cd2afdb308
Add 20 BATS tests and 1 interactive test for v0.5.0 edge-case fixes. FIDO2 keygen now prompts to retry on "device not found" instead of exiting. Remove stale Qubes vhci_hcd warning. Update hardware test matrix in README. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
99 lines
2.8 KiB
Bash
Executable File
99 lines
2.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Interactive test: generate ed25519 key via signing wizard
|
|
# Verifies: key created, user.signingkey configured, commit.gpgsign=true
|
|
|
|
set -o errexit
|
|
set -o nounset
|
|
set -o pipefail
|
|
IFS=$'\n\t'
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
# shellcheck source=helpers.sh
|
|
source "${SCRIPT_DIR}/helpers.sh"
|
|
|
|
main() {
|
|
trap cleanup EXIT
|
|
|
|
printf 'Test: Signing wizard - generate ed25519 key\n' >&2
|
|
|
|
# Ensure identity is set (prior tests may have cleared it)
|
|
git config --global user.name "Test User" 2>/dev/null || true
|
|
git config --global user.email "test@example.com" 2>/dev/null || true
|
|
|
|
# Ensure no existing signing keys (new dedicated names + legacy)
|
|
rm -f "${HOME}/.ssh/id_ed25519_signing" "${HOME}/.ssh/id_ed25519_signing.pub"
|
|
rm -f "${HOME}/.ssh/id_ed25519" "${HOME}/.ssh/id_ed25519.pub"
|
|
|
|
start_session
|
|
|
|
# Safety review gate
|
|
wait_for "reviewed this script"
|
|
send "y" Enter
|
|
|
|
# Proceed with hardening
|
|
wait_for "Proceed with hardening"
|
|
send "y" Enter
|
|
|
|
# Accept settings until signing wizard (v0.2.0 adds more prompts)
|
|
local pane_content
|
|
for _ in $(seq 1 50); do
|
|
sleep 0.3
|
|
pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
|
|
if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
|
|
break
|
|
fi
|
|
if printf '%s' "$pane_content" | grep -qF "Hardening complete"; then
|
|
break
|
|
fi
|
|
send "y" Enter
|
|
done
|
|
|
|
# Signing wizard — option 1: generate ed25519
|
|
wait_for "Signing key options" 20
|
|
send "1" Enter
|
|
|
|
# ssh-keygen prompts for passphrase — enter empty twice
|
|
wait_for "Enter passphrase" 10
|
|
send "" Enter
|
|
wait_for "Enter same passphrase" 10
|
|
send "" Enter
|
|
|
|
# Signing wizard asks "Enable commit and tag signing?" — accept
|
|
wait_for "Enable commit and tag signing" 10
|
|
send "y" Enter
|
|
|
|
# Wait for completion
|
|
sleep 3
|
|
capture_output >/dev/null 2>&1 || true
|
|
|
|
# Verify key exists (new dedicated signing key name)
|
|
if [ -f "${HOME}/.ssh/id_ed25519_signing.pub" ]; then
|
|
pass "Key generated: ~/.ssh/id_ed25519_signing.pub exists"
|
|
else
|
|
fail "Key not generated"
|
|
exit 1
|
|
fi
|
|
|
|
# Verify signing key configured
|
|
local signing_key
|
|
signing_key="$(git config --global --get user.signingkey 2>/dev/null || true)"
|
|
if [ -n "$signing_key" ]; then
|
|
pass "user.signingkey configured: ${signing_key}"
|
|
else
|
|
fail "user.signingkey not configured"
|
|
exit 1
|
|
fi
|
|
|
|
# Verify gpgsign enabled
|
|
local gpgsign
|
|
gpgsign="$(git config --global --get commit.gpgsign 2>/dev/null || true)"
|
|
if [ "$gpgsign" = "true" ]; then
|
|
pass "commit.gpgsign=true"
|
|
else
|
|
fail "commit.gpgsign not set"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
main
|