Project

General

Profile

Feature #9402

Feature #8543: Write regression tests and tests for new features

Generalize automated tests for OpenPGP keys expiration

Added by intrigeri over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Test suite
Target version:
Start date:
05/14/2015
Due date:
% Done:

100%

Feature Branch:
kytv:test/9402-check-all-tails-openpgp-keys
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

In config/chroot_local-includes/lib/live/config/2000-import-gnupg-key we import /usr/share/doc/tails/website/*.key into the desktop user's keyring. Since #9112 was resolved, that now means more keys than it used to. We already have automated tests to ensure that some of these keys are up-to-date and won't expire any time soon. This should be generalized to all keys we import at boot time.

Associated revisions

Revision 0fc81796 (diff)
Added by kytv over 4 years ago

Test all OpenPGP keys shipped with Tails

Will-fix: #9402

Revision 1fe8b0d2
Added by anonym over 4 years ago

Merge remote-tracking branch 'kytv/test/9402-check-all-tails-openpgp-keys' into stable

Fix-committed: #9402

History

#2 Updated by kytv over 4 years ago

intrigeri wrote:

This should be generalized to all keys we import at boot time.

As mentioned at #9405, the new key is not included, but the old expired key is.

pub   4096R/0xC436090F4BB47C6F 2014-07-11
pub   4096R/0xEC57B56EF0C43132 2013-07-24 [expires: 2018-07-23]
pub   4096R/0x1D2975EDF93E735F 2009-08-14 [expires: 2016-12-27]
pub   4096R/0x457080B5A072CBE3 2014-07-11
pub   4096R/0x1202821CBE2CD9C1 2010-10-07 [expired: 2015-04-30]

Edit: I'm mistaken. A persistence volume confused me.

#3 Updated by kytv over 4 years ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from kytv to anonym
  • % Done changed from 0 to 30
  • QA Check set to Ready for QA
  • Feature Branch set to kytv:test/9402-check-all-tails-openpgp-keys

With an ISO built near the Tails 1.2.3 release:

  Scenario: The shipped Tails OpenPGP keys are up-to-date                        # features/checks.feature:25
    Then the OpenPGP keys shipped with Tails will be valid for the next 3 months # features/step_definitions/checks.rb:7
      The following key(s) will not be valid in 3 months: 0D24B36AA9A2A651787876451202821CBE2CD9C1.
      <false> is not true. (Test::Unit::AssertionFailedError)
      ./features/step_definitions/checks.rb:18:in `/^the OpenPGP keys shipped with Tails will be valid for the next (\d+) months$/'
      features/checks.feature:26:in `Then the OpenPGP keys shipped with Tails will be valid for the next 3 months'
Scenario failed at time 00:00:44
Took screenshot "/home/kytv/git/tails/tmp/checks-2015-05-14T17:45:21+00:00.png" 

  Scenario: The Tails Debian repository key is up-to-date                            # features/checks.feature:28
    Then the shipped Tails Debian repository key will be valid for the next 3 months # features/step_definitions/checks.rb:21
      The shipped key 221F9A3C6FA3E09E182E060BC7988EA7A358D82E will not be valid 3 months from now.
      <false> is not true. (Test::Unit::AssertionFailedError)
      ./features/step_definitions/checks.rb:37:in `/^the shipped Tails( Debian repository)? key( [A-Z0-9]+)? will be valid for the next (\d+) months$/'
      features/checks.feature:29:in `Then the shipped Tails Debian repository key will be valid for the next 3 months'
Scenario failed at time 00:00:52
Took screenshot "/home/kytv/git/tails/tmp/checks-2015-05-14T17:45:30+00:00.png" 

Run against an ISO built from the devel branch:

Scenario: The shipped Tails OpenPGP keys are up-to-date                        # features/checks.feature:25
    Then the OpenPGP keys shipped with Tails will be valid for the next 3 months # features/step_definitions/checks.rb:7

  Scenario: The Tails Debian repository key is up-to-date                            # features/checks.feature:28
    Then the shipped Tails Debian repository key will be valid for the next 3 months # features/step_definitions/checks.rb:21

#4 Updated by anonym over 4 years ago

  • Assignee changed from anonym to kytv
  • QA Check changed from Ready for QA to Dev Needed

All looks very nice; I like the error reporting in particular! :)

I have a few minor nitpicks, though:

Then /^the shipped Tails( Debian repository)? key( [A-Z0-9]+)? will be valid for the next (\d+) months$/ do |debian, fingerprint, max_months|
  next if @skip_steps_while_restoring_background
  if fingerprint
    sig_key_fingerprint = fingerprint
    cmd = 'gpg'
    user = LIVE_USER
  end
  if debian
    sig_key_fingerprint = TAILS_DEBIAN_REPO_KEY
    cmd = 'apt-key adv'
    user = 'root'
  end
[...]

Given the step definition's regex, it's valid to run the step the shipped Tails key will be valid for the next 3 months. What is the "Tails key" now that there's no reference to a fingerprint? Indeed, when doing this, sig_key_fingerprint, cmd and user will all be undefined resulting in a name error. It's also possible to specify a fingerprint in the "Debian repository" case, although it will be ignored, which is confusing.

What about this instead?

Then /^the shipped (Debian repository key|OpenPGP key ([A-Z0-9]+)) will be valid for the next (\d+) months$/ do |key_type, fingerprint, max_months|
  if key_type == "Debian repository key" 
    sig_key_fingerprint = TAILS_DEBIAN_REPO_KEY
    cmd = 'apt-key adv'
    user = 'root'
  else
    sig_key_fingerprint = fingerprint
    cmd = 'gpg'
    user = LIVE_USER
  end
[...]

IMHO this is a bit clearer too.

Also, please change the name of sig_key_fingerprint; the sig_ part doesn't make sense any more. IMHO fingerprint is good enough, and then that assignment can be skipped in the "OpenPGP key" case. We only assign fingerprint with TAILS_DEBIAN_REPO_KEY in the "Debian repository key" case.

#5 Updated by kytv over 4 years ago

  • Assignee changed from kytv to anonym
  • QA Check changed from Dev Needed to Ready for QA

The issues have been addressed. (I didn't know how to nest () in the regex steps; thanks to you I see it's dead simple)

#6 Updated by kytv over 4 years ago

#7 Updated by anonym over 4 years ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 30 to 100

#8 Updated by anonym over 4 years ago

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

kytv wrote:

The issues have been addressed. (I didn't know how to nest () in the regex steps; thanks to you I see it's dead simple)

Awesome! IMHO your solution is more elegant than what I suggested. Merged!

#9 Updated by intrigeri about 4 years ago

  • Status changed from Fix committed to Resolved

Also available in: Atom PDF