podman/test/system/011-image.bats

#!/usr/bin/env bats

load helpers

function setup() {
    skip_if_remote "--sign-by does not work with podman-remote"

    basic_setup

    export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg
    mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures

    cat >$PODMAN_TMPDIR/keydetails <<EOF
    %echo Generating a basic OpenPGP key
    Key-Type: RSA
    Key-Length: 2048
    Subkey-Type: RSA
    Subkey-Length: 2048
    Name-Real: Foo
    Name-Comment: Foo
    Name-Email: foo@bar.com
    Expire-Date: 0
    %no-ask-passphrase
    %no-protection
    # Do a commit here, so that we can later print "done" :-)
    %commit
    %echo done
EOF
    GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails
}

function check_signature() {
    local sigfile=$1
    ls -laR $PODMAN_TMPDIR/signatures
    run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN
    local repodigest=${output/:/=}

    local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}"
    test -d $dir || die "Missing signature directory $dir"
    test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'"

    # Confirm good signature
    run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile"
    is "$output" ".*Good signature from .Foo.*<foo@bar.com>" \
       "gpg --verify $sigfile"
}


@test "podman image - sign with no sigfile" {
    GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures  "docker://$PODMAN_TEST_IMAGE_FQN"
    check_signature "signature-1"
}

# vim: filetype=sh