diff --git a/modules/programs/gpg.nix b/modules/programs/gpg.nix
index e3a7a8e87..1978a1b68 100644
--- a/modules/programs/gpg.nix
+++ b/modules/programs/gpg.nix
@@ -125,7 +125,7 @@ let
 function importTrust() {
 local keyIds trust
- IFS='\n' read -ra keyIds <<< "$(gpgKeyId "$1")"
+ mapfile -t keyIds <<< "$(gpgKeyId "$1")"
 trust="$2"
 for id in "''${keyIds[@]}" ; do
 { echo trust; echo "$trust"; (( trust == 5 )) && echo y; echo quit; } \
diff --git a/tests/modules/programs/gpg/default.nix b/tests/modules/programs/gpg/default.nix
index a3949b186..40ed739ec 100644
--- a/tests/modules/programs/gpg/default.nix
+++ b/tests/modules/programs/gpg/default.nix
@@ -1,5 +1,6 @@
 {
 gpg-immutable-keyfiles = ./immutable-keyfiles.nix;
 gpg-mutable-keyfiles = ./mutable-keyfiles.nix;
+ gpg-multiple-keys-trust = ./multiple-keys-trust.nix;
 gpg-override-defaults = ./override-defaults.nix;
 }
diff --git a/tests/modules/programs/gpg/multiple-keys-trust.nix b/tests/modules/programs/gpg/multiple-keys-trust.nix
new file mode 100644
index 000000000..966443cf6
--- /dev/null
+++ b/tests/modules/programs/gpg/multiple-keys-trust.nix
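Review bot: `mapfile -t keyIds <<< "$(gpgKeyId "$1")"` turns an empty result from gpgKeyId into a one-element array holding "", because a here-string always delivers at least one (empty) line, whereas the replaced `read -ra` left keyIds empty in that case; the `for id in "''${keyIds[@]}"` loop that follows would then run the edit-key dialogue once with an empty id. Reading from process substitution keeps the array empty when there is no output: `mapfile -t keyIds < <(gpgKeyId "$1")`. Whether gpgKeyId can actually produce no output depends on its definition, which is outside the hunk, as is the remainder of importTrust's loop body.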
@@ -0,0 +1,61 @@
+{ realPkgs, ... }:
+
+{
+ programs.gpg = {
+ enable = true;
+ package = realPkgs.gnupg;
+
+ mutableKeys = false;
+ mutableTrust = false;
+
+ publicKeys = [
+ {
+ # This file contains three public keys
+ # The bug causes only the first key to have trust set
+ source = ./test-keys/multiple-keys.asc;
+ trust = "ultimate"; # trust level 5
+ }
+ ];
+ };
+
+ nmt.script = ''
+ assertFileNotRegex activate "^export GNUPGHOME=/home/hm-user/.gnupg$"
+
+ assertFileRegex activate \
+ '^install -m 0700 /nix/store/[0-9a-z]*-gpg-pubring/trustdb.gpg "/home/hm-user/.gnupg/trustdb.gpg"$'
+
+ # Setup GPGHOME
+ export GNUPGHOME=$(mktemp -d)
+ cp -r $TESTED/home-files/.gnupg/* $GNUPGHOME
+ TRUSTDB=$(grep -o '/nix/store/[0-9a-z]*-gpg-pubring/trustdb.gpg' $TESTED/activate)
+ install -m 0700 $TRUSTDB $GNUPGHOME/trustdb.gpg
+
+ # Export Trust
+ export WORKDIR=$(mktemp -d)
+ ${realPkgs.gnupg}/bin/gpg -q --export-ownertrust > $WORKDIR/gpgtrust.txt
+
+ echo "=== Trust database contents ==="
+ cat $WORKDIR/gpgtrust.txt
+ echo "=== End of trust database ==="
+
+ # The test file contains three keys:
+ # - 13B06D9193E01E0F (Test User One) - fingerprint: B07502E7B7ED0A4AA3BF191913B06D9193E01E0F
+ # - 42E7B990011430DE (Test User Two) - fingerprint: 6A2A713AE7F93C8EA6D264B642E7B990011430DE
+ # - DFC825F8209CE742 (Test User Three) - fingerprint: E66D263DC7174345AB102829DFC825F8209CE742
+ #
+ # All three keys should have ultimate trust (level 6 in ownertrust format)
+ # Due to the bug in importTrust function, only the first key gets trust set
+
+ # Check that first key has ultimate trust (this works with current code)
+ assertFileRegex $WORKDIR/gpgtrust.txt \
+ '^B07502E7B7ED0A4AA3BF191913B06D9193E01E0F:6:$'
+
+ # Check that second key has ultimate trust (this FAILS due to bug)
+ assertFileRegex $WORKDIR/gpgtrust.txt \
+ '^6A2A713AE7F93C8EA6D264B642E7B990011430DE:6:$'
+
+ # Check that third key has ultimate trust (this FAILS due to bug)
+ assertFileRegex $WORKDIR/gpgtrust.txt \
+ '^E66D263DC7174345AB102829DFC825F8209CE742:6:$'
+ '';
+}
diff --git a/tests/modules/programs/gpg/test-keys/multiple-keys.asc b/tests/modules/programs/gpg/test-keys/multiple-keys.asc
new file mode 100644
index 000000000..c8b9c6937
--- /dev/null
+++ b/tests/modules/programs/gpg/test-keys/multiple-keys.asc
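Review bot: The comments in multiple-keys-trust.nix still describe the pre-fix state — `# The bug causes only the first key to have trust set`, `# Due to the bug in importTrust function, only the first key gets trust set`, and the `(this FAILS due to bug)` / `(this works with current code)` qualifiers on the three assertFileRegex checks — which will read as a known failure to anyone running the test after this commit lands. Reword them to state the invariant the test guards, e.g. `# Regression test: importTrust must apply the configured trust to every key in a multi-key file, not only the first`, and drop the FAILS/works qualifiers. Separately, `$TESTED`, `$GNUPGHOME`, `$TRUSTDB` and `$WORKDIR` are expanded unquoted in `cp -r $TESTED/home-files/.gnupg/* $GNUPGHOME` and the lines that follow; mktemp paths rarely contain whitespace, but quoting the expansions would keep the script correct under any TMPDIR.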
@@ -0,0 +1,45 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBGkHy/oBCADC4NT6P4eiOv1f9g8mhdLQlexO4Pefh33EicybD4tnlZZGVzYT +2J75slIGFV9+AOX/TXsws7+0IaZYB94a3p1NKoWeYh4XZy0HQ2HRJjNWeLQ41lFC +dCQ4A0JuqCurMFFdph59Xlh4ko3SXmPwNqXEmNX8LQlIDRNk+RiW+gJ4OC8DV6Do +YexeQHrHxtdGrStFmEygEAB5K1xqLRrzETvPubEmPEcrvhT/7W1+TwCb/haKo+Is +OgFcaJFv7CR6EbYh3DNZa4Zrd/WpNAL8+Kmz89VTdw0qaSYJxV9uR4DdmgX+2tAv +WmLuTuPMabU599p9nRUqk1Pj5fit6octCxX9ABEBAAG0IVRlc3QgVXNlciBPbmUg +PHRlc3QxQGV4YW1wbGUuY29tPokBTwQTAQoAORYhBLB1Aue37QpKo78ZGROwbZGT +4B4PBQJpB8v6AxsvBAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRATsG2Rk+Ae +D54fB/9EN7IjdwARheioFsZlifda5t31l084eYsq9kLzjCrxCXNlDZEIi6QrNBBA +CDZyv5bM+JLrZPbZ/1J1caoB6W9+ARPLiERWMhql7JNWSS/4Yhf/L0aD0C3pJFJf +h3bcSxhAzXBL3857cELR88UeV7NHPNdJsKVX0h7r1xe1D1oGZd19qbyZx3FJLzH8 +p01ZkLoKdKAh42x+XN6KrOWGWFyvLX56pXjp9mjero2iDpUlBdIV15CFJ+aoVI3B +KG26z4B7/L8kQVO2eH41k/i39u9SuvuCinYcNQ/5/blpaIc7xqL5jI1gapzE4bBu +GzGOKJoWRgGJDUZzyvTtxbI/nsK6mQENBGkHy/oBCADHGrIJ1uTGWJvSt+2pmqxK +ruXQvVxQva3GbYIgePQa88PzhORYTnuskEdOhNhMTaxKWbxS1bfDXf3Akjis+kHb +xLK692XtKFf88ALV6ts0Rd4YRG6BCcwMPAfFuQhyQRxclNk5XHzaH6IvKvmrSkvG +wilLkrdj9hW32FvVYDyjdiDSbvs05d8EfRr7UF/fMQC5HOJJ6VSC7HJ7tQGWvtNG +eyr/I61OSDxhf6PF5CfuepajO0nzsVHvsXTxoJwYbx+zXSlGxTsHWYxp6r0MdPE/ +vCNmvrfpz4PoTiE43Xa3XsYSO2gRCpMYJKQaxl5pCfBGSmKpCF1YDBSTrRYyacyv +ABEBAAG0IVRlc3QgVXNlciBUd28gPHRlc3QyQGV4YW1wbGUuY29tPokBTwQTAQoA +ORYhBGoqcTrn+TyOptJktkLnuZABFDDeBQJpB8v6AxsvBAULCQgHAgYVCgkICwIE +FgIDAQIeAQIXgAAKCRBC57mQARQw3nIGB/9/j1SIk+DxmCeT2fihQmS7lubDoq1I +FUdjb7cAGBs4KAmJh8MVMsYyB+EtaVC8qu4C5EgNNV0+c2H8UishGcZvMm9Qg7LQ +MTSGKLwXikaiIvyw3zlh1FpJn2rYUSvCplVswhF/dfSlenmU81eiPigYsvzVoa8h +xJNn01DLu4cd2VsBhWW/2w3DKSvVHRPdlPTPrqkjzMQRy2ULa2yTWiiuxWJxHuj0 +3ocvLGlpyyvIwyoFVG4Lex4r+jSL3RCllEUjADAMgDPfhoTEerfgORCVEqGE/JLR +MVrTl6bMuodGehXgCRalcg9ChUADBHS4fZ0NiH46QhTblwRRFc2K6WbzmQENBGkH +y/oBCADAzZTgBmulUSr29gmBELA1gpMNHZ3J/2R3mTXMFaZAsi84uCZNyLLrDhU4 +WaXVRURlwY4eHdvIMc3IM846s0SkLKDy3cIbusQK9NDVS/69LRyKNiZMjEbpODZl 
+fT5AtQUOL1jAIxy/wVEKzqih0so6mfNCwKFshWyi4p2+E8dFT8apTvhwJkdpptb6 +q8Q1ABx+NRE1iSK+lFUw7xD7lLDvUYcHn6glpEMIGjg3/BLF74nVYFe6rCuFKgNt +GHLk1ZjoldbQRmTxdaKkb6vmfPWjbQuZCdNAUT87ljnrpdl3YxRN2ujQ1tHrWkby +C+anhmkdoQnqQPpICaeLe6NwHpPVABEBAAG0I1Rlc3QgVXNlciBUaHJlZSA8dGVz +dDNAZXhhbXBsZS5jb20+iQFPBBMBCgA5FiEE5m0mPccXQ0WrECgp38gl+CCc50IF +AmkHy/oDGy8EBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEN/IJfggnOdC7qEH +/idAjYhb9QNnOOu7lPkgLnPVanLCE20uHoGLeDUNkz2+2VFmkTu9poHKp4P7tW4e +/wMyy6uv4X1kcp6XcwVALx2HRU/PKLy1kNQFEeDocA1fx0wloJTfGfJpbxXWPFUG +oTVx0V2BwjiGK1+MTZCJQ+aqS2mXPLMPRv0ZKw8CQOeGHRJCD3NBEiWxpi5wncFM +DFDnaKrTCgmndRIafdXU3B7L4zZkNwcXRylkxVFjl938W5czbqa0o2LLadd/trJZ +YN/21BNkS/QmrH1Kapcgj5GvJp8ky4OpccrCTxfWLmRVfxtdo/N2woNyK9xvjiwd +TYMaXvrf93dAboJrOmiAtPA= +=tjTO +-----END PGP PUBLIC KEY BLOCK-----