Add a test for signature verification
authorJonathan McDowell <noodles@earth.li>
Fri, 15 Sep 2023 10:09:58 +0000 (15:39 +0530)
committerJonathan McDowell <noodles@earth.li>
Fri, 15 Sep 2023 10:11:30 +0000 (15:41 +0530)
Test signature verification by adding my new ECC key with verification
enabled, which will strip all signatures, then adding my old RSA key,
then re-adding my ECC key. This should result in the ECC key having a
signature from my old RSA key.

keys/README
keys/noodles-ecc.key [new file with mode: 0644]
t/all-037-check-sigs.t [new file with mode: 0755]

index 2244d3eaab8d87369d9a84af4b135a722e802175..8df4a8e83241ad7f1209edd07a87a9f8465424ad 100644 (file)
@@ -15,7 +15,9 @@ blackcat.key
 autodns.key
        A v4 DSA/Elg key.
 noodles.key
-       My v4 DSA/Elg key.
+       My v4 RSA key.
+noodles-ecc.key
+       My v4 ECC ED25519 key.
 putro.key
        A v4 key with a non revocation signature on the public key.
 huggie-rev.key
diff --git a/keys/noodles-ecc.key b/keys/noodles-ecc.key
new file mode 100644 (file)
index 0000000..1adafd6
Binary files /dev/null and b/keys/noodles-ecc.key differ
diff --git a/t/all-037-check-sigs.t b/t/all-037-check-sigs.t
new file mode 100755 (executable)
index 0000000..ed02c23
--- /dev/null
@@ -0,0 +1,31 @@
+#!/bin/sh
+# Check that signatures are only added when they can be verified
+
+set -e
+
+cd ${WORKDIR}
+cp $1 check-sigs.ini
+
+trap cleanup exit
+cleanup () {
+       rm check-sigs.ini
+}
+echo verify_signatures=true >> check-sigs.ini
+
+${BUILDDIR}/onak -b -c check-sigs.ini add < ${TESTSDIR}/../keys/noodles-ecc.key || true
+if ${BUILDDIR}/onak -c $1 vindex 0x9026108FB942BEA4 2>&1 | \
+       grep -q '0x94FA372B2DA8B985'; then
+       echo "* Did not correctly strip unknown signatures"
+       exit 1
+fi
+
+${BUILDDIR}/onak -b -c check-sigs.ini add < ${TESTSDIR}/../keys/noodles.key || true
+
+${BUILDDIR}/onak -b -c check-sigs.ini add < ${TESTSDIR}/../keys/noodles-ecc.key || true
+if ! ${BUILDDIR}/onak -c $1 vindex 0x9026108FB942BEA4 2>&1 | \
+       grep -q '0x94FA372B2DA8B985'; then
+       echo "* Did not correctly verify new signature"
+       exit 1
+fi
+
+exit 0
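Review bot: The first check (the `vindex 0x9026108FB942BEA4 ... | grep -q '0x94FA372B2DA8B985'` block after the initial add) is a negative assertion that also passes when nothing was imported. The add is followed by `|| true`, and `set -e` without pipefail ignores a failing `onak vindex` on the left of the pipe, so an error message with no match is read as "signatures were stripped". Before asserting that the RSA key id is absent, the test should confirm the ECC key is actually in the store, for example by capturing the output once with `out=$(${BUILDDIR}/onak -c $1 vindex 0x9026108FB942BEA4 2>&1)` and failing if it does not show the key. If `onak add` is expected to exit non-zero here, a comment next to `|| true` saying why would help. `cd ${WORKDIR}` and `$1` are also unquoted; `cd "${WORKDIR:?}"` would stop the script from creating and then removing check-sigs.ini in the home directory when WORKDIR is unset.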