Diffstat (limited to 'tests')
-rw-r--r--tests/test_openpgp.py27
-rw-r--r--tests/test_recursiveloader.py61
2 files changed, 88 insertions, 0 deletions
diff --git a/tests/test_openpgp.py b/tests/test_openpgp.py
index 3e30b65..602379e 100644
--- a/tests/test_openpgp.py
+++ b/tests/test_openpgp.py
@@ -585,6 +585,9 @@ def test_cli(base_tree, caplog, manifest_var, key_var, expected):
str(base_tree / '.key.bin'),
'--no-refresh-keys',
'--require-signed-manifest',
+ # we verify this option separately
+ # and our test data currently sucks
+ '--no-require-secure-hashes',
str(base_tree)])
if str(OpenPGPNoImplementation('install gpg')) in caplog.text:
pytest.skip('OpenPGP implementation missing')
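Review bot: The comment added above `'--no-require-secure-hashes'` does not say what is wrong with the test data, so a reader cannot tell when the opt-out can be dropped again. Judging by the new test_verify_require_secure_cli, which expects `ManifestInsecureHashes(["MD5"])` for SIGNED_MANIFEST, the signed fixtures appear to carry only MD5; the comment could say so, e.g. `# signed fixtures only carry MD5; enforcement is covered by test_verify_require_secure_cli`. With the opt-out in place, test_cli no longer exercises the default hash policy, so that separate test is the only guard on it in this file. The body of test_cli starts and ends outside this hunk.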
@@ -1030,3 +1033,27 @@ def test_update_require_secure_cli(base_tree, caplog, hashes_arg,
assert retval == expected
if expected == 1:
assert str(ManifestInsecureHashes(insecure)) in caplog.text
+
+
+@pytest.mark.parametrize(
+ "require_secure", ["", "--no-require-secure-hashes"])
+def test_verify_require_secure_cli(base_tree, caplog, require_secure):
+ with open(base_tree / ".key.bin", "wb") as keyf:
+ keyf.write(VALID_PUBLIC_KEY)
+ with open(base_tree / "Manifest", "w") as f:
+ f.write(SIGNED_MANIFEST)
+
+ retval = gemato.cli.main(["gemato", "verify",
+ "--no-refresh-keys",
+ "--require-signed-manifest",
+ "-K", str(base_tree / ".key.bin"),
+ str(base_tree)]
+ + require_secure.split())
+ if str(OpenPGPNoImplementation('install gpg')) in caplog.text:
+ pytest.skip('OpenPGP implementation missing')
+
+ expected = (1 if require_secure != "--no-require-secure-hashes"
+ else 0)
+ assert retval == expected
+ if expected == 1:
+ assert str(ManifestInsecureHashes(["MD5"])) in caplog.text
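Review bot: The parametrization of test_verify_require_secure_cli covers the default and `--no-require-secure-hashes` but never passes `--require-secure-hashes` explicitly, although test_insecure_hashes_verify_cli in test_recursiveloader.py shows that the flag exists. Adding it, `"require_secure", ["", "--require-secure-hashes", "--no-require-secure-hashes"])`, works with the existing `expected` expression unchanged. A one-line docstring saying that the empty case pins secure-hash enforcement as the default for `verify` would make a later change of that default a visible test edit rather than a silent one.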
diff --git a/tests/test_recursiveloader.py b/tests/test_recursiveloader.py
index 5cbd4d8..6e2395b 100644
--- a/tests/test_recursiveloader.py
+++ b/tests/test_recursiveloader.py
@@ -817,6 +817,20 @@ DATA test 0 X-UNKNOWN 0123456789abcdef
}
+class SecureHashLayout(BaseLayout):
+ """Layout using at least one cryptographically secure hash"""
+
+ MANIFESTS = {
+ "Manifest": """
+DATA test 0 MD5 d41d8cd98f00b204e9800998ecf8427e\
+ SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+""",
+ }
+ FILES = {
+ "test": "",
+ }
+
+
FLAT_LAYOUTS = [
DuplicateEntryLayout,
DuplicateEbuildEntryLayout,
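Review bot: The docstring of SecureHashLayout does not mention that the entry also carries MD5, which looks like the point of the fixture. INSECURE_HASH_VERIFY_TESTS expects it to verify cleanly under `require_secure_hashes=True`, so it pins the policy that one secure hash next to an insecure one is accepted. I would state that, e.g. `"""Layout whose entry lists MD5 next to SHA256; one secure hash is enough to pass require_secure_hashes"""`. A short comment that both digests are those of empty input, matching `"test": ""`, would save the reader a lookup.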
@@ -2490,6 +2504,12 @@ INSECURE_HASH_TESTS = [
("", []),
]
+INSECURE_HASH_VERIFY_TESTS = [
+ # layout, insecure
+ (UnknownHashLayout, ["MD5"]),
+ (SecureHashLayout, None),
+]
+
@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
def test_insecure_hashes(layout_factory, hashes_arg, insecure):
@@ -2504,6 +2524,36 @@ def test_insecure_hashes(layout_factory, hashes_arg, insecure):
require_secure_hashes=True)
+@pytest.mark.parametrize("layout,insecure", INSECURE_HASH_VERIFY_TESTS)
+@pytest.mark.parametrize(
+ "func,path",
+ [(ManifestRecursiveLoader.verify_path, "test"),
+ (ManifestRecursiveLoader.assert_path_verifies, "test"),
+ (ManifestRecursiveLoader.assert_directory_verifies, ""),
+ ])
+def test_insecure_hashes_verify(layout_factory, layout, insecure, func, path):
+ tmp_path = layout_factory.create(layout)
+ m = ManifestRecursiveLoader(tmp_path / layout.TOP_MANIFEST,
+ allow_xdev=False,
+ require_secure_hashes=True)
+
+ ctx = (pytest.raises(ManifestInsecureHashes) if insecure is not None
+ else contextlib.nullcontext())
+ with ctx:
+ func(m, path)
+
+
+def test_insecure_hashes_load(layout_factory):
+ layout = BasicTestLayout
+ tmp_path = layout_factory.create(layout)
+ m = ManifestRecursiveLoader(tmp_path / layout.TOP_MANIFEST,
+ allow_xdev=False,
+ require_secure_hashes=True)
+
+ with pytest.raises(ManifestInsecureHashes):
+ m.load_manifests_for_path("sub")
+
+
@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
@pytest.mark.parametrize(
"func,arg",
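Review bot: In test_insecure_hashes_verify the `insecure` value from INSECURE_HASH_VERIFY_TESTS is only compared with None, so the test passes whichever hashes the raised exception reports. The CLI tests in this commit compare against `str(ManifestInsecureHashes(insecure))`; doing the same on the raised exception would pin which hash is named, assuming the exception's string form is what the CLI logs, as the caplog assertions suggest. test_insecure_hashes_load has the same gap and could be tightened likewise once the expected list for BasicTestLayout is written down.

```python
def test_insecure_hashes_verify(layout_factory, layout, insecure, func, path):
    # … unchanged: layout creation and loader construction …
    if insecure is None:
        func(m, path)
    else:
        with pytest.raises(ManifestInsecureHashes) as excinfo:
            func(m, path)
        assert str(excinfo.value) == str(ManifestInsecureHashes(insecure))
```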
@@ -2534,6 +2584,17 @@ def test_insecure_hashes_update_no_arg(layout_factory):
m.update_entry_for_path("sub/deeper/test")
+@pytest.mark.parametrize("layout,insecure", INSECURE_HASH_VERIFY_TESTS)
+def test_insecure_hashes_verify_cli(layout_factory, caplog, layout,
+ insecure):
+ tmp_path = layout_factory.create(layout)
+ expected = 1 if insecure is not None else 0
+ assert gemato.cli.main(["gemato", "verify", "--require-secure-hashes",
+ str(tmp_path)]) == expected
+ if insecure is not None:
+ assert str(ManifestInsecureHashes(insecure)) in caplog.text
+
+
@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
@pytest.mark.parametrize("command", ["create", "update"])
def test_insecure_hashes_update_cli(layout_factory, caplog,