Merge branch 'tristan/bst-1/fix-ostree-api' into 'bst-1'

Fix and test OSTree repo.remote_gpg_import() calls

See merge request BuildStream/buildstream!1917

10 files changed, 120 insertions, 8 deletions

diff --git a/buildstream/_ostree.py b/buildstream/_ostree.py
index a0c056293..c3c849322 100644
--- a/buildstream/_ostree.py
+++ b/buildstream/_ostree.py
@@ -271,6 +271,20 @@ def configure_remote(repo, remote, url, key_url=None):
         try:
             gfile = Gio.File.new_for_uri(key_url)
             stream = gfile.read()
-            repo.remote_gpg_import(remote, stream, None, None)
+
+            # In ostree commit `v2019.2-10-gaa5df899`, the python
+            # facing API was changed by way of modifying the
+            # instrospection annotations.
+            #
+            # This means we need to call this API in two different
+            # ways depending on which ostree version is installed.
+            #
+            try:
+                # New API
+                repo.remote_gpg_import(remote, stream, None, None)
+            except TypeError:
+                # Old API
+                repo.remote_gpg_import(remote, stream, None, 0, None)
+
         except GLib.GError as e:
             raise OSTreeError("Failed to add gpg key from url '{}': {}".format(key_url, e.message)) from e
diff --git a/tests/sources/ostree.py b/tests/sources/ostree.py
index e059a882f..eb04a74ff 100644
--- a/tests/sources/ostree.py
+++ b/tests/sources/ostree.py
@@ -55,3 +55,40 @@ def test_submodule_track_no_ref_or_track(cli, tmpdir, datafiles):
     result = cli.run(project=project, args=['show', 'target.bst'])
     result.assert_main_error(ErrorDomain.SOURCE, "missing-track-and-ref")
     result.assert_task_error(None, None)
+
+
+@pytest.mark.datafiles(os.path.join(DATA_DIR, 'template'))
+def test_fetch_gpg_verify(cli, tmpdir, datafiles):
+    project = os.path.join(datafiles.dirname, datafiles.basename)
+
+    gpg_homedir = os.path.join(DATA_DIR, "gpghome")
+
+    # Create the repo from 'repofiles' subdir
+    repo = create_repo('ostree', str(tmpdir))
+    ref = repo.create(
+        os.path.join(project, 'repofiles'),
+        gpg_sign="FFFF54C070353B52D046DEB087FA0F41A6EFD9E9",
+        gpg_homedir=gpg_homedir
+    )
+
+    # Write out our test target
+    ostreesource = repo.source_config(ref=ref, gpg_key='test.gpg')
+    element = {
+        'kind': 'import',
+        'sources': [
+            ostreesource
+        ]
+    }
+
+    _yaml.dump(element, os.path.join(project, 'target.bst'))
+
+    # Assert that a fetch is needed
+    assert cli.get_element_state(project, 'target.bst') == 'fetch needed'
+
+    # Now try to fetch it
+    result = cli.run(project=project, args=['fetch', 'target.bst'])
+    result.assert_success()
+
+    # Assert that we are now buildable because the source is
+    # now cached.
+    assert cli.get_element_state(project, 'target.bst') == 'buildable'
diff --git a/tests/sources/ostree/gpghome/openpgp-revocs.d/FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev b/tests/sources/ostree/gpghome/openpgp-revocs.d/FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev
new file mode 100644
index 000000000..e5d1cbdb5
--- /dev/null
+++ b/tests/sources/ostree/gpghome/openpgp-revocs.d/FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev
@@ -0,0 +1,29 @@
+This is a revocation certificate for the OpenPGP key:
+
+pub   rsa1024 2020-05-10 [S]
+      FFFF54C070353B52D046DEB087FA0F41A6EFD9E9
+uid          Ponyman (It's a flying pony) <pony@man.com>
+
+A revocation certificate is a kind of "kill switch" to publicly
+declare that a key shall not anymore be used.  It is not possible
+to retract such a revocation certificate once it has been published.
+
+Use it to revoke this key in case of a compromise or loss of
+the secret key.  However, if the secret key is still accessible,
+it is better to generate a new revocation certificate and give
+a reason for the revocation.  For details see the description of
+of the gpg command "--generate-revocation" in the GnuPG manual.
+
+To avoid an accidental use of this file, a colon has been inserted
+before the 5 dashes below.  Remove this colon with a text editor
+before importing and publishing this revocation certificate.
+
+:-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: This is a revocation certificate
+
+iLYEIAEKACAWIQT//1TAcDU7UtBG3rCH+g9Bpu/Z6QUCXrfEHAIdAAAKCRCH+g9B
+pu/Z6ez3BACQL3lnMaePfXhewvavv4iHChRXBZ7sMXdBVOvQb56d/5YIr/YzdFo/
+O8Xt/5DFw4uwcs6pTVgc5i4GyJsouTmZSqCeQzQ2i4BjXd4HBlYw6OUAQTdOJfwg
+1XlvSbMfNA6qh6eFOknf3VWpbDK6Fc0v9qEbyUxVyCggOZdT8EC2jA==
+=yz0g
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/sources/ostree/gpghome/private-keys-v1.d/C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key b/tests/sources/ostree/gpghome/private-keys-v1.d/C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key
new file mode 100644
index 000000000..8efda3464
--- /dev/null
+++ b/tests/sources/ostree/gpghome/private-keys-v1.d/C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key
diff --git a/tests/sources/ostree/gpghome/private-keys-v1.d/E18E82A1918D5926329EEB985E537DEB5E6934B5.key b/tests/sources/ostree/gpghome/private-keys-v1.d/E18E82A1918D5926329EEB985E537DEB5E6934B5.key
new file mode 100644
index 000000000..237eba3cb
--- /dev/null
+++ b/tests/sources/ostree/gpghome/private-keys-v1.d/E18E82A1918D5926329EEB985E537DEB5E6934B5.key
diff --git a/tests/sources/ostree/gpghome/pubring.kbx b/tests/sources/ostree/gpghome/pubring.kbx
new file mode 100644
index 000000000..fd57843e8
--- /dev/null
+++ b/tests/sources/ostree/gpghome/pubring.kbx
diff --git a/tests/sources/ostree/gpghome/pubring.kbx~ b/tests/sources/ostree/gpghome/pubring.kbx~
new file mode 100644
index 000000000..0a4a27504
--- /dev/null
+++ b/tests/sources/ostree/gpghome/pubring.kbx~
diff --git a/tests/sources/ostree/gpghome/trustdb.gpg b/tests/sources/ostree/gpghome/trustdb.gpg
new file mode 100644
index 000000000..bf256b9a6
--- /dev/null
+++ b/tests/sources/ostree/gpghome/trustdb.gpg
diff --git a/tests/sources/ostree/template/test.gpg b/tests/sources/ostree/template/test.gpg
new file mode 100644
index 000000000..fa2cc973a
--- /dev/null
+++ b/tests/sources/ostree/template/test.gpg
@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mI0EXrfECQEEALtcIRRbUcGnLiDULztXaUboEKNQQIJeEOgG8wjmMsRnhjX78A7S
+ScsxtBhtZUm/s/KciTCTSwv43KHi9VOBwuBGUZAGpMCkJwF8E/WsVh+fxCxWS4hC
+s1lYky6VBhDKJJ6vkTkgHwVxf1Nf4C+MhIYu4K5EZ7SSOIkcY7ulqQkJABEBAAG0
+K1BvbnltYW4gKEl0J3MgYSBmbHlpbmcgcG9ueSkgPHBvbnlAbWFuLmNvbT6IzgQT
+AQoAOBYhBP//VMBwNTtS0EbesIf6D0Gm79npBQJet8QJAhsDBQsJCAcCBhUKCQgL
+AgQWAgMBAh4BAheAAAoJEIf6D0Gm79np548D/jXDKOc0jphHllI99vRUuQyMEJVo
+LzP+2fskSKeCokePGCPlE5BdE05kcUNed6yDAceg8r2m4UEglhsGvKb6xdMSJ1la
+PLhMCbtr7UQo4Dg/SyPYql/S5tqRz/ayhVtTQ7jbO70LKjm/QvbkYZGM1riYFpmX
+fHlX/ux1JRnn982TuI0EXrfECQEEAN66k8damFTpQDocTPg0ta/scT0hGTiPwwDz
+8dn+pG/el7v1/pVkXsXY0eUmJcOC8ea/cXfOk+wVWZ5TpkpvyxnOzs3bGdRk8pL2
+lyr4r14O9g3rQbR3j401n7FhvgWRR2lWGLuoHrZaW8Zz4l1PqMcUZExvQvtRwjq8
+OiTIlDqJABEBAAGItgQYAQoAIBYhBP//VMBwNTtS0EbesIf6D0Gm79npBQJet8QJ
+AhsMAAoJEIf6D0Gm79np/2UD/2+nEwRykN3YmImtST11edEUQ66sxxhzZFQRWn1s
+MgyJVM7xgHyxk1XLAASZS1IXDqNtF5uuwEZimTjbBByLqHayMfRukpXVj82+Uhuo
+JpaitHtph2N0eJTP4S3ia6qTOpaSORTxDdFhf/6Rfj7A0TJSLedhWFJqcUDKDzN4
+cwBu
+=dIhT
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/testutils/repo/ostree.py b/tests/testutils/repo/ostree.py
index e240de113..1e6444c69 100644
--- a/tests/testutils/repo/ostree.py
+++ b/tests/testutils/repo/ostree.py
@@ -13,21 +13,31 @@ class OSTree(Repo):
 
         super(OSTree, self).__init__(directory, subdir)
 
-    def create(self, directory):
+    def create(self, directory, *, gpg_sign=None, gpg_homedir=None):
         subprocess.call(['ostree', 'init',
                          '--repo', self.repo,
                          '--mode', 'archive-z2'])
-        subprocess.call(['ostree', 'commit',
-                         '--repo', self.repo,
-                         '--branch', 'master',
-                         '--subject', 'Initial commit',
-                         directory])
+
+        commit_args = ['ostree', 'commit',
+                       '--repo', self.repo,
+                       '--branch', 'master',
+                       '--subject', 'Initial commit']
+
+        if gpg_sign and gpg_homedir:
+            commit_args += [
+                '--gpg-sign={}'.format(gpg_sign),
+                '--gpg-homedir={}'.format(gpg_homedir)
+            ]
+
+        commit_args += [directory]
+
+        subprocess.call(commit_args)
 
         latest = self.latest_commit()
 
         return latest
 
-    def source_config(self, ref=None):
+    def source_config(self, ref=None, *, gpg_key=None):
         config = {
             'kind': 'ostree',
             'url': 'file://' + self.repo,
@@ -35,6 +45,8 @@ class OSTree(Repo):
         }
         if ref is not None:
             config['ref'] = ref
+        if gpg_key is not None:
+            config['gpg-key'] = gpg_key
 
         return config