Add public signing key

Jill Regan
2026-05-21 15:14:34 -04:00
parent cc789f0882
commit 7b7cb42941
6 changed files with 329 additions and 44 deletions
@@ -1,12 +1,13 @@
import {
ONEPASSWORD_GPG_KEY_FINGERPRINT,
ONEPASSWORD_GPG_KEYSERVER,
verifyLinuxSignature,
} from "./linux-signature";
describe("verifyLinuxSignature", () => {
const OP_PATH = "/tmp/op";
const SIG_PATH = `${OP_PATH}.sig`;
const CORRECT_FPR = `fpr:::::::::${ONEPASSWORD_GPG_KEY_FINGERPRINT}:\n`;
const WRONG_FPR = `fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF:\n`;
const gpgRunner = (...responses: (string | Error)[]) => {
const runner = jest.fn<Promise<string>, [readonly string[]]>();
@@ -22,38 +23,34 @@ describe("verifyLinuxSignature", () => {
const subcommandsCalled = (runner: ReturnType<typeof gpgRunner>) =>
runner.mock.calls.map(([args]: [readonly string[]]) =>
args.find((a) => a === "--recv-keys" || a === "--verify"),
args.find(
(a) => a === "--import" || a === "--list-keys" || a === "--verify",
),
);
it("fetches the pinned key by fingerprint and verifies the signature", async () => {
const runner = gpgRunner("", "");
it("imports the bundled key and verifies the signature", async () => {
const runner = gpgRunner("", CORRECT_FPR, "");
await expect(
verifyLinuxSignature(OP_PATH, SIG_PATH, runner),
).resolves.toBeUndefined();
expect(subcommandsCalled(runner)).toEqual(["--recv-keys", "--verify"]);
const recvKeysArgs = runner.mock.calls[0]![0];
expect(recvKeysArgs).toEqual(
expect.arrayContaining([
"--keyserver",
ONEPASSWORD_GPG_KEYSERVER,
"--recv-keys",
ONEPASSWORD_GPG_KEY_FINGERPRINT,
]),
);
expect(subcommandsCalled(runner)).toEqual([
"--import",
"--list-keys",
"--verify",
]);
});
it("throws if recv-keys fails (e.g., wrong fingerprint or keyserver unreachable)", async () => {
const runner = gpgRunner(new Error("No data"));
it("throws and skips --verify when the imported key has the wrong fingerprint", async () => {
const runner = gpgRunner("", WRONG_FPR);
await expect(
verifyLinuxSignature(OP_PATH, SIG_PATH, runner),
).rejects.toThrow(/No data/);
expect(subcommandsCalled(runner)).toEqual(["--recv-keys"]);
).rejects.toThrow(/does not match expected/);
expect(subcommandsCalled(runner)).toEqual(["--import", "--list-keys"]);
});
it("throws if gpg --verify rejects the signature", async () => {
const runner = gpgRunner("", new Error("BAD signature"));
it("throws when gpg --verify rejects the signature", async () => {
const runner = gpgRunner("", CORRECT_FPR, new Error("BAD signature"));
await expect(
verifyLinuxSignature(OP_PATH, SIG_PATH, runner),
).rejects.toThrow(/BAD signature/);