mirrors/fdroidserver
1
0
Fork 0
mirror of https://github.com/f-droid/fdroidserver.git synced 2025-11-12 10:10:30 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

build: check AllowedAPKSigningKeys in reproducible build scenario

Browse source 
The builder should check the `AllowedAPKSigningKeys` at build time, so
that the CI can check if somebody gives a wrong value that doesn't match
a compared RB binary.  In the event it fails, it gives useful
information, and in the event it succeeds, it makes it clear that this
build has verification back to the developer's original key.

Also, add tests for this to the test suite.
This commit is contained in:
Jason A. Donenfeld 2023-04-18 14:38:58 +02:00 committed by Hans-Christoph Steiner
parent 8a0b7e5b1b
commit 26472c22ce
2 changed files with 75 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

51
tests/build.TestCase
View file

@ -627,6 +627,9 @@ class BuildTest(unittest.TestCase):
}
)
app['Builds'] = [build]
expected_key = 'a' * 64
bogus_key = 'b' * 64
app['AllowedAPKSigningKeys'] = [expected_key]
fdroidserver.metadata.write_metadata(metadata_file, app)
os.makedirs(os.path.join('unsigned', 'binaries'))
@ -657,13 +660,32 @@ class BuildTest(unittest.TestCase):
a, b, c, d, e, f # silence linters' "unused" warnings
with mock.patch('sys.argv', ['fdroid build', appid]):
# successful comparison
# successful comparison, successful signer
open(production_result, 'w').close()
open(production_compare_file, 'w').close()
with mock.patch('fdroidserver.common.verify_apks', lambda *args: None):
with mock.patch(
'fdroidserver.common.verify_apks', lambda *args: None
) as g, mock.patch(
'fdroidserver.common.apk_signer_fingerprint',
lambda *args: expected_key,
) as h:
g, h
fdroidserver.build.main()
self.assertTrue(os.path.exists(production_result))
self.assertTrue(os.path.exists(production_compare_file))
# successful comparison, failed signer
open(production_result, 'w').close()
open(production_compare_file, 'w').close()
with mock.patch(
'fdroidserver.common.verify_apks', lambda *args: None
) as g, mock.patch(
'fdroidserver.common.apk_signer_fingerprint',
lambda *args: bogus_key,
) as h:
g, h
fdroidserver.build.main()
self.assertFalse(os.path.exists(production_result))
self.assertFalse(os.path.exists(production_compare_file))
# failed comparison
open(production_result, 'w').close()
open(production_compare_file, 'w').close()
@ -675,15 +697,36 @@ class BuildTest(unittest.TestCase):
self.assertFalse(os.path.exists(production_compare_file))
with mock.patch('sys.argv', ['fdroid build', '--test', appid]):
# successful comparison
# successful comparison, successful signer
open(test_result, 'w').close()
open(test_compare_file, 'w').close()
with mock.patch('fdroidserver.common.verify_apks', lambda *args: None):
with mock.patch(
'fdroidserver.common.verify_apks', lambda *args: None
) as g, mock.patch(
'fdroidserver.common.apk_signer_fingerprint',
lambda *args: expected_key,
) as h:
g, h
fdroidserver.build.main()
self.assertTrue(os.path.exists(test_result))
self.assertTrue(os.path.exists(test_compare_file))
self.assertFalse(os.path.exists(production_result))
self.assertFalse(os.path.exists(production_compare_file))
# successful comparison, failed signer
open(test_result, 'w').close()
open(test_compare_file, 'w').close()
with mock.patch(
'fdroidserver.common.verify_apks', lambda *args: None
) as g, mock.patch(
'fdroidserver.common.apk_signer_fingerprint',
lambda *args: bogus_key,
) as h:
g, h
fdroidserver.build.main()
self.assertTrue(os.path.exists(test_result))
self.assertFalse(os.path.exists(test_compare_file))
self.assertFalse(os.path.exists(production_result))
self.assertFalse(os.path.exists(production_compare_file))
# failed comparison
open(test_result, 'w').close()
open(test_compare_file, 'w').close()