Add tests for "nix verify", "nix sign-paths" etc.

This commit is contained in:
Eelco Dolstra 2017-11-14 18:24:20 +01:00
parent 2c39e4eca0
commit d6dbda7004
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
2 changed files with 64 additions and 1 deletions

View file

@ -17,7 +17,8 @@ nix_tests = \
nar-access.sh \
structured-attrs.sh \
fetchGit.sh \
fetchMercurial.sh
fetchMercurial.sh \
signing.sh
# parallel.sh
install-tests += $(foreach x, $(nix_tests), tests/$(x))

62
tests/signing.sh Normal file
View file

@ -0,0 +1,62 @@
source common.sh
clearStore
clearCache
nix-store --generate-binary-cache-key cache1.example.org $TEST_ROOT/sk1 $TEST_ROOT/pk1
pk1=$(cat $TEST_ROOT/pk1)
nix-store --generate-binary-cache-key cache2.example.org $TEST_ROOT/sk2 $TEST_ROOT/pk2
pk2=$(cat $TEST_ROOT/pk2)
# Build a path.
outPath=$(nix-build dependencies.nix --no-out-link --secret-key-files "$TEST_ROOT/sk1 $TEST_ROOT/sk2")
# Verify that the path got signed.
info=$(nix path-info --json $outPath)
[[ $info =~ '"ultimate":true' ]]
[[ $info =~ 'cache1.example.org' ]]
[[ $info =~ 'cache2.example.org' ]]
# Test "nix verify".
nix verify -r $outPath
expect 2 nix verify -r $outPath --sigs-needed 1
nix verify -r $outPath --sigs-needed 1 --binary-cache-public-keys $pk1
expect 2 nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys $pk1
nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2"
nix verify --all --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2"
# Build something unsigned.
outPath2=$(nix-build simple.nix --no-out-link)
nix verify -r $outPath
# Verify that the path did not get signed but does have the ultimate bit.
info=$(nix path-info --json $outPath2)
[[ $info =~ '"ultimate":true' ]]
(! [[ $info =~ 'signatures' ]])
# Test "nix verify".
nix verify -r $outPath2
expect 2 nix verify -r $outPath2 --sigs-needed 1
expect 2 nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1
# Test "nix sign-paths".
nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1
# Copy to a binary cache.
nix copy --to file://$cacheDir $outPath2
# Verify that signatures got copied.
info=$(nix path-info --store file://$cacheDir --json $outPath2)
(! [[ $info =~ '"ultimate":true' ]])
[[ $info =~ 'cache1.example.org' ]]
(! [[ $info =~ 'cache2.example.org' ]])