Mock signature verification for application testing

Jacob Bachmeyer jcb62281 at gmail.com
Fri Mar 12 05:03:08 CET 2021


Hello all,

I answered a call for volunteers to help with the FTP upload handling 
tool that runs ftp.gnu.org and I have been developing a testsuite for 
that tool.  To support automated testing I have written a mockup of 
gpgv, attached to this message.

I am sending this message on a recommendation from Ian at the FSF to ask 
the gnupg list when I requested that someone review the mock gpgv script 
that I had written.  I apologize in advance if this is not the 
appropriate list for this request.  The mock gpgv's role inside the 
testsuite is to provide an easy way to test and verify the upload 
handler's behavior with various combinations of valid and invalid 
signatures, without having to actually generate those signatures.  The 
mock gpgv itself should be self-contained, although some additional 
DejaGnu interface code for driving it has also been written.

The mock gpgv was written mostly by examining GPG source code, and there 
is a chance that I may have misunderstood the program flow, although I 
believe I have it right, including some surprising (to me) results with 
the exit code returned by gpgv:  a valid signature produces a successful 
exit code, even if the key has expired or been revoked, or the signature 
itself has expired.  An unsuccessful exit code occurs only if (code 1) 
the data is found to not match the signature or (code 2) an error 
prevents checking the signature at all.  It seems to me that the proper 
way to distinguish the other situations (matching signature from 
questionable key) involves using the --status-fd mechanism.

Do I understand correctly?  Does the attached shell script accurately 
mimic gpgv's behavior?  Are there further elements that should be added 
to better support testing of programs that use gpgv to perform automatic 
signature verification against a set of approved keys?

As a maintainer of DejaGnu, I may eventually put this script and its 
associated DejaGnu code into DejaGnu's contrib/ directory, if it is or 
can be made sufficiently general, or I would be happy to contribute this 
support for automated testing to the GnuPG project.


-- Jacob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mockgpgv
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20210311/987f9f60/attachment-0001.ksh>


More information about the Gnupg-devel mailing list