GPG signing logic

2025-07-03 06:23:45 +00:00 · 2023-05-26 13:03:49 +02:00 · 2023-05-26 13:03:49 +02:00 · f886973249
commit f886973249
parent 358b55efd4
6 changed files with 281 additions and 20 deletions
--- a/testdata/forgejo-release-test.sh
+++ b/testdata/forgejo-release-test.sh
@ -1,12 +1,8 @@
-#!/bin/sh
+#!/bin/bash
 # SPDX-License-Identifier: MIT

 set -ex

-DIR=$(mktemp -d)
-
-trap "rm -fr $DIR" EXIT
-
 test_teardown() {
    setup_api
    api DELETE repos/$REPO/releases/tags/$TAG || true
@ -20,8 +16,8 @@ test_reset_repo() {
    local project="$1"
    api DELETE repos/$REPO || true
    api POST user/repos --data-raw '{"name":"'$project'", "auto_init":true}'
-    git clone $FORGEJO/$REPO $DIR/repo
-    SHA=$(git -C $DIR/repo rev-parse HEAD)
+    git clone $FORGEJO/$REPO $TMP_DIR/repo
+    SHA=$(git -C $TMP_DIR/repo rev-parse HEAD)
 }

 test_setup() {
@ -48,10 +44,10 @@ test_ensure_tag() {
    # idempotent
    #
    ensure_tag
-    api GET repos/$REPO/tags/$TAG > $DIR/tag1.json
+    api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag1.json
    ensure_tag
-    api GET repos/$REPO/tags/$TAG > $DIR/tag2.json
-    diff -u $DIR/tag[12].json
+    api GET repos/$REPO/tags/$TAG > $TMP_DIR/tag2.json
+    diff -u $TMP_DIR/tag[12].json
    #
    # sanity check on the SHA of an existing tag
    #
@ -62,12 +58,73 @@ test_ensure_tag() {
    api DELETE repos/$REPO/tags/$TAG
 }

+test_maybe_sign_release_no_gpg() {
+    test_maybe_sign_release_setup no_gpg
+
+    GPG_PRIVATE_KEY=
+    maybe_sign_release
+
+    ! test -f $RELEASE_DIR/file-one.txt.asc
+}
+
+test_maybe_sign_release_gpg_no_passphrase() {
+    test_maybe_sign_release_setup gpg_no_passphrase
+
+    GPG_PRIVATE_KEY=testdata/gpg-private-no-passphrase.asc
+    maybe_sign_release
+
+    test_maybe_sign_release_skipped
+    test_maybe_sign_release_verify
+}
+
+test_maybe_sign_release_gpg() {
+    test_maybe_sign_release_setup gpg
+
+    GPG_PRIVATE_KEY=testdata/gpg-private.asc
+    GPG_PASSPHRASE=testdata/gpg-private.passphrase
+    maybe_sign_release
+
+    test_maybe_sign_release_skipped
+    test_maybe_sign_release_verify
+}
+
+test_maybe_sign_release_skipped() {
+    ! test -f $RELEASE_DIR/file-one.txt.sha256.asc
+    ! test -f $RELEASE_DIR/file-two.txt.sha256.asc
+}
+
+test_maybe_sign_release_verify() {
+    for file in  $RELEASE_DIR/file-one.txt  $RELEASE_DIR/file-two.txt; do
+	gpg --verify $file.asc $file
+    done
+}
+
+test_maybe_sign_release_setup() {
+    local name="$1"
+
+    echo "========= maybe_sign_release $name ========="
+    RELEASE_DIR=$TMP_DIR/$name
+    mkdir -p $RELEASE_DIR
+    GNUPGHOME=$TMP_DIR/$name/.gnupg
+    mkdir -p $GNUPGHOME
+    touch $RELEASE_DIR/file-one.txt
+    touch $RELEASE_DIR/file-one.txt.sha256
+    touch $RELEASE_DIR/file-two.txt
+    touch $RELEASE_DIR/file-two.txt.sha256
+}
+
+test_maybe_sign_release() {
+    test_maybe_sign_release_no_gpg
+    test_maybe_sign_release_gpg_no_passphrase
+    test_maybe_sign_release_gpg
+}
+
 test_run() {
    local user="$1"
    local project="$2"
    test_teardown
-    to_push=$DIR/binaries-releases-to-push
-    pulled=$DIR/binaries-releases-pulled
+    to_push=$TMP_DIR/binaries-releases-to-push
+    pulled=$TMP_DIR/binaries-releases-pulled
    RELEASE_DIR=$to_push
    REPO=$user/$project
    test_setup $project
@ -83,6 +140,10 @@ test_run() {
    test_wait_release
 }

+TMP_DIR=$(mktemp -d)
+
+trap "rm -fr $TMP_DIR" EXIT
+
 : ${TAG:=v17.8.20-1}

 . $(dirname $0)/../forgejo-release.sh