unofficial mirror of notmuch@notmuchmail.org
* Cleaning up GnuPG User ID validity in the test suite
@ 2019-05-04 21:33 Daniel Kahn Gillmor
  2019-05-04 21:33 ` [PATCH 1/3] test/crypto: clarify the difference between ownertrust and validity Daniel Kahn Gillmor
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2019-05-04 21:33 UTC (permalink / raw)
  To: Notmuch Mail

In looking at the cryptographic features of the test suite, i noticed
that we're confusing user ID validity and key ownertrust (not an
uncommon confusion).  We're also not testing with a "normal" GnuPG
installation, which has the secret key we control typically set to
"ultimate" ownertrust.

This is a very nit-picky series without much of a functional
difference, but it makes the test suite more conceptually coherent
cryptographically, and should make future changes cleaner and more
sensible.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>


* [PATCH 1/3] test/crypto: clarify the difference between ownertrust and validity
  2019-05-04 21:33 Cleaning up GnuPG User ID validity in the test suite Daniel Kahn Gillmor
@ 2019-05-04 21:33 ` Daniel Kahn Gillmor
  2019-05-04 21:33 ` [PATCH 2/3] test: simplify user ID handling Daniel Kahn Gillmor
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2019-05-04 21:33 UTC (permalink / raw)
  To: Notmuch Mail

This is a subtle difference, but the output of notmuch shouldn't ever
change based on ownertrust itself -- notmuch is intended to show valid
User IDs, and to avoid showing invalid User IDs.

It so happens that setting ownertrust of a key to ultimate sets all
associated user IDs to "full" validity, so the test is correct, but
just misnamed.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 test/T350-crypto.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/test/T350-crypto.sh b/test/T350-crypto.sh
index 6045a7dc..bd369f8f 100755
--- a/test/T350-crypto.sh
+++ b/test/T350-crypto.sh
@@ -135,8 +135,9 @@ test_expect_equal_json \
     "$output" \
     "$expected"
 
-test_begin_subtest "signature verification with full owner trust"
-# give the key full owner trust
+test_begin_subtest "signature verification with full user ID validity"
+# give the key ultimate owner trust, which confers full validity on
+# all user IDs in the certificate:
 echo "${FINGERPRINT}:6:" | gpg --no-tty --import-ownertrust >>"$GNUPGHOME"/trust.log 2>&1
 gpg --no-tty --check-trustdb >>"$GNUPGHOME"/trust.log 2>&1
 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
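
Review bot: The ":6:" on the --import-ownertrust line is still a bare magic number; the new comment says "ultimate owner trust" but never ties that to the 6. Say so in the comment (for example "6 is the ownertrust value for ultimate") so the subtest title, the comment and the command read as one thing. Within this hunk nothing puts the previous ownertrust back, so if later subtests are meant to run with the changed value, the comment should say that too.
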
-- 
2.20.1
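
Added example (not part of the original patch or of notmuch's test suite): ownertrust and user ID validity are separate fields in gpg's --with-colons listing, which is the distinction this patch names. The listing is constructed (only the first fingerprint and user ID come from the thread), and treating "f" or "u" as valid in valid_userids is an assumption made for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output. Dates, key
# sizes, the uid hash field and the whole second key are made up.
sample_colons() {
cat <<'EOF'
pub:u:2048:1:6D92612D94E46381:946728000:::u:::scESC:
fpr:::::::::5AEAB11F5E33DCE875DDB75B6D92612D94E46381:
uid:u::::946728000::0000000000000000000000000000000000000000::Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!):
pub:-:2048:1:1111111111111111:946728000:::f:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::946728000::0000000000000000000000000000000000000000::Constructed Peer <peer@example.org>:
EOF
}

# Ownertrust is a property of the key: field 9 of the pub record.
# The fingerprint is field 10 of the first fpr record that follows it.
key_ownertrust() {
    awk -F: '$1 == "pub" { ot = $9; want = 1 }
             $1 == "fpr" && want { print $10 " ownertrust=" ot; want = 0 }'
}

# Validity is a property of each user ID: field 2 of the uid record.
# Print only user IDs with full (f) or ultimate (u) validity (assumed
# threshold), whatever ownertrust the key carries.
valid_userids() {
    awk -F: '$1 == "uid" && ($2 == "f" || $2 == "u") { print $10 }'
}

# The second key has full ownertrust but an uncertified user ID, so it is
# listed by key_ownertrust and left out by valid_userids.
sample_colons | key_ownertrust
sample_colons | valid_userids
```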


* [PATCH 2/3] test: simplify user ID handling
  2019-05-04 21:33 Cleaning up GnuPG User ID validity in the test suite Daniel Kahn Gillmor
  2019-05-04 21:33 ` [PATCH 1/3] test/crypto: clarify the difference between ownertrust and validity Daniel Kahn Gillmor
@ 2019-05-04 21:33 ` Daniel Kahn Gillmor
  2019-05-04 21:33 ` [PATCH 3/3] test/crypto: add_gnupg_home should have ultimate trust on "its own" key Daniel Kahn Gillmor
  2019-05-05 10:11 ` Cleaning up GnuPG User ID validity in the test suite Tomi Ollila
  3 siblings, 0 replies; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2019-05-04 21:33 UTC (permalink / raw)
  To: Notmuch Mail

The user ID on the self-test is a little bit clunky-looking.  It also
may end up showing up elsewhere in the test suite.  Centralizing the
user ID in one place should make it easier to handle if it ever
changes, and should make tests easier to read.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 test/T350-crypto.sh | 4 ++--
 test/test-lib.sh    | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/test/T350-crypto.sh b/test/T350-crypto.sh
index bd369f8f..f31cd3d7 100755
--- a/test/T350-crypto.sh
+++ b/test/T350-crypto.sh
@@ -158,7 +158,7 @@ expected='[[[{"id": "XXXXX",
  "sigstatus": [{"status": "good",
  "fingerprint": "'$FINGERPRINT'",
  "created": 946728000,
- "userid": "Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!)"}],
+ "userid": "'"$SELF_USERID"'"}],
  "content-type": "multipart/signed",
  "content": [{"id": 2,
  "content-type": "text/plain",
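
Review bot: The new "userid" line pastes $SELF_USERID into the expected JSON with no JSON escaping, so a user ID containing a double quote or a backslash would make the expected text invalid JSON instead of giving a clean comparison failure. The current value is safe; a short comment beside SELF_USERID in test-lib.sh saying it must stay JSON-safe would protect the next key change. The same applies to the second expected block changed below.
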
@@ -366,7 +366,7 @@ expected='[[[{"id": "XXXXX",
  "sigstatus": [{"status": "good",
  "fingerprint": "'$FINGERPRINT'",
  "created": 946728000,
- "userid": "Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!)"}],
+ "userid": "'"$SELF_USERID"'"}],
  "content-type": "multipart/encrypted",
  "content": [{"id": 2,
  "content-type": "application/pgp-encrypted",
diff --git a/test/test-lib.sh b/test/test-lib.sh
index 04d93f7d..b89da572 100644
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -120,6 +120,7 @@ add_gnupg_home ()
 
     # Change this if we ship a new test key
     FINGERPRINT="5AEAB11F5E33DCE875DDB75B6D92612D94E46381"
+    SELF_USERID="Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!)"
 }
 
 # Each test should start with something like this, after copyright notices:
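
Review bot: SELF_USERID is assigned inside add_gnupg_home (), so it is only set in tests that call that function, and a test that uses it before the call expands it to an empty string. The comment "Change this if we ship a new test key" now sits above two values that both have to match the key; reword it to cover both, for example "Change these if we ship a new test key".
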
-- 
2.20.1


* [PATCH 3/3] test/crypto: add_gnupg_home should have ultimate trust on "its own" key
  2019-05-04 21:33 Cleaning up GnuPG User ID validity in the test suite Daniel Kahn Gillmor
  2019-05-04 21:33 ` [PATCH 1/3] test/crypto: clarify the difference between ownertrust and validity Daniel Kahn Gillmor
  2019-05-04 21:33 ` [PATCH 2/3] test: simplify user ID handling Daniel Kahn Gillmor
@ 2019-05-04 21:33 ` Daniel Kahn Gillmor
  2019-05-07  9:50   ` David Bremner
  2019-05-05 10:11 ` Cleaning up GnuPG User ID validity in the test suite Tomi Ollila
  3 siblings, 1 reply; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2019-05-04 21:33 UTC (permalink / raw)
  To: Notmuch Mail

The typical use case for gpg is that if you control a secret key, you
mark it with "ultimate" ownertrust.

The opaque --import-ownertrust mechanism is GnuPG's standard mechanism
to set up ultimate ownertrust (the ":6:" means "ultimate", for
whatever reason).

We adjust the test suite to match this change, inverting the sense of
one test: since the default is now that the user ID of the suite's own
key is valid, we change the test to make sure that the user ID is not
emitted when it is *not* valid.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 test/T350-crypto.sh | 17 +++++++++--------
 test/test-lib.sh    |  1 +
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/test/T350-crypto.sh b/test/T350-crypto.sh
index f31cd3d7..3539bafe 100755
--- a/test/T350-crypto.sh
+++ b/test/T350-crypto.sh
@@ -40,7 +40,8 @@ expected='[[[{"id": "XXXXX",
  "body": [{"id": 1,
  "sigstatus": [{"status": "good",
  "fingerprint": "'$FINGERPRINT'",
- "created": 946728000}],
+ "created": 946728000,
+ "userid": "'"$SELF_USERID"'"}],
  "content-type": "multipart/signed",
  "content": [{"id": 2,
  "content-type": "text/plain",
@@ -135,11 +136,11 @@ test_expect_equal_json \
     "$output" \
     "$expected"
 
-test_begin_subtest "signature verification with full user ID validity"
-# give the key ultimate owner trust, which confers full validity on
-# all user IDs in the certificate:
-echo "${FINGERPRINT}:6:" | gpg --no-tty --import-ownertrust >>"$GNUPGHOME"/trust.log 2>&1
-gpg --no-tty --check-trustdb >>"$GNUPGHOME"/trust.log 2>&1
+test_begin_subtest "signature verification without full user ID validity"
+# give the key no owner trust, removes validity on all user IDs of the
+# certificate in the absence of other trusted certifiers:
+gpg --quiet --batch --no-tty --export-ownertrust > "$GNUPGHOME/ownertrust.bak"
+echo "${FINGERPRINT}:3:" | gpg --quiet --batch --no-tty --import-ownertrust
 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
     | notmuch_json_show_sanitize \
     | sed -e 's|"created": [1234567890]*|"created": 946728000|')
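
Review bot: The replacement gpg lines drop both the >>"$GNUPGHOME"/trust.log 2>&1 redirection and the explicit gpg --no-tty --check-trustdb that the removed lines had, so the trust database is no longer recalculated at a known point and anything gpg prints goes to the test output instead of the log. Keep the redirection and the explicit check, or say in the comment why --quiet --batch is enough. The ":3:" is also unexplained next to "no owner trust", and the comment reads better as "give the key no owner trust, which removes validity from all user IDs of the certificate ...".
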
@@ -157,8 +158,7 @@ expected='[[[{"id": "XXXXX",
  "body": [{"id": 1,
  "sigstatus": [{"status": "good",
  "fingerprint": "'$FINGERPRINT'",
- "created": 946728000,
- "userid": "'"$SELF_USERID"'"}],
+ "created": 946728000}],
  "content-type": "multipart/signed",
  "content": [{"id": 2,
  "content-type": "text/plain",
@@ -170,6 +170,7 @@ expected='[[[{"id": "XXXXX",
 test_expect_equal_json \
     "$output" \
     "$expected"
+gpg --quiet --batch --no-tty --import-ownertrust < "$GNUPGHOME/ownertrust.bak"
 
 test_begin_subtest "signature verification with signer key unavailable"
 # move the gnupghome temporarily out of the way
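
Review bot: The restore from "$GNUPGHOME/ownertrust.bak" runs after test_expect_equal_json and outside any subtest, with its exit status unchecked, so if it fails the following subtests run with the wrong ownertrust and nothing points at the cause. Check the result, or put the save and restore in a helper in test-lib.sh that any subtest changing ownertrust can share.
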
diff --git a/test/test-lib.sh b/test/test-lib.sh
index b89da572..54247a57 100644
--- a/test/test-lib.sh
+++ b/test/test-lib.sh
@@ -121,6 +121,7 @@ add_gnupg_home ()
     # Change this if we ship a new test key
     FINGERPRINT="5AEAB11F5E33DCE875DDB75B6D92612D94E46381"
     SELF_USERID="Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!)"
+    printf '%s:6:\n' "$FINGERPRINT" | gpg --quiet --batch --no-tty --import-ownertrust
 }
 
 # Each test should start with something like this, after copyright notices:
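
Review bot: The added printf ... | gpg --import-ownertrust line in add_gnupg_home () has no error check, and nothing after it makes gpg recalculate the trust database, so that work and whatever gpg prints while doing it are left to whichever gpg call comes next in a test. Consider following it with gpg --check-trustdb with its output sent to a log, as the T350 subtest did before this patch.
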
-- 
2.20.1


* Re: Cleaning up GnuPG User ID validity in the test suite
  2019-05-04 21:33 Cleaning up GnuPG User ID validity in the test suite Daniel Kahn Gillmor
                   ` (2 preceding siblings ...)
  2019-05-04 21:33 ` [PATCH 3/3] test/crypto: add_gnupg_home should have ultimate trust on "its own" key Daniel Kahn Gillmor
@ 2019-05-05 10:11 ` Tomi Ollila
  3 siblings, 0 replies; 7+ messages in thread
From: Tomi Ollila @ 2019-05-05 10:11 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, Notmuch Mail

On Sat, May 04 2019, Daniel Kahn Gillmor wrote:

> In looking at the cryptographic features of the test suite, i noticed
> that we're confusing user ID validity and key ownertrust (not an
> uncommon confusion).  We're also not testing with a "normal" GnuPG
> installation, which has the secret key we control typically set to
> "ultimate" ownertrust.
>
> This is a very nit-picky series without much of a functional
> difference, but it makes the test suite more conceptually coherent
> cryptographically, and should make future changes cleaner and more
> sensible.
>
> Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
>

As far as I understand the code changes look good to me!

Tomi


* Re: [PATCH 3/3] test/crypto: add_gnupg_home should have ultimate trust on "its own" key
  2019-05-04 21:33 ` [PATCH 3/3] test/crypto: add_gnupg_home should have ultimate trust on "its own" key Daniel Kahn Gillmor
@ 2019-05-07  9:50   ` David Bremner
  2019-05-07 13:20     ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 7+ messages in thread
From: David Bremner @ 2019-05-07  9:50 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, Notmuch Mail

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> The typical use case for gpg is that if you control a secret key, you
> mark it with "ultimate" ownertrust.
>
> The opaque --import-ownertrust mechanism is GnuPG's standard mechanism
> to set up ultimate ownertrust (the ":6:" means "ultimate", for
> whatever reason).

I've pushed this series. Note that there is some extra burbling from gpg
for me

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u


* Re: [PATCH 3/3] test/crypto: add_gnupg_home should have ultimate trust on "its own" key
  2019-05-07  9:50   ` David Bremner
@ 2019-05-07 13:20     ` Daniel Kahn Gillmor
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2019-05-07 13:20 UTC (permalink / raw)
  To: David Bremner, Notmuch Mail


On Tue 2019-05-07 06:50:29 -0300, David Bremner wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>
>> The typical use case for gpg is that if you control a secret key, you
>> mark it with "ultimate" ownertrust.
>>
>> The opaque --import-ownertrust mechanism is GnuPG's standard mechanism
>> to set up ultimate ownertrust (the ":6:" means "ultimate", for
>> whatever reason).
>
> I've pushed this series. Note that there is some extra burbling from gpg
> for me
>
> gpg: checking the trustdb
> gpg: marginals needed: 3  completes needed: 1  trust model: pgp
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

i think that id:20190507130135.14898-1-dkg@fifthhorseman.net should
address this burbling.  thanks for calling it out. keeping the spew
to more manageable levels is a laudatory goal.

   --dkg


