Coverage for src/ansible_sign/signing/gpg/verifier.py: 86%
33 statements
1"""
2This module handles GPG signature verification for Ansible content. It makes use
3of python-gnupg (which ultimately shells out to GPG).
4"""
6import gnupg
7import os
9from ansible_sign.signing.base import (
10 SignatureVerifier,
11 SignatureVerificationResult,
12)
14__author__ = "Rick Elrod"
15__copyright__ = "(c) 2022 Red Hat, Inc."
16__license__ = "MIT"
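class GPGVerifier(SignatureVerifier):
    """Check a detached GPG signature over a manifest file using python-gnupg.

    The outcome of ``verify()`` is decided solely by the truthiness of the
    object returned by ``gnupg.GPG.verify_file``. The signer's fingerprint is
    copied into the result but is not compared against any expected value in
    this class, so which signers are accepted is determined by the contents of
    the ``gpg_home`` / ``keyring`` handed to the constructor. Callers that need
    to pin a specific signer must restrict that keyring or compare
    ``extra_information["fingerprint"]`` themselves.
    """

    def __init__(self, manifest_path, detached_signature_path, gpg_home=None, keyring=None):
        """Store the paths and GnuPG settings used later by ``verify()``.

        Args:
            manifest_path: Path of the signed data file. Must not be None.
            detached_signature_path: Path of the detached signature. Must not
                be None.
            gpg_home: Passed unchanged as ``gnupghome`` to ``gnupg.GPG``.
            keyring: Passed unchanged as ``keyring`` to ``gnupg.GPG``.

        Raises:
            RuntimeError: If either path argument is None.
        """
        super().__init__()

        if manifest_path is None:
            raise RuntimeError("manifest_path must not be None")
        self.manifest_path = manifest_path

        if detached_signature_path is None:
            raise RuntimeError("detached_signature_path must not be None")
        self.detached_signature_path = detached_signature_path

        # NOTE(review): with both left as None, python-gnupg presumably falls
        # back to the invoking user's default GnuPG home and keyrings, which
        # widens the set of accepted signers -- confirm against callers.
        self.gpg_home = gpg_home
        self.keyring = keyring

    @staticmethod
    def _missing_signature_result():
        """Build the failure result reported when the signature file is absent."""
        return SignatureVerificationResult(
            success=False,
            summary="The specified detached signature path does not exist.",
        )

    def verify(self) -> SignatureVerificationResult:
        """Verify the detached signature against the manifest.

        Returns:
            A ``SignatureVerificationResult``. ``success`` is False when the
            signature file is missing or when GPG does not report a valid
            signature. ``extra_information`` carries GPG's stderr, and on
            success also the fingerprint, creation date, status and timestamp
            reported by python-gnupg.
        """
        if not os.path.exists(self.detached_signature_path):
            return self._missing_signature_result()

        extra = {}

        gpg = gnupg.GPG(gnupghome=self.gpg_home, keyring=self.keyring)

        # The file can disappear between the existence check and the open;
        # report that the same way instead of letting the exception escape.
        try:
            sig = open(self.detached_signature_path, "rb")
        except FileNotFoundError:
            return self._missing_signature_result()

        with sig:
            verified = gpg.verify_file(sig, self.manifest_path)

        # stderr is diagnostic output only; the pass/fail decision comes from
        # the truthiness of the python-gnupg result object.
        extra["stderr"] = verified.stderr

        if not verified:
            return SignatureVerificationResult(
                success=False,
                summary="GPG signature verification failed.",
                extra_information=extra,
            )

        # The fingerprint is reported for the caller to inspect; nothing in
        # this method checks it against an expected signer.
        extra["fingerprint"] = verified.fingerprint
        extra["creation_date"] = verified.creation_date
        extra["status"] = verified.status
        extra["timestamp"] = verified.timestamp

        return SignatureVerificationResult(
            success=True,
            summary="GPG signature verification succeeded.",
            extra_information=extra,
        )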