Adding upstream version 2023.12.24.upstream/2023.12.24

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

6 files changed, 153 insertions, 0 deletions

diff --git a/t/at-least-2048.t b/t/at-least-2048.t
new file mode 100755
index 0000000..07be53b
--- /dev/null
+++ b/t/at-least-2048.t
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Looks for revoked keys in our active keyrings
+set -e
+
+find_too_short () {
+	k=$1
+	gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+		--keyring "./output/keyrings/$k" --list-keys --with-colons \
+		| awk -F: -v keyring=$1 \
+		'BEGIN { ok = 1 } \
+		/^pub/ { fpr = $5 ; if ($3 < 2048 && $4 < 18) { print keyring ":\t0x" $5 " is smaller than 2048 bits"; ok = 0 } } \
+		/^sub/ { if ($2 != "r" && $2 != "e" && $3 < 2048 && $4 < 18) { print keyring ":\t0x" fpr " has subkey smaller than 2048 bits"; ok = 0 } } \
+		END { if (!ok) { exit 1 } }'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+		debian-nonupload.gpg debian-role-keys.gpg; do
+	find_too_short $keyring
+done
+
+exit $fail
diff --git a/t/dm-vs-dd.t b/t/dm-vs-dd.t
new file mode 100755
index 0000000..6b1a99c
--- /dev/null
+++ b/t/dm-vs-dd.t
@@ -0,0 +1,47 @@
+#!/bin/sh
+# Compares the DM keyring with the DD keyring. If the same name or email is
+# in both keyrings, that's an error.
+set -e
+
+list_uids () {
+	gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+		--keyring "$1" --list-keys | grep -a '^uid' | sed 's/^uid *//' |
+		egrep -a -v '\[jpeg image of size .*\]'
+}
+
+list_names () {
+	sed 's/ <.*>//'
+}
+
+list_emails () {
+	sed 's/.* <\(.*\)>/\1/'
+}
+
+fail=0
+
+dd_uids=$(list_uids ./output/keyrings/debian-keyring.gpg)
+(
+	echo "$dd_uids" | list_emails
+	echo "$dd_uids" | list_names
+	echo "$dd_uids"
+) | sort | uniq > dd-list.tmp
+
+IFS="
+"
+for uid in $(list_uids ./output/keyrings/debian-maintainers.gpg | sort | uniq); do
+	name=$(echo "$uid" | list_names)
+	email=$(echo "$uid" | list_emails)
+	if grep -a -q "^$uid$" dd-list.tmp; then
+		echo "$uid is in both the DD and DM keyrings"
+		fail=1
+	elif grep -a "^$name$" dd-list.tmp; then
+		echo "warning: name $name is in both the DD and DM keyrings"
+	elif grep -a "^$email$" dd-list.tmp; then
+		echo "email $email is in both the DD and DM keyrings"
+		fail=1
+	fi
+done
+
+rm -f dd-list.tmp
+
+exit $fail
diff --git a/t/keyids-complete.t b/t/keyids-complete.t
new file mode 100755
index 0000000..2d562b1
--- /dev/null
+++ b/t/keyids-complete.t
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Makes sure every key in debian-keyring-gpg has an entry in the
+# keyids mapping file.
+set -e
+
+fail=0
+
+for keyring in debian-keyring-gpg debian-nonupload-gpg; do
+    cd $keyring
+    for key in 0x*; do
+        if ! grep -a -q "^$key " ../keyids; then
+	    echo "$keyring: $key is not in keyids file."
+	    fail=1
+        fi
+    done
+    cd ..
+done
+
+exit $fail
diff --git a/t/no-dupes.t b/t/no-dupes.t
new file mode 100755
index 0000000..5f2b6a6
--- /dev/null
+++ b/t/no-dupes.t
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Looks for keys that are duplicated in a keyring
+set -e
+
+find_dupes () {
+	k=$1
+	for key in $(gpg --no-options --no-auto-check-trustdb \
+			--no-default-keyring --keyring "./output/keyrings/$k" \
+			--list-keys --with-colons | grep '^pub' \
+			| cut -d: -f 5 | sort | uniq -c | sort -n \
+			| grep -v '      1 ' | sed -e 's/^ .* //'); do
+		echo -e "$k:\t0x$key is duplicated"
+		fail=1
+	done
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+		debian-nonupload.gpg; do
+	find_dupes $keyring
+done
+
+exit $fail
diff --git a/t/no-expired.t b/t/no-expired.t
new file mode 100755
index 0000000..7ac6eb8
--- /dev/null
+++ b/t/no-expired.t
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Looks for expired keys in our active keyrings
+set -e
+
+find_expired () {
+	k=$1
+	gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+		--keyring "./output/keyrings/$k" --list-keys --with-colons \
+		| grep -a '^pub' \
+		| awk -F: -v keyring=$1 \
+		'$2 == "e" {print keyring ":\t0x" $5 " expired on " strftime("%F %T", $7) " (" $10 ")"}'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+		debian-nonupload.gpg; do
+	find_expired $keyring
+done
+
+exit $fail
diff --git a/t/no-revoked.t b/t/no-revoked.t
new file mode 100755
index 0000000..efd90b0
--- /dev/null
+++ b/t/no-revoked.t
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Looks for revoked keys in our active keyrings
+set -e
+
+find_revoked () {
+	k=$1
+	gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+		--keyring "./output/keyrings/$k" --list-keys --with-colons \
+		| grep -a '^pub' \
+		| awk -F: -v keyring=$1 \
+		'BEGIN { ok = 1 } \
+		$2 == "r" {print keyring ":\t0x" $5 " is revoked"; ok = 0} \
+		END { if (!ok) { exit 1 } }'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+		debian-nonupload.gpg; do
+	find_revoked $keyring
+done
+
+exit $fail