	322	(and (authenticate-commits repository (list commit1 commit2)
	323	#:keyring-reference "master")
	324
	325	;; COMMIT3 is rejected because COMMIT2 removes
	326	;; '.guix-authorizations'.
	327	(guard (c ((unauthorized-commit-error? c)
	328	(oid=? (git-authentication-error-commit c)
	329	(commit-id commit2))))
	330	(authenticate-commits repository
	331	(list commit1 commit2 commit3)
	332	#:keyring-reference "master")
	333	'failed)))))))
	334
36cb04df LC	335	(unless (gpg+git-available?) (test-skip 1))
	336	(test-assert "introductory commit, valid signature"
	337	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	338	%ed25519-secret-key-file)
	339	(let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
	340	(with-temporary-git-repository directory
	341	`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
	342	get-string-all))
	343	(add ".guix-authorizations"
	344	,(object->string
	345	`(authorizations (version 0)
	346	((,(key-fingerprint
	347	%ed25519-public-key-file)
	348	(name "Charlie"))))))
	349	(commit "zeroth commit" (signer ,fingerprint))
	350	(add "a.txt" "A")
	351	(commit "first commit" (signer ,fingerprint)))
	352	(with-repository directory repository
	353	(let ((commit0 (find-commit repository "zero"))
	354	(commit1 (find-commit repository "first")))
	355	;; COMMIT0 is signed with the right key, and COMMIT1 is fine.
	356	(authenticate-repository repository
	357	(commit-id commit0)
	358	(openpgp-fingerprint fingerprint)
	359	#:keyring-reference "master"
	360	#:cache-key (random-text))))))))
	361
	362	(unless (gpg+git-available?) (test-skip 1))
	363	(test-equal "introductory commit, missing signature"
	364	'intro-lacks-signature
	365	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	366	%ed25519-secret-key-file)
	367	(let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
	368	(with-temporary-git-repository directory
	369	`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
	370	get-string-all))
	371	(add ".guix-authorizations"
	372	,(object->string
	373	`(authorizations (version 0)
	374	((,(key-fingerprint
	375	%ed25519-public-key-file)
	376	(name "Charlie"))))))
	377	(commit "zeroth commit") ;unsigned!
	378	(add "a.txt" "A")
	379	(commit "first commit" (signer ,fingerprint)))
	380	(with-repository directory repository
	381	(let ((commit0 (find-commit repository "zero")))
	382	;; COMMIT0 is not signed.
	383	(guard (c ((formatted-message? c)
	384	;; Message like "commit ~a lacks a signature".
	385	(and (equal? (formatted-message-arguments c)
	386	(list (oid->string (commit-id commit0))))
	387	'intro-lacks-signature)))
	388	(authenticate-repository repository
	389	(commit-id commit0)
	390	(openpgp-fingerprint fingerprint)
	391	#:keyring-reference "master"
	392	#:cache-key (random-text)))))))))
	393
	394	(unless (gpg+git-available?) (test-skip 1))
	395	(test-equal "introductory commit, wrong signature"
	396	'wrong-intro-signing-key
	397	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	398	%ed25519-secret-key-file
399	%ed25519-2-public-key-file
400	%ed25519-2-secret-key-file)
401	(let ((fingerprint (key-fingerprint %ed25519-public-key-file))
402	(wrong-fingerprint (key-fingerprint %ed25519-2-public-key-file)))
403	(with-temporary-git-repository directory
404	`((add "signer1.key" ,(call-with-input-file %ed25519-public-key-file
405	get-string-all))
406	(add "signer2.key" ,(call-with-input-file %ed25519-2-public-key-file
407	get-string-all))
408	(add ".guix-authorizations"
409	,(object->string
410	`(authorizations (version 0)
411	((,(key-fingerprint
412	%ed25519-public-key-file)
413	(name "Charlie"))))))
414	(commit "zeroth commit" (signer ,wrong-fingerprint))
415	(add "a.txt" "A")
416	(commit "first commit" (signer ,fingerprint)))
417	(with-repository directory repository
418	(let ((commit0 (find-commit repository "zero"))
419	(commit1 (find-commit repository "first")))
420	;; COMMIT0 is signed with the wrong key--not the one passed as the
421	;; SIGNER argument to 'authenticate-repository'.
422	(guard (c ((formatted-message? c)
423	;; Message like "commit ~a signed by ~a instead of ~a".
424	(and (equal? (formatted-message-arguments c)
425	(list (oid->string (commit-id commit0))
426	wrong-fingerprint fingerprint))
427	'wrong-intro-signing-key)))
428	(authenticate-repository repository
429	(commit-id commit0)
430	(openpgp-fingerprint fingerprint)
431	#:keyring-reference "master"
432	#:cache-key (random-text)))))))))
433
ca87601d LC	434	(unless (gpg+git-available?) (test-skip 1))
	435	(test-equal "authenticate-repository, target not a descendant of intro"
	436	'target-commit-not-a-descendant-of-intro
	437	(with-fresh-gnupg-setup (list %ed25519-public-key-file
	438	%ed25519-secret-key-file)
	439	(let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
	440	(with-temporary-git-repository directory
	441	`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
	442	get-string-all))
	443	(add ".guix-authorizations"
	444	,(object->string
	445	`(authorizations (version 0)
	446	((,(key-fingerprint
	447	%ed25519-public-key-file)
	448	(name "Charlie"))))))
	449	(commit "zeroth commit" (signer ,fingerprint))
	450	(branch "pre-intro-branch")
	451	(checkout "pre-intro-branch")
	452	(add "b.txt" "B")
	453	(commit "alternate commit" (signer ,fingerprint))
	454	(checkout "master")
	455	(add "a.txt" "A")
	456	(commit "first commit" (signer ,fingerprint))
	457	(add "c.txt" "C")
	458	(commit "second commit" (signer ,fingerprint)))
	459	(with-repository directory repository
	460	(let ((commit1 (find-commit repository "first"))
	461	(commit-alt
	462	(commit-lookup repository
	463	(reference-target
	464	(branch-lookup repository
	465	"pre-intro-branch")))))
	466	(guard (c ((formatted-message? c)
	467	(and (equal? (formatted-message-arguments c)
	468	(list (oid->string (commit-id commit-alt))
	469	(oid->string (commit-id commit1))))
	470	'target-commit-not-a-descendant-of-intro)))
	471	(authenticate-repository repository
	472	(commit-id commit1)
	473	(openpgp-fingerprint fingerprint)
	474	#:end (commit-id commit-alt)
	475	#:keyring-reference "master"
	476	#:cache-key (random-text)))))))))
	477
c83eedba	478	(test-end "git-authenticate")