nemos-team team mailing list archive
Message #00188
[Merge] ~nemos-team/nemos/+git/nemos-dev-key:add-autopkgtest into ~nemos-team/nemos/+git/nemos-dev-key:ubuntu/devel
Isaac True has proposed merging ~nemos-team/nemos/+git/nemos-dev-key:add-autopkgtest into ~nemos-team/nemos/+git/nemos-dev-key:ubuntu/devel.
Requested reviews:
Laider Lai (laiderlai)
For more details, see:
https://code.launchpad.net/~nemos-team/nemos/+git/nemos-dev-key/+merge/456060
--
Your team NemOS Team is subscribed to branch ~nemos-team/nemos/+git/nemos-dev-key:ubuntu/devel.
diff --git a/debian/changelog b/debian/changelog
index 00c318e..64705fe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+nemos-dev-key (1.3) noble; urgency=medium
+
+ * Add package test to ensure that the public key can be used to verify
+ signatures generated using the private key.
+
+ -- Isaac True <isaac.true@xxxxxxxxxxxxx> Wed, 22 Nov 2023 11:04:15 +0100
+
nemos-dev-key (1.2) lunar; urgency=medium
* Adjust u-boot-signature.dtsi to only contain the key node itself, rather
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..37bf989
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: verify
+Depends: openssl
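Review bot: The `Depends: openssl` line replaces the implicit `Depends: @` that autopkgtest assumes when the field is absent, so the nemos-dev-key binary package is not installed in the testbed and the test never checks what the package actually ships. If the goal is to validate the packaged key, use `Depends: @, openssl` and have the test read the key from its installed location.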
diff --git a/debian/tests/verify b/debian/tests/verify
new file mode 100644
index 0000000..3fde748
--- /dev/null
+++ b/debian/tests/verify
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright 2023 Canonical Ltd.
+# Ensure that the public key can verify files signed by the private key
+
+FILE=$(mktemp)
+HASH=$(mktemp)
+
+# Create a file with random contents
+dd if=/dev/random of="${FILE}" bs=4096 count=1024 status=none
+
+# Create a detached signature using the private key
+openssl pkeyutl -sign -keyform PEM -rawin -inkey rsa2048_private.pem \
+ -in "${FILE}" > "${HASH}"
+
+# Verify the signature with the public key
+openssl pkeyutl -verify -pubin -keyform PEM -rawin -inkey rsa2048_public.pem \
+ -sigfile "${HASH}" -in "${FILE}"
+
+# Clean up
+rm -f "${FILE}" "${HASH}"
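Review bot: The cleanup at the end of the script is skipped whenever the test fails, because `#!/bin/sh -e` exits on a failed `openssl pkeyutl -verify` (or `-sign`) before the final `rm -f` runs and the two `mktemp` files are left behind. Register the cleanup right after the `mktemp` calls with `trap 'rm -f "${FILE}" "${HASH}"' EXIT` and drop the last line. Two smaller points: `rsa2048_private.pem` and `rsa2048_public.pem` are resolved relative to the working directory, so the test only works when started from the directory that holds them, and the `HASH` variable holds a signature, so a name such as `SIG` would read more clearly.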