Verify PGP key embedded in .sources files are correct

It's kind of hard to manually test the PGP key inside apt's .sources files are the ones we intended, so write a test to do it. This is copied from the one I wrote in securedrop-client, and adds coverage for the apt-test sources file. This isn't a launcher test, but it needs to have external dependencies installed, so this is the best place for it now until we have unit tests for the rest of the provisioning code.
freedomofpress · Sep 24, 2024 · 3ac7b48 · 3ac7b48
1 parent de73145
commit 3ac7b48
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 2 deletions.
diff --git a/launcher/tests/test_sources.py b/launcher/tests/test_sources.py
@@ -0,0 +1,42 @@
+"""
+Test apt sources files
+
+Strictly speaking this doesn't have to do with the launcher, but
+it needs dependencies installed and to be run under pytest
+"""
+from pathlib import Path
+
+import pysequoia
+from debian import deb822
+
+SECUREDROP_SALT = Path(__file__).parent.parent.parent / "securedrop_salt"
+
+
+def test_prod_sources():
+ """Verify the key in the aptsources file is our prod signing key"""
+ path = SECUREDROP_SALT / "apt_freedom_press.sources.j2"
+
+ sources = deb822.Sources(path.read_text())
+ key = pysequoia.Cert.from_bytes(sources["Signed-By"].encode())
+ assert key.fingerprint.upper() == "2359E6538C0613E652955E6C188EDD3B7B22E6A3"
+ assert len(key.user_ids) == 1
+ assert (
+ str(key.user_ids[0])
+ == "SecureDrop Release Signing Key <[email protected]>"
+ )
+ assert key.expiration.year == 2027
+
+
+def test_test_sources():
+ """Verify the key in the apt-test sources file is our dev signing key"""
+ path = SECUREDROP_SALT / "apt-test_freedom_press.sources.j2"
+
+ sources = deb822.Sources(path.read_text())
+ key = pysequoia.Cert.from_bytes(sources["Signed-By"].encode())
+ assert key.fingerprint.upper() == "83127F68BABB04F3FE9A69AA545E94503FAB65AB"
+ assert len(key.user_ids) == 1
+ assert (
+ str(key.user_ids[0])
+ == "SecureDrop TESTING key <[email protected]>"
+ )
+ assert key.expiration is None
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -20,6 +20,8 @@ pytest = "^8.3.3"
 pytest-cov = "^5.0.0"
 types-setuptools = "^75.1.0"
 ruff = "^0.6.7"
+python-debian = "^0.1.49"
+pysequoia = "^0.1.24"
 
 [tool.ruff]
 line-length = 100