Feature #9402
Generalize automated tests for OpenPGP keys expiration
100%
Description
In config/chroot_local-includes/lib/live/config/2000-import-gnupg-key we import /usr/share/doc/tails/website/*.key into the desktop user’s keyring. Since Bug #9112 was resolved, that now means more keys than it used to. We already have automated tests to ensure that some of these keys are up-to-date and won’t expire any time soon. This should be generalized to all keys we import at boot time.
Subtasks
History
#1 Updated by intrigeri 2015-05-14 10:32:01
- blocks #8538 added
#2 Updated by kytv 2015-05-14 14:49:19
intrigeri wrote:
> This should be generalized to all keys we import at boot time.
As mentioned at Bug #9405, the new key is not included, but the old expired key is.
pub 4096R/0xC436090F4BB47C6F 2014-07-11
pub 4096R/0xEC57B56EF0C43132 2013-07-24 [expires: 2018-07-23]
pub 4096R/0x1D2975EDF93E735F 2009-08-14 [expires: 2016-12-27]
pub 4096R/0x457080B5A072CBE3 2014-07-11
pub 4096R/0x1202821CBE2CD9C1 2010-10-07 [expired: 2015-04-30]Edit: I’m mistaken. A persistence volume confused me.
#3 Updated by kytv 2015-05-14 17:48:56
- Status changed from Confirmed to In Progress
- Assignee changed from kytv to anonym
- % Done changed from 0 to 30
- QA Check set to Ready for QA
- Feature Branch set to kytv:test/9402-check-all-tails-openpgp-keys
With an ISO built near the Tails 1.2.3 release:
Scenario: The shipped Tails OpenPGP keys are up-to-date # features/checks.feature:25
Then the OpenPGP keys shipped with Tails will be valid for the next 3 months # features/step_definitions/checks.rb:7
The following key(s) will not be valid in 3 months: 0D24B36AA9A2A651787876451202821CBE2CD9C1.
<false> is not true. (Test::Unit::AssertionFailedError)
./features/step_definitions/checks.rb:18:in `/^the OpenPGP keys shipped with Tails will be valid for the next (\d+) months$/'
features/checks.feature:26:in `Then the OpenPGP keys shipped with Tails will be valid for the next 3 months'
Scenario failed at time 00:00:44
Took screenshot "/home/kytv/git/tails/tmp/checks-2015-05-14T17:45:21+00:00.png"
Scenario: The Tails Debian repository key is up-to-date # features/checks.feature:28
Then the shipped Tails Debian repository key will be valid for the next 3 months # features/step_definitions/checks.rb:21
The shipped key 221F9A3C6FA3E09E182E060BC7988EA7A358D82E will not be valid 3 months from now.
<false> is not true. (Test::Unit::AssertionFailedError)
./features/step_definitions/checks.rb:37:in `/^the shipped Tails( Debian repository)? key( [A-Z0-9]+)? will be valid for the next (\d+) months$/'
features/checks.feature:29:in `Then the shipped Tails Debian repository key will be valid for the next 3 months'
Scenario failed at time 00:00:52
Took screenshot "/home/kytv/git/tails/tmp/checks-2015-05-14T17:45:30+00:00.png"Run against an ISO built from the devel branch:
Scenario: The shipped Tails OpenPGP keys are up-to-date # features/checks.feature:25
Then the OpenPGP keys shipped with Tails will be valid for the next 3 months # features/step_definitions/checks.rb:7
Scenario: The Tails Debian repository key is up-to-date # features/checks.feature:28
Then the shipped Tails Debian repository key will be valid for the next 3 months # features/step_definitions/checks.rb:21#4 Updated by anonym 2015-05-27 10:06:11
- Assignee changed from anonym to kytv
- QA Check changed from Ready for QA to Dev Needed
All looks very nice; I like the error reporting in particular! :)
I have a few minor nitpicks, though:
Then /^the shipped Tails( Debian repository)? key( [A-Z0-9]+)? will be valid for the next (\d+) months$/ do |debian, fingerprint, max_months|
next if @skip_steps_while_restoring_background
if fingerprint
sig_key_fingerprint = fingerprint
cmd = 'gpg'
user = LIVE_USER
end
if debian
sig_key_fingerprint = TAILS_DEBIAN_REPO_KEY
cmd = 'apt-key adv'
user = 'root'
end
[...]
Given the step definition’s regex, it’s valid to run the step the shipped Tails key will be valid for the next 3 months. What is the “Tails key” now that there’s no reference to a fingerprint? Indeed, when doing this, sig_key_fingerprint, cmd and user will all be undefined resulting in a name error. It’s also possible to specify a fingerprint in the “Debian repository” case, although it will be ignored, which is confusing.
What about this instead?
Then /^the shipped (Debian repository key|OpenPGP key ([A-Z0-9]+)) will be valid for the next (\d+) months$/ do |key_type, fingerprint, max_months|
if key_type == "Debian repository key"
sig_key_fingerprint = TAILS_DEBIAN_REPO_KEY
cmd = 'apt-key adv'
user = 'root'
else
sig_key_fingerprint = fingerprint
cmd = 'gpg'
user = LIVE_USER
end
[...]
IMHO this is a bit clearer too.
Also, please change the name of sig_key_fingerprint; the sig_ part doesn’t make sense any more. IMHO fingerprint is good enough, and then that assignment can be skipped in the “OpenPGP key” case. We only assign fingerprint with TAILS_DEBIAN_REPO_KEY in the “Debian repository key” case.
#5 Updated by kytv 2015-05-27 21:59:37
- Assignee changed from kytv to anonym
- QA Check changed from Dev Needed to Ready for QA
The issues have been addressed. (I didn’t know how to nest () in the regex steps; thanks to you I see it’s dead simple)
#6 Updated by kytv 2015-05-28 15:44:47
Applied in changeset commit:0fc81796479b9d6e4e9735e1830f36c326b47923.
#7 Updated by anonym 2015-05-28 15:44:49
- Status changed from In Progress to Fix committed
- % Done changed from 30 to 100
Applied in changeset commit:1fe8b0d2ad04e98892a3d0335b5173a1a865aae8.
#8 Updated by anonym 2015-05-28 15:45:58
- Assignee deleted (
anonym) - QA Check changed from Ready for QA to Pass
kytv wrote:
> The issues have been addressed. (I didn’t know how to nest () in the regex steps; thanks to you I see it’s dead simple)
Awesome! IMHO your solution is more elegant than what I suggested. Merged!
#9 Updated by intrigeri 2015-07-03 03:39:03
- Status changed from Fix committed to Resolved