From 558a584df130da635b88498f99e1a0de5ef63f5f Mon Sep 17 00:00:00 2001 From: William Beuil Date: Wed, 23 Jun 2021 15:02:44 +0200 Subject: [PATCH] Fix PGP signature check --- libexec/dctlenv-install | 11 +++-- libexec/dctlenv-version | 2 +- test/dctlenv-install.bats | 85 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+), 5 deletions(-) diff --git a/libexec/dctlenv-install b/libexec/dctlenv-install index 49d909f..6c3a456 100755 --- a/libexec/dctlenv-install +++ b/libexec/dctlenv-install @@ -65,14 +65,16 @@ $(curlw -s -f -L -o "$dst_path/driftctl_SHA256SUMS" "$driftctl_url/v$version/dri if [[ -f "$dst_path/driftctl_SHA256SUMS" ]]; then sha256sum_bin="$(command -v sha256sum 2>/dev/null)" - if [[ -n "$sha256sum_bin" && -x "$sha256sum_bin" ]]; then + if [[ -n "$sha256sum_bin" ]]; then (cd "$dst_path"; grep "driftctl_$os" "driftctl_SHA256SUMS" | "$sha256sum_bin" -c) &>/dev/null \ && echo "SHA256 hash matched!" \ || log_error 'SHA256 hash does not match!' else echo 'No sha256sum tool available. Skipping SHA256 hash validation' fi - $(rm "$dst_path/driftctl_SHA256SUMS") + if [ "${DCTLENV_PGP:-0}" -eq 0 ]; then + $(rm "$dst_path/driftctl_SHA256SUMS") + fi else echo 'No SHA256 hashes file available. Skipping SHA256 hash validation' fi @@ -83,8 +85,8 @@ if [ "${DCTLENV_PGP:-0}" -gt 0 ]; then if [[ -f "$dst_path/driftctl_SHA256SUMS.gpg" ]]; then gpg_bin="$(command -v gpg 2>/dev/null)" - if [[ -n "$gpg_bin" && -x "$gpg_bin" ]]; then - "$gpg_bin" --verify "$dst_path/driftctl_SHA256SUMS.gpg" \ + if [[ -n "$gpg_bin" ]]; then + ("$gpg_bin" --verify "$dst_path/driftctl_SHA256SUMS.gpg" "$dst_path/driftctl_SHA256SUMS") &>/dev/null \ && echo "PGP signature matched!" \ || log_error 'PGP signature rejected!' else @@ -94,6 +96,7 @@ if [ "${DCTLENV_PGP:-0}" -gt 0 ]; then else echo 'No SHA256 hashes signature file available. Skipping signature validation' fi + $(rm "$dst_path/driftctl_SHA256SUMS") fi $(mv "$dst_path/driftctl_$os" "$dst_path/driftctl") 
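Review bot: The new `if [ "${DCTLENV_PGP:-0}" -eq 0 ]` gate in the first hunk keeps the `$(rm "$dst_path/driftctl_SHA256SUMS")` form, which runs rm inside a command substitution so its exit status is never checked and whatever it prints would be executed as a command; the plain `rm -- "$dst_path/driftctl_SHA256SUMS"` is what is meant, and the same applies to the line added in the third hunk. The `-eq 0` test here and the `-gt 0` block later are complementary only for non-negative integers: a value such as `DCTLENV_PGP=yes` makes `[` print "integer expression expected" and return 2, so the hashes file is kept without any verification message, and a negative value is removed by neither branch. A single unconditional `rm -- "$dst_path/driftctl_SHA256SUMS"` placed after the PGP block would drop both this gate and the duplicated removal in the third hunk while keeping the behaviour the new bats assertions check, since `log_error` appears to exit before either removal runs.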
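Review bot: The rewritten `--verify` line in the second hunk sends both stdout and stderr to /dev/null, so on failure the user only sees "PGP signature rejected!" whether the signature is bad, the hashes file is truncated, or the signing key is simply not in their keyring; keeping stderr, as in `"$gpg_bin" --batch --verify "$dst_path/driftctl_SHA256SUMS.gpg" "$dst_path/driftctl_SHA256SUMS" >/dev/null \`, preserves gpg's reason without changing the exit-status logic, and the surrounding subshell parentheses are unnecessary since nothing changes directory here. A successful `--verify` only proves that some key in the local keyring produced the signature; whether that keyring is restricted to the driftctl release key is decided outside this hunk, and if it is not, a dedicated keyring (`--no-default-keyring --keyring <release-keyring>`, a placeholder path) or a check of the signing fingerprint is what makes the result meaningful. The enclosing `if [ "${DCTLENV_PGP:-0}" -gt 0 ]` block starts before the hunk and its `else` branch continues past it.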
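Review bot: With `DCTLENV_PGP` set, a missing `driftctl_SHA256SUMS.gpg` still ends in the context line `echo 'No SHA256 hashes signature file available. Skipping signature validation'` and a successful install (the new bats test for the missing-signature case in this commit asserts `assert_success`), so the opt-in signature check fails open: whoever controls the download path disables it by omitting one file, and a transient fetch error does the same silently. Because the hashes file is fetched from the same location as the binary, the SHA256 check alone cannot detect a substituted release, which is what the signature is for. Replacing that line with `log_error 'No SHA256 hashes signature file available'`, and doing the same in the missing-gpg branch that lies between the second and third hunks, would make an explicitly requested check fail closed; if best-effort is intended, the message should at least state that the install is unverified. The enclosing `if [ "${DCTLENV_PGP:-0}" -gt 0 ]` block starts before the hunk.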
diff --git a/libexec/dctlenv-version b/libexec/dctlenv-version index f818c81..a9ddea1 100755 --- a/libexec/dctlenv-version +++ b/libexec/dctlenv-version @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -uo pipefail -version="0.1.4" +version="0.1.5" git_revision="" if cd "${BASH_SOURCE%/*}" 2>/dev/null && git remote -v 2>/dev/null | grep -q dctlenv; then diff --git a/test/dctlenv-install.bats b/test/dctlenv-install.bats index 69e3285..a3be5db 100644 --- a/test/dctlenv-install.bats +++ b/test/dctlenv-install.bats @@ -6,6 +6,7 @@ setup() { export DCTLENV_TMPDIR="$BATS_TMPDIR/dctlenv" export DCTLENV_TMPDIR="$(mktemp -d "$DCTLENV_TMPDIR.XXX" 2>/dev/null || echo "$DCTLENV_TMPDIR")" export DCTLENV_ROOT="$DCTLENV_TMPDIR" + export DCTLENV_PGP=0 dctlenv-list-remote() { echo "0.1.0 @@ -84,6 +85,7 @@ Downloading SHA256 hashes file from https://github.com/cloudskiff/driftctl/relea No SHA256 hashes file available. Skipping SHA256 hash validation Fail to make the binary executable OUT + refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ] } @test "dctlenv install []: prints a success message at the end of the install" { @@ -105,6 +107,7 @@ Downloading SHA256 hashes file from https://github.com/cloudskiff/driftctl/relea No SHA256 hashes file available. Skipping SHA256 hash validation Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1' OUT + refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ] } @test "dctlenv install []: prints an error message if it failed to check SHA256" { @@ -125,6 +128,7 @@ Downloading release tarball from https://github.com/cloudskiff/driftctl/releases Downloading SHA256 hashes file from https://github.com/cloudskiff/driftctl/releases/download/v0.3.1/driftctl_SHA256SUMS SHA256 hash does not match! OUT + assert [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ] } @test "dctlenv install []: prints a success message if it can install and check for SHA256" { 
@@ -146,6 +150,7 @@ Downloading SHA256 hashes file from https://github.com/cloudskiff/driftctl/relea SHA256 hash matched! Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1' OUT + refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ] } @test "dctlenv install []: prints a success message if it can install v0.3.1" { @@ -167,6 +172,7 @@ Downloading SHA256 hashes file from https://github.com/cloudskiff/driftctl/relea SHA256 hash matched! Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1' OUT + refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ] } @test "dctlenv install []: prints a success message if it can install the latest version" { 
@@ -188,6 +194,85 @@ Downloading SHA256 hashes file from https://github.com/cloudskiff/driftctl/relea SHA256 hash matched! Installation of driftctl v0.3.1 successful. To make this your default version, run 'dctlenv use 0.3.1' OUT + refute [ -e "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" ] +} + +@test "dctlenv install []: prints a missing hashes signature file" { + uname() { echo "Linux"; }; export -f uname; + curlw() { + mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1" + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64" + (cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS") + exit 0 + }; export -f curlw; + + DCTLENV_PGP=1 run dctlenv install 0.3.1 + + assert_success + assert_output <]: prints an error message if the PGP signature check fails" { + uname() { echo "Linux"; }; export -f uname; + curlw() { + mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1" + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64" + (cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS") + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS.gpg" + exit 0 + }; export -f curlw; + gpg() { exit 1; }; export -f gpg; + + DCTLENV_PGP=1 run dctlenv install 0.3.1 + + assert_failure + assert_output <]: prints a success message if the PGP signature check matches" { + uname() { echo "Linux"; }; export -f uname; + curlw() { + mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1" + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64" + (cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS") + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS.gpg" + exit 0 + }; export -f curlw; + gpg() { exit 0; }; export -f gpg; + + DCTLENV_PGP=1 run dctlenv install 0.3.1 + + assert_success + assert_output <