Mailing List Archive

Mock signature verification for application testing
Hello all,

I answered a call for volunteers to help with the FTP upload handling
tool that runs ftp.gnu.org and I have been developing a testsuite for
that tool. To support automated testing I have written a mockup of
gpgv, attached to this message.

I am sending this message on a recommendation from Ian at the FSF to ask
the gnupg list when I requested that someone review the mock gpgv script
that I had written. I apologize in advance if this is not the
appropriate list for this request. The mock gpgv's role inside the
testsuite is to provide an easy way to test and verify the upload
handler's behavior with various combinations of valid and invalid
signatures, without having to actually generate those signatures. The
mock gpgv itself should be self-contained, although some additional
DejaGnu interface code for driving it has also been written.

The mock gpgv was written mostly by examining GPG source code, and there
is a chance that I may have misunderstood the program flow, although I
believe I have it right, including some surprising (to me) results with
the exit code returned by gpgv: a valid signature produces a successful
exit code, even if the key has expired or been revoked, or the signature
itself has expired. An unsuccessful exit code occurs only if (code 1)
the data is found to not match the signature or (code 2) an error
prevents checking the signature at all. It seems to me that the proper
way to distinguish the other situations (matching signature from
questionable key) involves using the --status-fd mechanism.

Do I understand correctly? Does the attached shell script accurately
mimic gpgv's behavior? Are there further elements that should be added
to better support testing of programs that use gpgv to perform automatic
signature verification against a set of approved keys?

As a maintainer of DejaGnu, I may eventually put this script and its
associated DejaGnu code into DejaGnu's contrib/ directory, if it is or
can be made sufficiently general, or I would be happy to contribute this
support for automated testing to the GnuPG project.


-- Jacob