summaryrefslogtreecommitdiffstats
path: root/t
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xt/at-least-2048.t22
-rwxr-xr-xt/dm-vs-dd.t47
-rwxr-xr-xt/keyids-complete.t19
-rwxr-xr-xt/no-dupes.t23
-rwxr-xr-xt/no-expired.t20
-rwxr-xr-xt/no-revoked.t22
6 files changed, 153 insertions, 0 deletions
diff --git a/t/at-least-2048.t b/t/at-least-2048.t
new file mode 100755
index 0000000..07be53b
--- /dev/null
+++ b/t/at-least-2048.t
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Looks for revoked keys in our active keyrings
+set -e
+
+find_too_short () {
+ k=$1
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "./output/keyrings/$k" --list-keys --with-colons \
+ | awk -F: -v keyring=$1 \
+ 'BEGIN { ok = 1 } \
+ /^pub/ { fpr = $5 ; if ($3 < 2048 && $4 < 18) { print keyring ":\t0x" $5 " is smaller than 2048 bits"; ok = 0 } } \
+ /^sub/ { if ($2 != "r" && $2 != "e" && $3 < 2048 && $4 < 18) { print keyring ":\t0x" fpr " has subkey smaller than 2048 bits"; ok = 0 } } \
+ END { if (!ok) { exit 1 } }'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg debian-role-keys.gpg; do
+ find_too_short $keyring
+done
+
+exit $fail
diff --git a/t/dm-vs-dd.t b/t/dm-vs-dd.t
new file mode 100755
index 0000000..6b1a99c
--- /dev/null
+++ b/t/dm-vs-dd.t
@@ -0,0 +1,47 @@
+#!/bin/sh
+# Compares the DM keyring with the DD keyring. If the same name or email is
+# in both keyrings, that's an error.
+set -e
+
+list_uids () {
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "$1" --list-keys | grep -a '^uid' | sed 's/^uid *//' |
+ egrep -a -v '\[jpeg image of size .*\]'
+}
+
+list_names () {
+ sed 's/ <.*>//'
+}
+
+list_emails () {
+ sed 's/.* <\(.*\)>/\1/'
+}
+
+fail=0
+
+dd_uids=$(list_uids ./output/keyrings/debian-keyring.gpg)
+(
+ echo "$dd_uids" | list_emails
+ echo "$dd_uids" | list_names
+ echo "$dd_uids"
+) | sort | uniq > dd-list.tmp
+
+IFS="
+"
+for uid in $(list_uids ./output/keyrings/debian-maintainers.gpg | sort | uniq); do
+ name=$(echo "$uid" | list_names)
+ email=$(echo "$uid" | list_emails)
+ if grep -a -q "^$uid$" dd-list.tmp; then
+ echo "$uid is in both the DD and DM keyrings"
+ fail=1
+ elif grep -a "^$name$" dd-list.tmp; then
+ echo "warning: name $name is in both the DD and DM keyrings"
+ elif grep -a "^$email$" dd-list.tmp; then
+ echo "email $email is in both the DD and DM keyrings"
+ fail=1
+ fi
+done
+
+rm -f dd-list.tmp
+
+exit $fail
diff --git a/t/keyids-complete.t b/t/keyids-complete.t
new file mode 100755
index 0000000..2d562b1
--- /dev/null
+++ b/t/keyids-complete.t
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Makes sure every key in debian-keyring-gpg has an entry in the
+# keyids mapping file.
+set -e
+
+fail=0
+
+for keyring in debian-keyring-gpg debian-nonupload-gpg; do
+ cd $keyring
+ for key in 0x*; do
+ if ! grep -a -q "^$key " ../keyids; then
+ echo "$keyring: $key is not in keyids file."
+ fail=1
+ fi
+ done
+ cd ..
+done
+
+exit $fail
diff --git a/t/no-dupes.t b/t/no-dupes.t
new file mode 100755
index 0000000..5f2b6a6
--- /dev/null
+++ b/t/no-dupes.t
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Looks for keys that are duplicated in a keyring
+set -e
+
+find_dupes () {
+ k=$1
+ for key in $(gpg --no-options --no-auto-check-trustdb \
+ --no-default-keyring --keyring "./output/keyrings/$k" \
+ --list-keys --with-colons | grep '^pub' \
+ | cut -d: -f 5 | sort | uniq -c | sort -n \
+ | grep -v ' 1 ' | sed -e 's/^ .* //'); do
+ echo -e "$k:\t0x$key is duplicated"
+ fail=1
+ done
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg; do
+ find_dupes $keyring
+done
+
+exit $fail
diff --git a/t/no-expired.t b/t/no-expired.t
new file mode 100755
index 0000000..7ac6eb8
--- /dev/null
+++ b/t/no-expired.t
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Looks for expired keys in our active keyrings
+set -e
+
+find_expired () {
+ k=$1
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "./output/keyrings/$k" --list-keys --with-colons \
+ | grep -a '^pub' \
+ | awk -F: -v keyring=$1 \
+ '$2 == "e" {print keyring ":\t0x" $5 " expired on " strftime("%F %T", $7) " (" $10 ")"}'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg; do
+ find_expired $keyring
+done
+
+exit $fail
diff --git a/t/no-revoked.t b/t/no-revoked.t
new file mode 100755
index 0000000..efd90b0
--- /dev/null
+++ b/t/no-revoked.t
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Looks for revoked keys in our active keyrings
+set -e
+
+find_revoked () {
+ k=$1
+ gpg --no-options --no-auto-check-trustdb --no-default-keyring \
+ --keyring "./output/keyrings/$k" --list-keys --with-colons \
+ | grep -a '^pub' \
+ | awk -F: -v keyring=$1 \
+ 'BEGIN { ok = 1 } \
+ $2 == "r" {print keyring ":\t0x" $5 " is revoked"; ok = 0} \
+ END { if (!ok) { exit 1 } }'
+}
+
+fail=0
+for keyring in debian-keyring.gpg debian-maintainers.gpg \
+ debian-nonupload.gpg; do
+ find_revoked $keyring
+done
+
+exit $fail