From b3cab292feff48a59b2bf6e37d77176e0dade711 Mon Sep 17 00:00:00 2001
From: Tristan Van Berkom
Date: Sat, 9 May 2020 18:18:34 +0900
Subject: _ostree.py: Fix call to remote_gpg_import() again

Last time we fixed this, we actually only adjusted it to work with the new API but stopped supporting the old API, which is still widely in use (debian 9, debian 10 and ubuntu 18 all still use ostree v2019.1). This time, lets add an except block here and fallback to the older API if the new API raises a TypeError.
---
 buildstream/_ostree.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/buildstream/_ostree.py b/buildstream/_ostree.py
index a0c056293..c3c849322 100644
--- a/buildstream/_ostree.py
+++ b/buildstream/_ostree.py
@@ -271,6 +271,20 @@ def configure_remote(repo, remote, url, key_url=None):
 try:
 gfile = Gio.File.new_for_uri(key_url)
 stream = gfile.read()
- repo.remote_gpg_import(remote, stream, None, None)
+
+ # In ostree commit `v2019.2-10-gaa5df899`, the python
+ # facing API was changed by way of modifying the
+ # instrospection annotations.
+ #
+ # This means we need to call this API in two different
+ # ways depending on which ostree version is installed.
+ #
+ try:
+ # New API
+ repo.remote_gpg_import(remote, stream, None, None)
+ except TypeError:
+ # Old API
+ repo.remote_gpg_import(remote, stream, None, 0, None)
+
 except GLib.GError as e:
 raise OSTreeError("Failed to add gpg key from url '{}': {}".format(key_url, e.message)) from e
-- 
cgit v1.2.1

From 718a1b9e4eb4a7beef870b40a7fc0b988998708c Mon Sep 17 00:00:00 2001
From: Tristan Van Berkom
Date: Sun, 10 May 2020 18:26:05 +0900
Subject: tests/testutils/repo/ostree.py: Add ability to create signed repos

---
 tests/testutils/repo/ostree.py | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/tests/testutils/repo/ostree.py b/tests/testutils/repo/ostree.py
index e240de113..1e6444c69 100644
--- a/tests/testutils/repo/ostree.py
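Review bot: The result of `repo.remote_gpg_import` is discarded on both the new-API and the old-API call, so a key_url whose stream yields no usable key leaves the remote configured without any trusted signing key and no error is raised. The old signature's extra `0` argument looks like an imported-key out-parameter that the new annotations turned into a return value (inferred, please confirm against the installed binding); if so, capture it and fail closed with `imported = repo.remote_gpg_import(remote, stream, None, None)` followed by `if not imported: raise OSTreeError("No gpg keys imported from url '{}'".format(key_url))`. The `except TypeError` fallback retries with the old signature on any TypeError from the new call, which only works because an argument-count mismatch fails before the call executes and before the stream is consumed; a one-line comment stating that assumption would help the next maintainer. The comment's `instrospection` should read `introspection`. configure_remote starts and ends outside the hunk.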
+++ b/tests/testutils/repo/ostree.py @@ -13,21 +13,31 @@ class OSTree(Repo): super(OSTree, self).__init__(directory, subdir) - def create(self, directory): + def create(self, directory, *, gpg_sign=None, gpg_homedir=None): subprocess.call(['ostree', 'init', '--repo', self.repo, '--mode', 'archive-z2']) - subprocess.call(['ostree', 'commit', - '--repo', self.repo, - '--branch', 'master', - '--subject', 'Initial commit', - directory]) + + commit_args = ['ostree', 'commit', + '--repo', self.repo, + '--branch', 'master', + '--subject', 'Initial commit'] + + if gpg_sign and gpg_homedir: + commit_args += [ + '--gpg-sign={}'.format(gpg_sign), + '--gpg-homedir={}'.format(gpg_homedir) + ] + + commit_args += [directory] + + subprocess.call(commit_args) latest = self.latest_commit() return latest - def source_config(self, ref=None): + def source_config(self, ref=None, *, gpg_key=None): config = { 'kind': 'ostree', 'url': 'file://' + self.repo, @@ -35,6 +45,8 @@ class OSTree(Repo): } if ref is not None: config['ref'] = ref + if gpg_key is not None: + config['gpg-key'] = gpg_key return config -- cgit v1.2.1 From 54c6207308ec56c6a6628f7cdfcf85bc66ee9b28 Mon Sep 17 00:00:00 2001 
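Review bot: `subprocess.call(commit_args)` in create() discards the exit status, so when `ostree commit --gpg-sign` fails (no gpg binary, unusable homedir, unknown key id) the helper silently falls through to `latest_commit()` and a test that asked for a signed repo can run against an unsigned or stale commit. Use `subprocess.check_call(commit_args)` (and the same for the `ostree init` call above it) so the fixture fails loudly instead of producing a misleading pass. The `if gpg_sign and gpg_homedir:` guard also silently ignores a caller that passes only one of the two keyword arguments; raising `ValueError` when exactly one is given would catch that misuse early. The second hunk's `config['gpg-key'] = gpg_key` addition is fine as written.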
From: Tristan Van Berkom
Date: Sun, 10 May 2020 18:26:40 +0900
Subject: tests/sources/ostree.py: Add test of fetching a signed repo.

This consequently adds:
* A gpg home directory with a gpg key
* An exported public gpg key for the test
---
 tests/sources/ostree.py | 37 +++++++++++++++++++++
 .../FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev | 29 ++++++++++++++++
 .../C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key | Bin 0 -> 526 bytes
 .../E18E82A1918D5926329EEB985E537DEB5E6934B5.key | Bin 0 -> 526 bytes
 tests/sources/ostree/gpghome/pubring.kbx | Bin 0 -> 945 bytes
 tests/sources/ostree/gpghome/pubring.kbx~ | Bin 0 -> 32 bytes
 tests/sources/ostree/gpghome/trustdb.gpg | Bin 0 -> 1280 bytes
 tests/sources/ostree/template/test.gpg | 20 +++++++++++
 8 files changed, 86 insertions(+)
 create mode 100644 tests/sources/ostree/gpghome/openpgp-revocs.d/FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev
 create mode 100644 tests/sources/ostree/gpghome/private-keys-v1.d/C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key
 create mode 100644 tests/sources/ostree/gpghome/private-keys-v1.d/E18E82A1918D5926329EEB985E537DEB5E6934B5.key
 create mode 100644 tests/sources/ostree/gpghome/pubring.kbx
 create mode 100644 tests/sources/ostree/gpghome/pubring.kbx~
 create mode 100644 tests/sources/ostree/gpghome/trustdb.gpg
 create mode 100644 tests/sources/ostree/template/test.gpg

diff --git a/tests/sources/ostree.py b/tests/sources/ostree.py
index e059a882f..eb04a74ff 100644
--- a/tests/sources/ostree.py
+++ b/tests/sources/ostree.py
@@ -55,3 +55,40 @@ def test_submodule_track_no_ref_or_track(cli, tmpdir, datafiles):
 result = cli.run(project=project, args=['show', 'target.bst'])
 result.assert_main_error(ErrorDomain.SOURCE, "missing-track-and-ref")
 result.assert_task_error(None, None)
+
+
+@pytest.mark.datafiles(os.path.join(DATA_DIR, 'template'))
+def test_fetch_gpg_verify(cli, tmpdir, datafiles):
+ project = os.path.join(datafiles.dirname, datafiles.basename)
+
+ gpg_homedir = os.path.join(DATA_DIR, "gpghome")
+
+ # Create the repo from 'repofiles' subdir
+ repo = create_repo('ostree', str(tmpdir))
+ ref = repo.create(
+ os.path.join(project, 'repofiles'),
+ gpg_sign="FFFF54C070353B52D046DEB087FA0F41A6EFD9E9",
+ gpg_homedir=gpg_homedir
+ )
+
+ # Write out our test target
+ ostreesource = repo.source_config(ref=ref, gpg_key='test.gpg')
+ element = {
+ 'kind': 'import',
+ 'sources': [
+ ostreesource
+ ]
+ }
+
+ _yaml.dump(element, os.path.join(project, 'target.bst'))
+
+ # Assert that a fetch is needed
+ assert cli.get_element_state(project, 'target.bst') == 'fetch needed'
+
+ # Now try to fetch it
+ result = cli.run(project=project, args=['fetch', 'target.bst'])
+ result.assert_success()
+
+ # Assert that we are now buildable because the source is
+ # now cached.
+ assert cli.get_element_state(project, 'target.bst') == 'buildable'
diff --git a/tests/sources/ostree/gpghome/openpgp-revocs.d/FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev b/tests/sources/ostree/gpghome/openpgp-revocs.d/FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev
new file mode 100644
index 000000000..e5d1cbdb5
--- /dev/null
+++ b/tests/sources/ostree/gpghome/openpgp-revocs.d/FFFF54C070353B52D046DEB087FA0F41A6EFD9E9.rev
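Review bot: test_fetch_gpg_verify only exercises the positive path, so it cannot show that signature verification is actually enforced: a commit created without `gpg_sign` (or signed by a key not in `test.gpg`) fetched with the same `gpg_key='test.gpg'` source config would need to be asserted to fail, presumably with `result.assert_task_error(ErrorDomain.SOURCE, None)` given how the sibling tests check source failures. Without that negative case, a regression that silently skips verification still passes this test. `gpg_homedir = os.path.join(DATA_DIR, "gpghome")` also points gpg at the checked-in fixture directory, which gpg will write lock files and trustdb updates into during the test run; the committed `pubring.kbx~` backup in this same commit looks like exactly that artifact (inferred). Copying the fixture under `tmpdir` first, e.g. `gpg_homedir = os.path.join(str(tmpdir), "gpghome")` after a `shutil.copytree` from DATA_DIR, keeps the source tree clean and the test hermetic.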
@@ -0,0 +1,29 @@
+This is a revocation certificate for the OpenPGP key:
+
+pub rsa1024 2020-05-10 [S]
+ FFFF54C070353B52D046DEB087FA0F41A6EFD9E9
+uid Ponyman (It's a flying pony)
+
+A revocation certificate is a kind of "kill switch" to publicly
+declare that a key shall not anymore be used. It is not possible
+to retract such a revocation certificate once it has been published.
+
+Use it to revoke this key in case of a compromise or loss of
+the secret key. However, if the secret key is still accessible,
+it is better to generate a new revocation certificate and give
+a reason for the revocation. For details see the description of
+of the gpg command "--generate-revocation" in the GnuPG manual.
+
+To avoid an accidental use of this file, a colon has been inserted
+before the 5 dashes below. Remove this colon with a text editor
+before importing and publishing this revocation certificate.
+
+:-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: This is a revocation certificate
+
+iLYEIAEKACAWIQT//1TAcDU7UtBG3rCH+g9Bpu/Z6QUCXrfEHAIdAAAKCRCH+g9B
+pu/Z6ez3BACQL3lnMaePfXhewvavv4iHChRXBZ7sMXdBVOvQb56d/5YIr/YzdFo/
+O8Xt/5DFw4uwcs6pTVgc5i4GyJsouTmZSqCeQzQ2i4BjXd4HBlYw6OUAQTdOJfwg
+1XlvSbMfNA6qh6eFOknf3VWpbDK6Fc0v9qEbyUxVyCggOZdT8EC2jA==
+=yz0g
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/sources/ostree/gpghome/private-keys-v1.d/C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key b/tests/sources/ostree/gpghome/private-keys-v1.d/C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key
new file mode 100644
index 000000000..8efda3464
Binary files /dev/null and b/tests/sources/ostree/gpghome/private-keys-v1.d/C68F72B3B1BABC2986B2D5C311D8B8F5F26D59C3.key differ
diff --git a/tests/sources/ostree/gpghome/private-keys-v1.d/E18E82A1918D5926329EEB985E537DEB5E6934B5.key b/tests/sources/ostree/gpghome/private-keys-v1.d/E18E82A1918D5926329EEB985E537DEB5E6934B5.key
new file mode 100644
index 000000000..237eba3cb
Binary files /dev/null and b/tests/sources/ostree/gpghome/private-keys-v1.d/E18E82A1918D5926329EEB985E537DEB5E6934B5.key differ
diff --git a/tests/sources/ostree/gpghome/pubring.kbx b/tests/sources/ostree/gpghome/pubring.kbx
new file mode 100644
index 000000000..fd57843e8
Binary files /dev/null and b/tests/sources/ostree/gpghome/pubring.kbx differ
diff --git a/tests/sources/ostree/gpghome/pubring.kbx~ b/tests/sources/ostree/gpghome/pubring.kbx~
new file mode 100644
index 000000000..0a4a27504
Binary files /dev/null and b/tests/sources/ostree/gpghome/pubring.kbx~ differ
diff --git a/tests/sources/ostree/gpghome/trustdb.gpg b/tests/sources/ostree/gpghome/trustdb.gpg
new file mode 100644
index 000000000..bf256b9a6
Binary files /dev/null and b/tests/sources/ostree/gpghome/trustdb.gpg differ
diff --git a/tests/sources/ostree/template/test.gpg b/tests/sources/ostree/template/test.gpg
new file mode 100644
index 000000000..fa2cc973a
--- /dev/null
+++ b/tests/sources/ostree/template/test.gpg
@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mI0EXrfECQEEALtcIRRbUcGnLiDULztXaUboEKNQQIJeEOgG8wjmMsRnhjX78A7S
+ScsxtBhtZUm/s/KciTCTSwv43KHi9VOBwuBGUZAGpMCkJwF8E/WsVh+fxCxWS4hC
+s1lYky6VBhDKJJ6vkTkgHwVxf1Nf4C+MhIYu4K5EZ7SSOIkcY7ulqQkJABEBAAG0
+K1BvbnltYW4gKEl0J3MgYSBmbHlpbmcgcG9ueSkgPHBvbnlAbWFuLmNvbT6IzgQT
+AQoAOBYhBP//VMBwNTtS0EbesIf6D0Gm79npBQJet8QJAhsDBQsJCAcCBhUKCQgL
+AgQWAgMBAh4BAheAAAoJEIf6D0Gm79np548D/jXDKOc0jphHllI99vRUuQyMEJVo
+LzP+2fskSKeCokePGCPlE5BdE05kcUNed6yDAceg8r2m4UEglhsGvKb6xdMSJ1la
+PLhMCbtr7UQo4Dg/SyPYql/S5tqRz/ayhVtTQ7jbO70LKjm/QvbkYZGM1riYFpmX
+fHlX/ux1JRnn982TuI0EXrfECQEEAN66k8damFTpQDocTPg0ta/scT0hGTiPwwDz
+8dn+pG/el7v1/pVkXsXY0eUmJcOC8ea/cXfOk+wVWZ5TpkpvyxnOzs3bGdRk8pL2
+lyr4r14O9g3rQbR3j401n7FhvgWRR2lWGLuoHrZaW8Zz4l1PqMcUZExvQvtRwjq8
+OiTIlDqJABEBAAGItgQYAQoAIBYhBP//VMBwNTtS0EbesIf6D0Gm79npBQJet8QJ
+AhsMAAoJEIf6D0Gm79np/2UD/2+nEwRykN3YmImtST11edEUQ66sxxhzZFQRWn1s
+MgyJVM7xgHyxk1XLAASZS1IXDqNtF5uuwEZimTjbBByLqHayMfRukpXVj82+Uhuo
+JpaitHtph2N0eJTP4S3ia6qTOpaSORTxDdFhf/6Rfj7A0TJSLedhWFJqcUDKDzN4
+cwBu
+=dIhT
+-----END PGP PUBLIC KEY BLOCK-----
-- 
cgit v1.2.1