summaryrefslogtreecommitdiffstats
path: root/test/units/testsuite-04.fss.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
commit55944e5e40b1be2afc4855d8d2baf4b73d1876b5 (patch)
tree33f869f55a1b149e9b7c2b7e201867ca5dd52992 /test/units/testsuite-04.fss.sh
parentInitial commit. (diff)
downloadsystemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.tar.xz
systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.zip
Adding upstream version 255.4.upstream/255.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/units/testsuite-04.fss.sh')
-rwxr-xr-xtest/units/testsuite-04.fss.sh46
1 files changed, 46 insertions, 0 deletions
diff --git a/test/units/testsuite-04.fss.sh b/test/units/testsuite-04.fss.sh
new file mode 100755
index 0000000..03351b8
--- /dev/null
+++ b/test/units/testsuite-04.fss.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# Forward Secure Sealing
+
+if ! journalctl --version | grep -qF +GCRYPT; then
+ echo "Built without gcrypt, skipping the FSS tests"
+ exit 0
+fi
+
+journalctl --force --setup-keys --interval=2 |& tee /tmp/fss
+FSS_VKEY="$(sed -rn '/([a-f0-9]{6}\-){3}[a-f0-9]{6}\/[a-f0-9]+\-[a-f0-9]+/p' /tmp/fss)"
+[[ -n "$FSS_VKEY" ]]
+
+# Generate some buzz in the journal and wait until the FSS key is changed
+# at least once
+systemd-cat cat /etc/os-release
+sleep 4
+# Seal the journal
+journalctl --rotate
+# Verification should fail without a valid FSS key
+(! journalctl --verify)
+(! journalctl --verify --verify-key="")
+(! journalctl --verify --verify-key="000000-000000-000000-000000/00000000-00000")
+# FIXME: ignore --verify result until #27532 is resolved
+journalctl --verify --verify-key="$FSS_VKEY" || :
+
+# Sealing + systemd-journal-remote
+/usr/lib/systemd/systemd-journal-remote --getter="journalctl -n 5 -o export" \
+ --split-mode=none \
+ --seal=yes \
+ --output=/tmp/sealed.journal
+(! journalctl --file=/tmp/sealed.journal --verify)
+(! journalctl --file=/tmp/sealed.journal --verify --verify-key="")
+(! journalctl --file=/tmp/sealed.journal --verify --verify-key="000000-000000-000000-000000/00000000-00000")
+# FIXME: ignore --verify result until #27532 is resolved
+journalctl --file=/tmp/sealed.journal --verify --verify-key="$FSS_VKEY" || :
+rm -f /tmp/sealed.journal
+
+# Return back to a journal without FSS
+rm -fv "/var/log/journal/$(</etc/machine-id)/fss"
+journalctl --rotate --vacuum-size=1
+# FIXME: ignore --verify result until #27532 is resolved
+journalctl --verify || :