author | Michał Górny <mgorny@gentoo.org> | 2020-09-05 16:13:28 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2020-09-05 16:15:59 +0200 |
commit | d418c9e19970f62143b27b433c44215a249f1a9c (patch) | |
tree | 09485fc3eb8841b0edeb9e804a350650655ace96 /tests/test_openpgp.py | |
parent | 0a95b33a5918d16450b51c2f046313cfd8771a81 (diff) | |
openpgp: Verify key validity for signatures
Require keys to have at least minimal validity for signature
verification to be successful. Appropriately mark imported keys
ultimately trusted/valid by default.
Closes: https://github.com/mgorny/gemato/issues/17
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'tests/test_openpgp.py')
-rw-r--r-- | tests/test_openpgp.py | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/tests/test_openpgp.py b/tests/test_openpgp.py
index edeb0b9..dbb71e5 100644
--- a/tests/test_openpgp.py
+++ b/tests/test_openpgp.py
@@ -22,10 +22,10 @@ from gemato.exceptions import (
 OpenPGPKeyImportError,
 OpenPGPKeyRefreshError,
 OpenPGPRuntimeError,
+ OpenPGPUntrustedSigFailure,
 )
 from gemato.manifest import ManifestFile
 from gemato.openpgp import (
- GNUPG,
 OpenPGPEnvironment,
 OpenPGPSystemEnvironment,
 )
@@ -338,11 +338,8 @@ class OpenPGPMockedSystemEnvironment(OpenPGPSystemEnvironment):
 self._tmpdir = None
 os.environ.pop('GNUPGHOME', None)
- def import_key(self, keyfile):
- exitst, out, err = self._spawn_gpg(
- [GNUPG, '--batch', '--import'], keyfile.read())
- if exitst != 0:
- raise OpenPGPKeyImportError(err.decode('utf8'))
+ def import_key(self, keyfile, trust=True):
+ OpenPGPEnvironment.import_key(self, keyfile, trust=trust)
 @pytest.fixture(params=[OpenPGPEnvironment,
@@ -420,6 +417,19 @@ def test_verify_manifest(openpgp_env, manifest_var, key_var, expected):
 pytest.skip(str(e))
+def test_verify_untrusted_key():
+ try:
+ openpgp_env = OpenPGPMockedSystemEnvironment()
+ with io.BytesIO(VALID_PUBLIC_KEY) as f:
+ openpgp_env.import_key(f, trust=False)
+
+ with io.StringIO(SIGNED_MANIFEST) as f:
+ with pytest.raises(OpenPGPUntrustedSigFailure):
+ openpgp_env.verify_file(f)
+ except OpenPGPNoImplementation as e:
+ pytest.skip(str(e))
+
+
 @pytest.mark.parametrize('manifest_var,key_var,expected', MANIFEST_VARIANTS)
 def test_manifest_load(openpgp_env, manifest_var, key_var, expected): |
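Review bot: The new `import_key` override in the second hunk calls `OpenPGPEnvironment.import_key(self, ...)` by explicit class name rather than through `super()`, which skips `OpenPGPSystemEnvironment` in the MRO, and nothing in the method says this is intentional. A one-line comment would make the intent reviewable, for example `# Deliberately bypass OpenPGPSystemEnvironment: this mock owns a private GNUPGHOME, so importing and trusting keys here is safe.` (the rationale is inferred from the `GNUPGHOME` handling in the context lines, so adjust it if that is not the reason). The call's result is also discarded; if the base method returns anything, `return OpenPGPEnvironment.import_key(self, keyfile, trust=trust)` keeps the mock transparent. The class body starts above this hunk.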
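Review bot: `test_verify_untrusted_key` in the third hunk constructs `OpenPGPMockedSystemEnvironment()` itself and never tears it down, so the temporary keyring and the `GNUPGHOME` variable that the mock's cleanup resets (the `self._tmpdir = None` / `os.environ.pop('GNUPGHOME', None)` context lines of the previous hunk) stay behind for later tests, on both the passing and the failing path. Initialising `openpgp_env = None` before the `try` and adding `finally:` with `if openpgp_env is not None: openpgp_env.close()` would fix that; the method name `close` is assumed here, since the cleanup method's signature is outside the visible lines. The test also pins the rejection only for the mocked system environment; running the same `trust=False` assertion against the isolated `OpenPGPEnvironment` would cover the class whose `import_key` now defaults to `trust=True`.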