Regenerate GPG test keys

The previous test GPG keys had expired on 2015-08-22, causing all subsequent Travis CI builds to fail. The new keys are set to not expire, to avoid a repeat of this problem in future. test/gnupg_test_home/regen_keys.sh modified for GPG 2.1+, storing keys in formats suitable for use by GPG 1, GPG 2.0, and GPG 2.1+. Note: - RSA instead of DSA, because GPG 2.1+ doesn't like DSA for usage "encrypt" - ECC test key wasn't being used by any tests, so not regenerated
sup-heliotrope · Jun 14, 2020 · 4f7a242 · 4f7a242
1 parent c843953
commit 4f7a242
Show file tree

Hide file tree

Showing 15 changed files with 90 additions and 87 deletions.
diff --git a/.gitignore b/.gitignore
@@ -17,6 +17,4 @@ Gemfile.lock
 test/gnupg_test_home/random_seed
 test/gnupg_test_home/trustdb.gpg
 test/gnupg_test_home/.gpg-v21-migrated
-test/gnupg_test_home/private-keys-v1.d
-
-
+test/gnupg_test_home/openpgp-revocs.d
diff --git a/test/gnupg_test_home/key1.gen b/test/gnupg_test_home/key1.gen
diff --git a/test/gnupg_test_home/key2.gen b/test/gnupg_test_home/key2.gen
diff --git a/test/gnupg_test_home/key_ecc.gen b/test/gnupg_test_home/key_ecc.gen
diff --git a/test/gnupg_test_home/private-keys-v1.d/306D2EE90FF0014B5B9FD07E265C751791674140.key b/test/gnupg_test_home/private-keys-v1.d/306D2EE90FF0014B5B9FD07E265C751791674140.key
diff --git a/test/gnupg_test_home/private-keys-v1.d/719C7455A7169C6EE8819C6E91002E4F9DD00A65.key b/test/gnupg_test_home/private-keys-v1.d/719C7455A7169C6EE8819C6E91002E4F9DD00A65.key
diff --git a/test/gnupg_test_home/private-keys-v1.d/8A130806A754AA29D59487D76BD355040D9F26C0.key b/test/gnupg_test_home/private-keys-v1.d/8A130806A754AA29D59487D76BD355040D9F26C0.key
diff --git a/test/gnupg_test_home/private-keys-v1.d/B7AA46B22BD8A6AD1B4F266C19A3B124A32DDD71.key b/test/gnupg_test_home/private-keys-v1.d/B7AA46B22BD8A6AD1B4F266C19A3B124A32DDD71.key
diff --git a/test/gnupg_test_home/private-keys-v1.d/FA64ACD7CC871371BDF57285A6CDF0E618827783.key b/test/gnupg_test_home/private-keys-v1.d/FA64ACD7CC871371BDF57285A6CDF0E618827783.key
diff --git a/test/gnupg_test_home/pubring.gpg b/test/gnupg_test_home/pubring.gpg
diff --git a/test/gnupg_test_home/receiver_pubring.gpg b/test/gnupg_test_home/receiver_pubring.gpg
diff --git a/test/gnupg_test_home/receiver_secring.gpg b/test/gnupg_test_home/receiver_secring.gpg
diff --git a/test/gnupg_test_home/regen_keys.sh b/test/gnupg_test_home/regen_keys.sh
@@ -1,38 +1,89 @@
-#! /bin/bash
+#!/bin/bash
 #
 # re-generate test keys for the sup test base
 #
 # https://github.com/sup-heliotrope/sup/wiki/Development%3A-Crypto
+# 
+# Requires GPG 2.1+ installed as "gpg2"
+# 
+# GPG 2.1+ by default uses pubring.kbx - but this isn't backwards compatible
+# with GPG 1 or GPG 2.0.
+# Workaround:
+#   - Create empty pubring.gpg file, which causes GPG 2.1+ to use this
+#     backwards-compatible store.
+#   - Manually export private key copy to secring.gpg, which would be used
+#     by GPG 1.
+
+set -e -u -o pipefail
 
 pushd $(dirname $0)
 
-export GNUPGHOME="$(pwd)"
+echo "Generating keys in: $(pwd)..."
 
-echo "genrating keys in: $GNUPGHOME.."
+echo "Checking gpg2 version"
+gpg2 --version | head -1
 
-rm *.gpg *.asc
+echo "Deleting all existing test keys"
+rm -f \
+    *.gpg \
+    *.asc \
+    private-keys-v1.d/*.key \
+    .gpg-v21-migrated
 
-echo "generate receiver key.."
-gpg --batch --gen-key key2.gen
+echo "Generating key pair for test receiver (email sup-test-2@foo.bar.asc)"
+touch pubring.gpg  # So GPG 2.1+ writes to pubring.gpg instead of pubring.kbx
+gpg2 \
+    --homedir . \
+    --batch \
+    --pinentry-mode loopback \
+    --passphrase '' \
+    --quick-generate-key sup-test-2@foo.bar rsa encrypt,sign 0
 
-echo "export receiver key.."
+echo "Exporting public key only for test receiver (file sup-test-2@foo.bar.asc)"
+gpg2 \
+    --homedir . \
+    --armor \
+    --output sup-test-2@foo.bar.asc \
+    --export sup-test-2@foo.bar
 
-gpg --output sup-test-2@foo.bar.asc --armor --export sup-test-2@foo.bar
+echo "Backing up secret key for test receiver (file receiver_secring.gpg)"
+gpg2 \
+    --homedir . \
+    --export-secret-keys \
+    >receiver_secring.gpg
 
-mv trustdb.gpg receiver_trustdb.gpg
-mv secring.gpg receiver_secring.gpg
-mv pubring.gpg receiver_pubring.gpg
+echo "Backing up pubring.gpg for test receiver (file receiver_pubring.gpg)"
+cp -a pubring.gpg receiver_pubring.gpg
 
-echo "generate sender key.."
-gpg --batch --gen-key key1.gen
+echo "Clearing key store, so we can start from a blank slate for next key(s)"
+rm -f pubring.gpg trustdb.gpg private-keys-v1.d/*.key .gpg-v21-migrated
 
-echo "generate ecc key.."
-gpg --batch --gen-key key_ecc.gen
+echo "Generating key pair for sender (email sup-test-1@foo.bar)"
+touch pubring.gpg  # So GPG 2.1+ writes to pubring.gpg instead of pubring.kbx
+gpg2 \
+    --homedir . \
+    --batch \
+    --pinentry-mode loopback \
+    --passphrase '' \
+    --quick-generate-key sup-test-1@foo.bar rsa encrypt,sign 0
 
-echo "import receiver key.."
-gpg --import sup-test-2@foo.bar.asc
+echo "Importing public key for receiver, into sender's key store"
+gpg2 \
+    --homedir . \
+    --import sup-test-2@foo.bar.asc
 
+echo "Copy private key also to secring.gpg (old format used by GPG 1)"
+gpg2 \
+    --homedir . \
+    --export-secret-keys \
+    >secring.gpg
 
+echo "Done."
 
-popd
+echo "We now have two non-expiring public keys (receiver & sender):"
+gpg2 --homedir . --list-keys
 
+echo "And we also have only *one* corresponding private key (sender only):"
+gpg2 --homedir . --list-secret-keys
+
+popd
diff --git a/test/gnupg_test_home/secring.gpg b/test/gnupg_test_home/secring.gpg
diff --git a/test/gnupg_test_home/sup-test-2@foo.bar.asc b/test/gnupg_test_home/sup-test-2@foo.bar.asc
@@ -1,25 +1,23 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2
 
-mQGiBFP3VogRBADVBEkaZQXj728C1HUIaTRDCFoKzojwC79Z1BLsD72qQYE8z1ic
-5P9CJpJU5wbhQFDTGBjw+i1nNTWy01z4q5bfFqok+KorT3XNp5IJRcRIEOkj+Twq
-7ZaSODwXGsUmdzSoOVDYmtUpVzRQe0IM0rPQQV4vGzgw55FdJBe7a63nIwCg+WvR
-iQN09PlhpGG7SIEmx0psEqUEAL/t1c5oC9RC7L4a0GM+2AcgFRBMXvzpdnytrzgt
-73Ud6CcUplQp6WODrUYhX0RLzSJPO4zWDsBmkBad/iQCwbCKpFPfAFdBMArJpknx
-rc6vRED4a9dLfCNTT1g86CkiElge9t36juZgOoFT3xt/XP7BxhU1fCFshZNR6VK6
-tN9eA/9G4fUX6XvEGIrNiBYKyU4QvM1nyMXCBujm7vYF6KfSlYyAvVXxG4h+mvUy
-ZXQ/WHMQJSbPTY3dd4hmo0p0GUMlSvXU8JLf7qienW1IccD9Pv88J1XjkbFd+wgw
-feoSx1sAfc36gH+aE17lvsU+PPAP4Bc9CSiScNo0iQv7v/KZjrQ+U3VwIFRlc3Qg
-UmVjZWl2ZXIgKFRlc3QgcmVjZWl2ZXIgZm9yIFN1cCkgPHN1cC10ZXN0LTJAZm9v
-LmJhcj6IaQQTEQIAKQUCU/dWiAIbIwUJAeEzgAcLCQgHAwIBBhUIAgkKCwQWAgMB
-Ah4BAheAAAoJEKfs+g8ACvQGPxIAnj1CSZCzjwyIFLgNEQnIhntU+b28AKDsMEVN
-gf9mHqwhabN+UKgBwX0U3LkBDQRT91aIEAQAjQZEnDK++SKp/l2Oiku6H9IuCsi4
-lv+MhLQP0bMuD4DrPk3mauZNc8BB+U0wgAMh/kZoCKySEdMK1mcf2iOsd5yOCrK+
-sJQAMsALAnrYjCE9QA2xIQs8gHF4PrKopycF55iRHQMDNa1QWfs+j4WJaXderlGQ
-S0dGfLyoqtZsFusAAwUEAIi0+aDZlAVVIdDO2cvR0lu6eDW2Mr2ExZzuwTfAI6dS
-tJLoPzoA2OAVW7cFVVpCOHcVLiF2GOHvtJPw1MgpxaNjzpNdJPTiP2sYZg253dfR
-v66Cw9IuWKgZcElWXmIy5vFWqWWbLyTBOuwEQxCsFnjN9UUZauSADOJSPFy1sekf
-iE8EGBECAA8FAlP3VogCGwwFCQHhM4AACgkQp+z6DwAK9Ab/swCg8LWNwfMwNk+H
-gLgnS1LVsesZ8D4An2Ie2P0/oYuSmPPFV44kbWySX9wW
-=Jo82
+mQGNBF7leTkBDAC3auy8xodH6jxoISylFZTpVqy/0L2ul879YUb/QbC58+F/H36S
+CjLfPxFlq0FAOXHelOvktxaybg+BG5UpSvTgBLbcArq5nctee+04TMXCzQzrG2V1
+zb9gIRT665fX3+WYncSIXdr4LAp7r8Jw3RT3tTOZqbaencumCWaJblnvfFwPrMKf
+AXWa/NVndNMAXmJ5uBf1MRr45KXaQ2tczPIeHqSOKhKNnKZPRqPs0fg4i3d0Vb6G
+yItgtJapfBo50FV+PvtodMHo3LDlz/BBjdEJHSvghqEjb1S7xGo+hdXs+lfCMfa0
+3PAWoj+OeHNorbK0YbVKOtS0E0xYvScbyC7bfwtA9yb3LZYmy7VHsKJmQfygCNQ6
+wIKQGAVN1NcQcJsvWyAwk9+WMN5oqB5lb76u40beoWlUjSJRlph2VvWvkGuh/huU
+sVGqcN7EO4SFkwi2YQLoWfQRGur3mids/PQTBywpGE1SyziPZK76pT6SqP8b+OpI
+CG1QbcTZzYpbv6kAEQEAAbQSc3VwLXRlc3QtMkBmb28uYmFyiQHOBBMBCgA4FiEE
+e0oXvVeqMzUcfd1s2bF8xbTizW8FAl7leTkCGw8FCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQ2bF8xbTizW92TAv/WGlYfDTKNEmJ0K+kxt33T2ldmZXaJKL04Mft
+h5s5KlRZWDNpkCC/L55uyaeEg+Uy+BEEQKLAEeJrrLMV8UMJwMPDOizSTT9uLyiz
+b8RjnQw4iMT8wt9TQboXGaTMslwdXvFPii7w44KgCimE7VuPetJuLMLMbnl147G8
++QhkNUsrB51TuPS8xZJ4qjbH+K/Y2NlvwLtJrxNE3SRQuy2ApYJxKPZIj1KpUL8M
+7Jy/2hI8DaRm/0Fpu8HwRIVsd6/dgdkqdj1uVyLj+wyhgdzqV5WrPLFCRVhd3icd
+lPNRIDjg8YKCh353LVHjKwefOW4SnkOPn4uVMdCP9gUFd9zpMP9lMFpjk0o0tcYO
+NiFrOclS4q5qZ5jrj1MnBF0NaGhuC83DDgRfKV+p5noVeJxg0nXYZSlsSMfAT/K7
+FbdNEg0XUsrLgWVzhvWv/ebMetFPSfGHIveZ7lhiq1qpA5hLBNfSSBb1JJsFmtQt
+cEUluymdNe5W7Y6UGs1CpvcIvbj+
+=Cy9S
 -----END PGP PUBLIC KEY BLOCK-----