Add gpg fallback

Jill Regan
2026-05-21 11:22:18 -04:00
parent da7c7c6490
commit d463472f19
9 changed files with 197 additions and 147 deletions
@@ -1,65 +0,0 @@
import {
ONEPASSWORD_GPG_KEY_FINGERPRINT,
ONEPASSWORD_GPG_KEY_URL,
verifyLinuxSignature,
} from "./linux-signature";
describe("verifyLinuxSignature", () => {
const OP_PATH = "/tmp/op";
const SIG_PATH = `${OP_PATH}.sig`;
const CORRECT_FPR = `fpr:::::::::${ONEPASSWORD_GPG_KEY_FINGERPRINT}:\n`;
const WRONG_FPR = `fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF:\n`;
const downloadKey = jest
.fn<Promise<string>, [string]>()
.mockResolvedValue("/tmp/key.asc");
beforeEach(() => downloadKey.mockClear());
const gpgRunner = (...responses: (string | Error)[]) => {
const runner = jest.fn<Promise<string>, [readonly string[]]>();
for (const r of responses) {
if (r instanceof Error) {
runner.mockRejectedValueOnce(r);
} else {
runner.mockResolvedValueOnce(r);
}
}
return runner;
};
const subcommandsCalled = (runner: ReturnType<typeof gpgRunner>) =>
runner.mock.calls.map(([args]: [readonly string[]]) =>
args.find(
(a) => a === "--import" || a === "--list-keys" || a === "--verify",
),
);
it("passes when the imported key matches and gpg --verify succeeds", async () => {
const runner = gpgRunner("", CORRECT_FPR, "");
await expect(
verifyLinuxSignature(OP_PATH, SIG_PATH, runner, downloadKey),
).resolves.toBeUndefined();
expect(downloadKey).toHaveBeenCalledWith(ONEPASSWORD_GPG_KEY_URL);
expect(subcommandsCalled(runner)).toEqual([
"--import",
"--list-keys",
"--verify",
]);
});
it("throws and skips --verify when the imported key fingerprint is wrong", async () => {
const runner = gpgRunner("", WRONG_FPR);
await expect(
verifyLinuxSignature(OP_PATH, SIG_PATH, runner, downloadKey),
).rejects.toThrow(/does not match expected/);
expect(subcommandsCalled(runner)).toEqual(["--import", "--list-keys"]);
});
it("throws when gpg --verify rejects the signature", async () => {
const runner = gpgRunner("", CORRECT_FPR, new Error("BAD signature"));
await expect(
verifyLinuxSignature(OP_PATH, SIG_PATH, runner, downloadKey),
).rejects.toThrow(/BAD signature/);
});
});