nixos/tests/gitea: test gpg commit signing key

`/api/v1/signing-key.gpg` spawns a `gpg` process, which is great to test if `gpg` is available and can be invoked from in the unit. Which is somewhat relevant, since `gpg` was missing from the unit's `$PATH` until recently. And even after adding `gpg` to the unit's `$PATH`, configuring commit signing for a instance resulted in http/500s nonetheless. That's due to `@memlock` being present in `SystemCallFilter=~` and `gpg` trying to use `mlock` (probably to prevent secrets in the memory to swap), resulting in an immediate `SIGKILL` of any spawned `gpg` processes.
2024-11-18 03:30:45 +00:00 · 2023-03-01 23:44:21 +01:00 · 2023-03-01 23:44:21 +01:00 · 249f6c4c1d
parent 29211dc4b4
commit 249f6c4c1d
1 changed files with 24 additions and 1 deletions
--- a/nixos/tests/gitea.nix
+++ b/nixos/tests/gitea.nix
@ -8,6 +8,21 @@ with import ../lib/testing-python.nix { inherit system pkgs; };
 with pkgs.lib;

 let
+  ## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign
+  signingPrivateKey = ''
+    -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+    lFgEY/6jkBYJKwYBBAHaRw8BAQdADXiZRV8RJUyC9g0LH04wLMaJL9WTc+szbMi7
+    5fw4yP8AAQCl8EwGfzSLm/P6fCBfA3I9znFb3MEHGCCJhJ6VtKYyRw7ktAhzbmFr
+    ZW9pbIiUBBMWCgA8FiEE+wUM6VW/NLtAdSixTWQt6LZ4x50FAmP+o5ACGwMFCQPC
+    ZwAECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEE1kLei2eMedFTgBAKQs1oGFZrCI
+    TZP42hmBTKxGAI1wg7VSdDEWTZxut/2JAQDGgo2sa4VHMfj0aqYGxrIwfP2B7JHO
+    GCqGCRf9O/hzBA==
+    =9Uy3
+    -----END PGP PRIVATE KEY BLOCK-----
+  '';
+  signingPrivateKeyId = "4D642DE8B678C79D";
+
  supportedDbTypes = [ "mysql" "postgres" "sqlite3" ];
  makeGiteaTest = type: nameValuePair type (makeTest {
    name = "${giteaPackage.pname}-${type}";
@ -21,8 +36,9 @@ let
          database = { inherit type; };
          package = giteaPackage;
          settings.service.DISABLE_REGISTRATION = true;
+          settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
        };
-        environment.systemPackages = [ giteaPackage pkgs.jq ];
+        environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];
        services.openssh.enable = true;
      };
      client1 = { config, pkgs, ... }: {
@ -58,6 +74,13 @@ let
      server.wait_for_open_port(3000)
      server.succeed("curl --fail http://localhost:3000/")

+      server.succeed(
+          "su -l gitea -c 'gpg --homedir /var/lib/gitea/data/home/.gnupg "
+          + "--import ${toString (pkgs.writeText "gitea.key" signingPrivateKey)}'"
+      )
+
+      assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
+
      server.succeed(
          "curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. "
          + "Please contact your site administrator.'"