From a27c8b00ebf173659f22f53ce65679e94e7dfb1b Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 28 Apr 2024 11:19:41 +0200
Subject: Adding upstream version 2022.12.24.

Signed-off-by: Daniel Baumann
---
 t/at-least-2048.t | 22 ++++++++++++++++++++++
 t/dm-vs-dd.t | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 t/keyids-complete.t | 19 +++++++++++++++++++
 t/no-dupes.t | 23 +++++++++++++++++++++++
 t/no-expired.t | 20 ++++++++++++++++++++
 t/no-revoked.t | 22 ++++++++++++++++++++++
 6 files changed, 153 insertions(+)
 create mode 100755 t/at-least-2048.t
 create mode 100755 t/dm-vs-dd.t
 create mode 100755 t/keyids-complete.t
 create mode 100755 t/no-dupes.t
 create mode 100755 t/no-expired.t
 create mode 100755 t/no-revoked.t
(limited to 't')
diff --git a/t/at-least-2048.t b/t/at-least-2048.t
new file mode 100755
index 0000000..07be53b
--- /dev/null
+++ b/t/at-least-2048.t
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Looks for revoked keys in our active keyrings
+set -e
+
+find_too_short () {
+ k=$1
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "./output/keyrings/$k" --list-keys --with-colons \
+ | awk -F: -v keyring=$1 \
+ 'BEGIN { ok = 1 } \
+ /^pub/ { fpr = $5 ; if ($3 < 2048 && $4 < 18) { print keyring ":\t0x" $5 " is smaller than 2048 bits"; ok = 0 } } \
+ /^sub/ { if ($2 != "r" && $2 != "e" && $3 < 2048 && $4 < 18) { print keyring ":\t0x" fpr " has subkey smaller than 2048 bits"; ok = 0 } } \
+ END { if (!ok) { exit 1 } }'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg debian-role-keys.gpg; do
+ find_too_short $keyring
+done
+
+exit $fail
diff --git a/t/dm-vs-dd.t b/t/dm-vs-dd.t
new file mode 100755
index 0000000..6b1a99c
--- /dev/null
+++ b/t/dm-vs-dd.t
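Review bot: In t/at-least-2048.t, `fail` is initialised to 0 and returned by `exit $fail`, but nothing in the file ever sets it; the only failure signal is awk's `exit 1`, which under `set -e` terminates the script at the first keyring containing a short key, so the remaining keyrings in the loop are never examined. Calling `find_too_short "$keyring" || fail=1` in the loop reports every keyring and still exits non-zero. The header comment is copied from no-revoked.t; `# Looks for keys (and subkeys) shorter than 2048 bits in our active keyrings` describes what the awk program actually does, and a short comment that field 4 is the public-key algorithm id, so `$4 < 18` presumably limits the size check to non-ECC algorithms, would save the next reader a trip to the gpg colon-format docs. t/no-revoked.t has the same unused `fail` / `set -e` pattern.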
@@ -0,0 +1,47 @@
+#!/bin/sh
+# Compares the DM keyring with the DD keyring. If the same name or email is
+# in both keyrings, that's an error.
+set -e
+
+list_uids () {
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "$1" --list-keys | grep -a '^uid' | sed 's/^uid *//' |
+ egrep -a -v '\[jpeg image of size .*\]'
+}
+
+list_names () {
+ sed 's/ <.*>//'
+}
+
+list_emails () {
+ sed 's/.* <\(.*\)>/\1/'
+}
+
+fail=0
+
+dd_uids=$(list_uids ./output/keyrings/debian-keyring.gpg)
+(
+ echo "$dd_uids" | list_emails
+ echo "$dd_uids" | list_names
+ echo "$dd_uids"
+) | sort | uniq > dd-list.tmp
+
+IFS="
+"
+for uid in $(list_uids ./output/keyrings/debian-maintainers.gpg | sort | uniq); do
+ name=$(echo "$uid" | list_names)
+ email=$(echo "$uid" | list_emails)
+ if grep -a -q "^$uid$" dd-list.tmp; then
+ echo "$uid is in both the DD and DM keyrings"
+ fail=1
+ elif grep -a "^$name$" dd-list.tmp; then
+ echo "warning: name $name is in both the DD and DM keyrings"
+ elif grep -a "^$email$" dd-list.tmp; then
+ echo "email $email is in both the DD and DM keyrings"
+ fail=1
+ fi
+done
+
+rm -f dd-list.tmp
+
+exit $fail
diff --git a/t/keyids-complete.t b/t/keyids-complete.t
new file mode 100755
index 0000000..2d562b1
--- /dev/null
+++ b/t/keyids-complete.t
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Makes sure every key in debian-keyring-gpg has an entry in the
+# keyids mapping file.
+set -e
+
+fail=0
+
+for keyring in debian-keyring-gpg debian-nonupload-gpg; do
+ cd $keyring
+ for key in 0x*; do
+ if ! grep -a -q "^$key " ../keyids; then
+ echo "$keyring: $key is not in keyids file."
+ fail=1
+ fi
+ done
+ cd ..
+done
+
+exit $fail
diff --git a/t/no-dupes.t b/t/no-dupes.t
new file mode 100755
index 0000000..5f2b6a6
--- /dev/null
+++ b/t/no-dupes.t
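Review bot: In t/dm-vs-dd.t the three `grep` calls inside the loop use `$uid`, `$name` and `$email` — text taken straight from key user IDs — as basic regular expressions, so a `.`, `[`, `*` or `\(` in a uid changes what is matched and can produce false positives or grep errors instead of an exact comparison. Fixed-string whole-line matching (`grep -a -q -F -x -- "$uid" dd-list.tmp`, and likewise for name and email) compares the literal text; the name branch currently also lacks `-q`, so the matching line is printed before the warning. `dd-list.tmp` is left behind in the working directory whenever `set -e` aborts before the `rm -f` near the end; a `trap 'rm -f dd-list.tmp' EXIT` right after the file is created covers every exit path.
```shell
) | sort | uniq > dd-list.tmp
trap 'rm -f dd-list.tmp' EXIT
# … unchanged: IFS, loop header, name/email extraction …
  if grep -a -q -F -x -- "$uid" dd-list.tmp; then
# … unchanged: message, fail=1 …
  elif grep -a -q -F -x -- "$name" dd-list.tmp; then
# … unchanged: warning …
  elif grep -a -q -F -x -- "$email" dd-list.tmp; then
```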
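Review bot: In t/keyids-complete.t, `for key in 0x*` leaves the literal pattern `0x*` in `$key` when the directory contains no matching file (POSIX sh has no nullglob), and that string is then used as the regex `^0x* ` and reported as "0x* is not in keyids file." — a missing or empty keyring directory gets a misleading message rather than a clear one. `[ -e "$key" ] || continue` as the first statement of the inner loop avoids the spurious match, or the script can report the empty directory explicitly. `cd $keyring` and `cd ..` rely on `set -e` to abort on failure; quoting `"$keyring"` costs nothing and keeps the script consistent with the `"$1"` quoting used elsewhere in the series.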
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Looks for keys that are duplicated in a keyring
+set -e
+
+find_dupes () {
+ k=$1
+ for key in $(gpg --no-options --no-auto-check-trustdb \
+ --no-default-keyring --keyring "./output/keyrings/$k" \
+ --list-keys --with-colons | grep '^pub' \
+ | cut -d: -f 5 | sort | uniq -c | sort -n \
+ | grep -v ' 1 ' | sed -e 's/^ .* //'); do
+ echo -e "$k:\t0x$key is duplicated"
+ fail=1
+ done
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg; do
+ find_dupes $keyring
+done
+
+exit $fail
diff --git a/t/no-expired.t b/t/no-expired.t
new file mode 100755
index 0000000..7ac6eb8
--- /dev/null
+++ b/t/no-expired.t
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Looks for expired keys in our active keyrings
+set -e
+
+find_expired () {
+ k=$1
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "./output/keyrings/$k" --list-keys --with-colons \
+ | grep -a '^pub' \
+ | awk -F: -v keyring=$1 \
+ '$2 == "e" {print keyring ":\t0x" $5 " expired on " strftime("%F %T", $7) " (" $10 ")"}'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg; do
+ find_expired $keyring
+done
+
+exit $fail
diff --git a/t/no-revoked.t b/t/no-revoked.t
new file mode 100755
index 0000000..efd90b0
--- /dev/null
+++ b/t/no-revoked.t
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Looks for revoked keys in our active keyrings
+set -e
+
+find_revoked () {
+ k=$1
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "./output/keyrings/$k" --list-keys --with-colons \
+ | grep -a '^pub' \
+ | awk -F: -v keyring=$1 \
+ 'BEGIN { ok = 1 } \
+ $2 == "r" {print keyring ":\t0x" $5 " is revoked"; ok = 0} \
+ END { if (!ok) { exit 1 } }'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg; do
+ find_revoked $keyring
+done
+
+exit $fail
-- 
cgit v1.2.3
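Review bot: In t/no-dupes.t, the `echo -e` that reports a duplicate is not portable under `#!/bin/sh`: dash's builtin echo has no `-e` option and prints it literally, so on a system where /bin/sh is dash the line comes out as `-e debian-keyring.gpg:<TAB>0x... is duplicated`. `printf '%s:\t0x%s is duplicated\n' "$k" "$key"` produces the intended line in any POSIX shell. The `grep '^pub'` in the pipeline also lacks the `-a` that the sibling scripts pass; should gpg ever emit a byte grep treats as binary, the listing collapses to a "Binary file matches" line and no key ids reach `cut`, silently turning the check into a no-op.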
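Review bot: In t/no-expired.t, `find_expired` only prints expired keys: the awk program never exits non-zero and nothing sets `fail`, so `exit $fail` is always 0 and this test passes even when it finds expired keys — unlike no-revoked.t, whose awk program tracks `ok` and exits 1. Mirroring that pattern (`BEGIN { ok = 1 }`, `ok = 0` in the `$2 == "e"` action, `END { if (!ok) { exit 1 } }`) and calling `find_expired "$keyring" || fail=1` makes the test fail while still checking every keyring under `set -e`. `strftime` is a gawk extension that recent mawk also provides; a one-line comment naming that dependency would help if the build environment is not pinned to a particular awk.
```shell
  | awk -F: -v keyring="$1" \
  'BEGIN { ok = 1 } \
  $2 == "e" { print keyring ":\t0x" $5 " expired on " strftime("%F %T", $7) " (" $10 ")"; ok = 0 } \
  END { if (!ok) { exit 1 } }'
}
# … unchanged: fail=0 and keyring list …
  find_expired "$keyring" || fail=1
```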