From 8519141e5ee46dcac44221de39c76d0def5a0088 Mon Sep 17 00:00:00 2001
From: Jonathan McDowell <noodles@earth.li>
Date: Fri, 15 Sep 2023 15:39:58 +0530
Subject: [PATCH] Add a test for signature verification

Test signature verification by adding my new ECC key with verification
enabled, which will strip all signatures, then adding my old RSA key,
then readding my ECC key. This should result in the ECC key having a
signature from my old RSA key.
---
 keys/README            |   4 +++-
 keys/noodles-ecc.key   | Bin 0 -> 4911 bytes
 t/all-037-check-sigs.t |  31 +++++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 keys/noodles-ecc.key
 create mode 100755 t/all-037-check-sigs.t

diff --git a/keys/README b/keys/README
index 2244d3e..8df4a8e 100644
--- a/keys/README
+++ b/keys/README
@@ -15,7 +15,9 @@ blackcat.key
 autodns.key
 	A v4 DSA/Elg key.
 noodles.key
-	My v4 DSA/Elg key.
+	My v4 RSA key.
+noodles-ecc.key
+	My v4 ECC ED25519 key.
 putro.key
 	A v4 key with a non revocation signature on the public key.
 huggie-rev.key
diff --git a/keys/noodles-ecc.key b/keys/noodles-ecc.key
new file mode 100644
index 0000000000000000000000000000000000000000..1adafd6ba95a597f01e733e197c19f55cd1dd77f
GIT binary patch
literal 4911
zcmaKvWl$9E+J|?Sg{8X@kPsvUDG?E*OHxD-LD{7ic1b}>5LgzFPU(^cDT$?FX-P@x
zjz1~g@ya=`bIzyp^*8g(^P79Fx$n8+MZjkB@tw2;e0V@Ga8j8J2!zP!ee3fw&-HY$
zg$%thX8jpHPorMguj9#hhb*f3cx0lff>X`T7U~3t+TPVLRj_k0M<VY&wY9S|Lz=&r
zF^4)j!3B_3(t%&VRJ4QuX<9b0Y+6OtD=*uV*%I&c2rlyQ8o9<ST+r>uASNI#0Zxl0
z0GEgWAA*BRLr8#6gi8y;0RliQKoFfbfRKRv?~_1Xz$Gzymx+vX@T9uu)bQYv^|IEs
z+oK;zpK#G^p3`;Fo&&h~SmlK?q?`=+BKJfa8EICl_1hRWO2l5=4wCOtW9S5a28n>l
zfrJ3&KgHZxE4h;bN1u-zasZAV71&cS>(l-zwqe|N`|sZ*=MmYBUCbHh5~@WxShnMt
zZ#<W;&*E4AW~w)uyQj9{iPMQe48LZr!7#tYG2`m6&g>~B!GwUgmgU)*oli9Gk>xUJ
zyX7yNIR&hJL0yS>eng_9ZKi(5I_0F-q_6#VsM!;M=$_2%m9jpVk@?R_%8K9`b(I6E
zX=C@k)UWgrPd$}_qaMATTy=ShQ2s!SG1bSZYhh3Ki;q>FBJ;I<&N4pQSG7<dI_~pP
zevX#t8-vDJ5t%r#HDP`MuR~74i1@GN@MrA9H@`k#<2oFc^2jcVFm;94_(I8`Qn_^^
zy^Q8+qq(PoO3hA2Osd~$$`cbTn3|0WPa>i3RxqlTXw*>w-t((5(3zq0Gq8vCnq$~?
z``uO(BhQkufbJ(Sn>D|Rbf7&{o}Q9GkMl&{H9sN>E$wM0(gQkeLl1T83$?KVuT2JW
z_8+qeklt78-JQ=nw=M&{ojV))oDH6~WJmvinMqeXQ`feA%4&AE|F=K<N3-CFYcU1l
z?R$w3({BxPF?fDF>ZxNS%5iJU3X%pX2Nc5NmG)lk0YRqRXYIe_B#VZ@`xZ;1s!4#r
z&3^Gx1#}B{Jxd<)qqtoD(oP}4=N~&!K#~xPUTwV}{zM}N<|fr~9oFG>GvaFJG0_7G
z$e$a%{cI!@M;1|99HQNZSLR;=FJRaYIG@0&*t$zP{(n=0|1WCjqQ?rIEu;~9;Mgao
zTF(d9iuB-rsM+K(xuxcBB7R18qgp#=`opFyY362l+z}cl-cpq9!OcjG`hqtgMjOtn
zX>KL$hncfN4Z9z?;O+l5yv8vjxz|lYc;&XCgH<z}#K^W!$psaE1$=gph{F0&Vc+%#
z;+x-9n{PJDQ_-c>q&$T7j&5pY=XbuM=^s?DT739T!OlxFj?BMqz*&la(^fqPe!ZH`
zDPnC8B~0B-yIV`i@1f@hEIXZ7f7wR-Wzj=U<t3bMFC%R>5%5peqwES~z}$#pP>7{x
zriqSZ{!x@enW<-gLYB6Ci_R+JRwma&?KZQTCSJhBeMkHE8>AIIfij^tqK532_xEDj
z!t$<BVY<9vC;~^s`G@d{0tWvcb!h$Nt8SyZgU@EZAVF89y5oqWWFgC##ux#&E!=P6
zv@`4}*&%++ajcYarC7C1SCQd+GAj`U5T$2su8o>E$=H4CA2#LFGKm@NKEw+?X9JpX
z@E$(aoqxg}H}T`-Iu-Dk%#y+A?y;J_hPuzBSoN6D{w~1cX1P{6TK!<^epz#9ydR*b
zYg_+)Etm%b6dC%K9M4900mEI{VHtKwS^<+$5APE$eq}tGNNFg5%4MNYjG8bZ$<?Y<
zdNbkmbutdFg%8(j5kn*bH03-&R^2CX?TH(L^{3Zl>#-fC@S3e4d`sLX_=>#SjDkZg
z!UkDx+Q+@AlpHTVdVdD~XV>T@E+ZcxY=q6%dNP)lBsf$mNhEHm;e*{$^EdI$f?PlQ
zr_}2s4`qo=_l}K!IcKNd4|SFNh7E3Gu}p@VScqtrG=lqUs#}PDr|lw@{RDZF&5Rqf
z>T~fj-&rT>Mq7*h{bR$=zD-_x^#sqUKqNY?q9TiizV_PgILFhgFQz;{Fb{NjJYuN-
z(8wtHZdHtb;Tg_BI$&_RYhVo$BJdlZZFmJd*7jWk>)9)e<b4)o@;i^kXV#(js=D`+
z^@onjdgdRim;7LSg{7aeHe9l_nJo>lch0$6#$&;cV>P$b1IKC9Yw{ekuqjp>S(8f%
ziWd<a>}C)a_POBLT8cJ@#2iByJ-<eLduE+r*Tn>{s95bdavqa&;VyKbudDC;-y8Z@
zX21kFy)Lr+;fV|H%96TYMXBDure=3LwZF+iFWEI`UP42uy8@|!&h%J<t9-C7T;Y)_
zL&bH%($eT<JA6%8Y0T&gRj?C-gu@6)L<xWJ<GvF1o2l}yV{!@6)LeE|mFA2nxYF?U
zb$V-7QS+vqw0D-9M)|Hb%*|vkMs)eq^2b#l7K?H(Ry~=Hl@lGL$coAeP^wCgd5*8U
zFCX2|(91#CYE4lKfB%(cZ{=c!O#T}fuglw<LG_ONP?$(647ZvC4|$k=Ud6XFimSSV
zW-v9dCDkUxu_RfTK*FAtsqPs@eY?wbuGr<0z-_@>I_R)eM7?Woo&PLenmbx-vr@vc
zM7b{N?Mt2yry+Bpv<%*9OTA|m`X8R`$4fa6+HikGjVULnLpoy)DG5ULl7jQk-ee4E
z(%C;e8@DNw_zsydMuAjR#O|n|#!g%Bnc`{lAXHNBbAm6K%2hd3TaPgQ+`VsVb?B;f
zE(Oso^*SF=6n(5SS^J-&fUitHEy@Tu3php}-9*nN^U+ew3To)4>F+kBvtH5x9ofpC
zyk<ldlb*Lt)HG6QSGT`Hm<x%n);x}CBBdm>TVtE64=q>Ncz;ub==DCBcuyRGDx%-w
zza;!p^Yk?m!%L-Z`x(SoJu9cd%S-rW`tI0*o@f>EIFF*;BkIaes{PC*<Afs=Qe3B%
zIat}9lxj(k0QR)fXKxTMP<$fJizpWU-_(#kiD~`kA!xEXq?<P8T%7MgUJd#WHS-BV
zx77SiPN~SQ=q7#Mi?w)}%YG{&1=U58)}miK(^__yyeX2Z-7eAA9@prI-T0Z;MJ3zd
z|Inh;($yPNKQ`(%zcBtvBfJ4KH2P5o#xpW5_VH)-G4U{dyP;JEb7-5jo%vx_sA7&7
zyf+6b84!%?LQoVw&@*`z7+i9q_N!Aj>Yl>8iHEPI1fp9F*K>ZR?%<u$KS*#5^m>~y
z@~Zm{-B?lQL9<S5;z5AXPq(V&%+E5%g&)%(;`xG2NTb$0o+$}4(RrfX!8fBE>4U_Y
zQIixA5VO|q5gEB5<Lkhur7qVLA1Ut?PYt5ad6;V#9eh-?E5~Xk(e?DU;a(>;mrh3N
z<n`ZPXRA(`bku4tH&Z#IB&G`ypD|3uH1UaiXJF3thL_EUcmqZcyXrmCV2%SN!PSdX
z<@uKd?O>m7+oY+8L@B-VK^e<Ijaht!O*HL=ywf~k9plhDh#mo{jLBJ;=j0go>Eznt
z%l*mOlc$e*$(b=+>${AR1gHCqs%kF8AzijZ6YKUg0XLp?okB6O|4<JGU-ksiuWi7K
z0f)0RL#RF<J~RL1FfOU8?fxKBitChsl=|8k2rCUe8#6{(04g!b*C+it7tXt9P0^Zm
z$Ao*^pQ0ve?YfZ{t&gv+3lok}D?;{?9_}*Qyf{jWnaa(?`Xw(<5)O$2F#;D4;43AR
zJO541)QWsc+&CAPSw<<n!h(xTHIya!4>iB(-`!I4H&IL>yCjpF3aoewTwJ>B3e~7y
zMw{vz^`WAbt%W+?KbY^AwJ;btWfaxPd9~|IDQ$tgzwaiSE=!P|UbylpBQ1D#E@f|7
zdclRVP;#Da`er#U-5ttD3vf*_Y)toh8#8PimZgb8W!K2%`J%}ek-+KoHVfVAnJj$`
zedeqH1_Kw$`Uk1i1O3=!s_qwiLu;m~lD0LL;L-SjhzFm-waY`-V3Pu+=S8VCllo|<
zo>AS0_oMj(pR&=g!Ym6qZ#viNYw1I8BHdADt5#1k@H~uHnR*LGLIM?yjdj2?##<oI
zz18g!*?If#_uQ$qINd5c^Q&}T>?-bW^h;Yu$DUy$(fL=W=B96k`KgU&E<y&~xR)KO
zN9?4&EGOtI>O)!U$Dj-HC*R*g%m3Wy#{dOm=*TPSJA2WZ?ry47U=AjzL_2mq<R+#J
zy;_ueWFH<`S-O%go!o7)y~T4JW+AVd1CHu<Y@zO{ZZ}WNt>=i&U+g<FVao28T+lr7
zvp)IYC~LjFo{2bNT<J;*^G00`RpS~r(Dqrrpq8Ow!CT)sBvL6v_RujUifl!5h%(1V
zJMqX4Az5uq1dOz#S0)DVPSxtJ_UMZi8luaMKm)W=6#G%EY_NNl+9`S`Rk1XIZ&R15
zxt;H=B-~l831ua~tianJ3%Q%(%k!+YfxJm91D(N?f86F)A-bU{=DEBcMVDWOycx{s
z3pSm)GH#*CM%+U4H=#iT0XbrU8N6!@6{>MkZ+zt?59Pua5m#hByQ4&A>JIen9e^9%
zh29!v2zpW?7NeRmiGLkpNGehKlWt?{2_QMe!ws+c@vW`xP!j&j*5dSlxVO3{IymNF
zaK3N&#2nGlF2)(eC9E;W->2`=sKI)t-?|!s1H^{}dV%Tx6z2M0GPVO^BL26G-8TO#
zUE-908+)0Uk}X#3o0g%C#pz1)#$iLGq1x14L6{00TW~&44!GvnRQgq|E>)__;7Ty3
zXtQM;1Qs0++dMy*uF~jzqz9}4k^HHCC<!D749w(Dt2}m&4;gVsv@cK{v4=J^A}P91
z>qEsB+u>J2(VD)Qy>u^#)Q!RzO5}|@Bb4FIx(LZ;)n%tfJF4nygD-x(uqA~%g*)65
zD=Y-3Vs)V;)C5ZB8fC*txGfHu{m)4{qD7~cNQk|^ax<McjYJ#qJU{066}G#d>ani!
zfnEi=Bjphj0nBwHSf78T@Apq^``}kkOB#MV>Mz{_J}Wj^0^IK^nKgqUSy~HsKBA1A
z(d*0Zg!2OTi3|$;PHTpRxI^VK&vhXC5437`Hxu|J##Oh9LSc}vhPr`H(%(ZrAlvmu
z=`bwT=J5J6+65MYeIjtA@zA|?t5~aTnkhFV90QL|jS8XEx8-(~EbN~M5Gr(5+a0O`
zEXDPQqYNB`*ntG77L)OGrB>p*LZ>vlKJcTa(>9GeCndeZXY#+Nl3kWW&3|jXyxFcH
z|3#050LmlI7De!uZFfhR+uBkIQX`8yu*c1V{?wBU_<ZG<DB%7$vRza=Ez&G&4?D#n
z!`mS1RNKp?QnV$n=r`K6sA`t@j0l)u<}vbQp1pWy`}b80y4V5}Ad!s!T`*)<)dwLd
zQ);k)HlR;v$PRqb#Kc>2Ks_KYyu5sQDokWb5q>VB=TMkAsa^9@q}AwGe*%@8p3;&4
zh|wk&UZ+*cFHv@nkMz;lASA8~Kmi2&k?@K?K;r*TAP*%$OrU=Q36l8_kXWa?V21zq
zcg+HbJ=>y0o{XcInZ;XtV|6Cd^xHdsD0z$U--MTm98kah25=x>v5{?+<TqJP`KX)r
zXlaQ9Aus!gabnaUq$KDnLBz}1H27^}D8e^9Xtt=x(5^bKvn{xFqkcOTFY`Q(iQDLt
zUxa1t13Q}Tuor=f#i<QB_2y$&f?bgvp7Ugw?(2-M8R>Ozs}?e9dH!IJMO0rKKfa12
z@+8TfLf1U)#U-Rs43ZlXTBr6iA|gbm8$ygv{VX+N_|?VWYjTr=THlNfawEUPupZ`=
z`(8X<l5uCA$Xt^=$k>sR5Ymr1$Q=e>$2YoJ$KRSHEXfi6F13D~{Z#oLvz>3&dd4pV
zM#0&afYlJUjkG0K2tGqh$opA^?CZA8D*N2Y1)t{5;ZRAzwpO0bMPUHOj<lhMwTcw_
zoRoF--DP2XBY!%8)dJYQ54(>u=ipDJh~4rnLIh$sBIJ#t7)+WqYD^HnaGi>GZvvfP
zTiKk{@tP5^_*P(j*4E`L?U9fq+rb_gwzgxxJ;f->a87Oo<M7Q^fX5vB#|FrPc3Vs~
z#!bLNn6J%L&qmB_02SPwquvwU@h*x?OC$o@92HvAM9oBGFE@P<i*OQD`N#wk>0IoY
zTG2AC0rb3vmO6UhrEa>PrzhWWqs9Y2lk(p9`RP-gKo&fxAKP4Dkk695O6wo%7G;NB
zb2zDFta$n`_(e<_NmF2wMChHN7#2p>Mb~T~AZcbAA$KT!qEjrp#6Uqb9GgYhHK63b
vw@3ebrVf1{2XIAQO_C|P@Kz~pytEXO9u};1fP+xR!~1DFY?^17gNO5f)-XAV

literal 0
HcmV?d00001

diff --git a/t/all-037-check-sigs.t b/t/all-037-check-sigs.t
new file mode 100755
index 0000000..ed02c23
--- /dev/null
+++ b/t/all-037-check-sigs.t
@@ -0,0 +1,31 @@
+#!/bin/sh
+# Check that signatures are only added when they can be verified
+
+set -e
+
+cd ${WORKDIR}
+cp $1 check-sigs.ini
+
+trap cleanup exit
+cleanup () {
+	rm check-sigs.ini
+}
+echo verify_signatures=true >> check-sigs.ini
+
+${BUILDDIR}/onak -b -c check-sigs.ini add < ${TESTSDIR}/../keys/noodles-ecc.key || true
+if ${BUILDDIR}/onak -c $1 vindex 0x9026108FB942BEA4 2>&1 | \
+	grep -q '0x94FA372B2DA8B985'; then
+	echo "* Did not correctly strip unknown signatures"
+	exit 1
+fi
+
+${BUILDDIR}/onak -b -c check-sigs.ini add < ${TESTSDIR}/../keys/noodles.key || true
+
+${BUILDDIR}/onak -b -c check-sigs.ini add < ${TESTSDIR}/../keys/noodles-ecc.key || true
+if ! ${BUILDDIR}/onak -c $1 vindex 0x9026108FB942BEA4 2>&1 | \
+	grep -q '0x94FA372B2DA8B985'; then
+	echo "* Did not correctly verify new signature"
+	exit 1
+fi
+
+exit 0
-- 
2.39.2