feat: ajouts get testing et corrections

2025-07-25 05:32:35 +02:00
parent fec8e13f5a
commit 45e61f45cd
753 changed files with 254335 additions and 19 deletions
--- a/gpg/keystore.py
+++ b/gpg/keystore.py
@@ -6,6 +6,7 @@ from re import compile

 _DEBIAN_KEY_SERVER_HOSTNAME = "keyring.debian.org"
 _DEBIAN_CD_SIGNING_KEY_ID = "DA87E80D6294BE9B"
+_DEBIAN_CD_TESTING_SIGNING_KEY_ID = "42468F4009EA8AC3"


 def import_debian_signing_key():
@@ -36,14 +37,52 @@ def import_debian_signing_key():
            raise RuntimeError("Failed to import key using gpg.")

    # check shell output:
-    # the first line of stdout should look like this
-    expected_first_line = str(
-        f"gpg: key {_DEBIAN_CD_SIGNING_KEY_ID}: public key "
-        f"\"Debian CD signing key <debian-cd@lists.debian.org>\""
-        f" imported"
+    # verify that the key was imported successfully by checking for key patterns
+    stdout_lower = process_result.stdout.lower()
+    key_id_in_output = _DEBIAN_CD_SIGNING_KEY_ID.lower() in stdout_lower
+    imported_or_unchanged = any(word in stdout_lower for word in ["imported", "unchanged", "importée", "importées"])
+    
+    if not (key_id_in_output and imported_or_unchanged):
+        raise RuntimeError(
+            f"Unexpected output while importing PGP public key:\n"
+            f"{process_result.stdout}"
+        )
+
+
+def import_debian_testing_signing_key():
+    """Imports the public debian testing CD signing key using gpg.
+
+    The key is imported from keyring.debian.org into the invoking user's
+    GPG public key store using a shell command.
+    """
+
+    # execute a gpg key import as a shell command, redirecting stderr to stdout
+    process_result = run(
+        [
+            "gpg", "--keyserver", _DEBIAN_KEY_SERVER_HOSTNAME,
+            "--recv-key", _DEBIAN_CD_TESTING_SIGNING_KEY_ID
+        ],
+        stdout=PIPE,
+        stderr=STDOUT,
+        text=True,
    )

-    if not process_result.stdout.split("\n")[0] == expected_first_line:
+    # check shell return code
+    if process_result.returncode != 0:
+        if process_result.stdout:
+            raise RuntimeError(
+                f"Failed to import key using gpg:\n{process_result.stdout}"
+            )
+        else:
+            raise RuntimeError("Failed to import key using gpg.")
+
+    # check shell output:
+    # verify that the key was imported successfully by checking for key patterns
+    stdout_lower = process_result.stdout.lower()
+    key_id_in_output = _DEBIAN_CD_TESTING_SIGNING_KEY_ID.lower() in stdout_lower
+    imported_or_unchanged = any(word in stdout_lower for word in ["imported", "unchanged", "importée", "importées"])
+    
+    if not (key_id_in_output and imported_or_unchanged):
        raise RuntimeError(
            f"Unexpected output while importing PGP public key:\n"
            f"{process_result.stdout}"
@@ -110,3 +149,56 @@ def debian_signing_key_is_imported():
            )

    return True
+
+
+def debian_testing_signing_key_is_imported():
+    """Checks whether the debian testing PGP signing key exists in the local key store.
+
+    The invoking user's GPG key store is checked using a shell command.
+
+    Returns True if the key exists, False otherwise.
+    """
+
+    # execute a gpg key lookup as a shell command, redirecting stderr to stdout
+    process_result = run(
+        ["gpg", "--locate-keys", _DEBIAN_CD_TESTING_SIGNING_KEY_ID],
+        stdout=PIPE,
+        stderr=STDOUT,
+        text=True,
+    )
+
+    # check shell return code
+    if process_result.returncode != 0:
+        raise RuntimeError("Failed to search local keys using gpg.")
+
+    # no shell output means that the key does not exist locally
+    if not process_result.stdout:
+        return False
+
+    # verify existing key shell output using regex:
+    # it should contain six lines in the following format
+    expected_output_lines_regexes = [
+        compile(r"^pub .*$"),
+        compile(r"^ *[0-9A-F]{40}$"),
+        compile(r"^uid .*$"),
+        compile(r"^sub .*$"),
+        compile(r"^$"),
+        compile(r"^$"),
+    ]
+
+    actual_output_lines = process_result.stdout.split("\n")
+    if len(actual_output_lines) < 4:
+        raise RuntimeError(
+            f"Unexpected shell output format while performing local "
+            f"GPG key lookup:\n"
+            f"{process_result.stdout}"
+        )
+    for i in range(4):
+        if not expected_output_lines_regexes[i].match(actual_output_lines[i]):
+            raise RuntimeError(
+                f"Unexpected shell output format while performing local"
+                f"GPG key lookup:\n"
+                f"{process_result.stdout}"
+            )
+
+    return True
--- a/gpg/verify.py
+++ b/gpg/verify.py
@@ -113,9 +113,10 @@ def assert_detached_signature_is_valid(
        # successful verification causes return code 0
        # and the following output on line 3:
        verification_successful_regex = compile(
-            r"^gpg: Good signature from .*$"
+            r"^gpg: (Good signature|Bonne signature) (from|de) .*$"
        )
-        if not verification_successful_regex.match(output_lines[2]):
+        signature_found = any(verification_successful_regex.match(line) for line in output_lines)
+        if not signature_found:
            raise ex.UnexpectedOutputException(
                f"Unexpected output during gpg verification:\n"
                f"{process_result.stdout}"