Add smoketest (package installed, keyring/repo files in place)

.github/workflows/ci.yml

@@ -40,3 +40,31 @@ jobs:
         run: |
           make test-deps
           make reprotest
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: rpm-build
+          path: rpm-build/RPMS/noarch/*.rpm
+          if-no-files-found: error
+  test-rpm:
+    runs-on: ubuntu-latest
+    container:
+      image: registry.fedoraproject.org/fedora:37
+    needs: build-rpm
+    steps:
+      - run: dnf install -y git make
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install dependencies
+        run: |
+          git config --global --add safe.directory '*'
+          make test-deps
+      - uses: actions/download-artifact@v4
+        with:
+          name: rpm-build
+          path: rpm-build/RPMS/noarch/
+          pattern: "*.rpm"
+      - name: Install RPM and run smoketest
+        run: |
+          make smoketest RPM=rpm-build/RPMS/noarch/*fc37.noarch.rpm

Makefile

@@ -27,7 +27,7 @@ build-deps: ## Install package dependencies to build RPMs
 test-deps: build-deps ## Install package dependencies for running tests
 	dnf install -y \
 		python3-pip rpmlint which libfaketime ShellCheck \
-		hostname
+		hostname systemd
 	dnf --setopt=install_weak_deps=False -y install reprotest
 
 .PHONY: lint
@@ -41,6 +41,11 @@ rpmlint: ## Runs rpmlint on the spec file
 shellcheck: ## Runs shellcheck on all shell scripts
 	./scripts/shellcheck.sh
 
+.PHONY: smoketest
+smoketest: ## Run smoketest (builds rpm if none provided)
+    # Run against a prebuilt rpm via `make smoketest RPM=path-to-rpm`
+	$(CONTAINER) ./scripts/smoketest.sh $(RPM)
+
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" to parse lines for make targets.
 # 2. Check for second field matching, skip otherwise.

README.md

@@ -1,9 +1,26 @@
 # SecureDrop Worskatation Keyring (RPM)
 
-This package contains the SecureDrop Release Public Key and a yum .repo file that points to the SecureDrop Workstation production repo.
-It will be used for ease of bootstrapping SecureDrop Workstation on QubesOS.
+This package contains the SecureDrop Release Public Key and a yum .repo file that points
+to the SecureDrop Workstation production repo. It will be used for ease of bootstrapping
+SecureDrop Workstation on QubesOS.
 
 **At the moment this repo is experimental and should not be part of a production SDW installation.**
 
 ## SecureDrop Release Key
-See https://media.securedrop.org/media/documents/securedrop-release-key-2021-2.asc for verification.
+See https://media.securedrop.org/media/documents/securedrop-release-key-2021-2.asc
+for verification.
+
+## Package updates
+Any updates to the SecureDrop Release Signing Key will require an updated version of
+this package to be released. Submit a PR to this repository that contains the updated
+SecureDrop Release Public Key and updates the rpm key ID, which will change any time the
+key or its subkeys are changed. (The rpm key ID is ``gpg-pubkey-xxxxxxxx-yyyyyyyy``, used
+in the ``.spec`` file and in ``tests``, and the new rpm key ID can be found by importing
+the updated pubkey into rpmdb and querying for it via
+``rpm -qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep 'SecureDrop Release Signing Key'``).
+
+Then follow [the RPM release documentation](https://developers.securedrop.org/en/latest/workstation_release_management.html#release-an-rpm-package) to release an updated keyring
+package.
+
+Refer to the internal SecureDrop developer documentation for information on release key
+update procedures.

scripts/smoketest.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/bash
+set -e
+set -u
+set -o pipefail
+
+# If no rpm supplied as commandline arg, build one 
+if [[ "$#" -eq 0 ]]; then
+    echo "No RPM supplied for smoketest, building..."
+    source "$(dirname "$0")/build-rpm.sh"
+    # Choose the fc37.noarch rpm
+    RPM=$(find rpm-build/ -type f -iname "${PROJECT}-$(cat "${TOPLEVEL}/VERSION")*fc37.noarch.rpm")
+elif [[ "$#" -eq 1 ]]; then
+    RPM="${1}"
+    source "$(dirname "$0")/common.sh"
+else
+    echo "Usage: smoketest.sh [path-to-rpm]"
+    exit 1
+fi
+
+echo "Installing RPM..."
+sudo dnf install -y "${RPM}"
+
+echo "RPM installed. (Wait 60 seconds to begin smoketest)..."
+# rpmdb isn't modified right away
+sleep 60
+
+echo "Begin smoketest..."
+python3 "${TOPLEVEL}/tests/test_keyring.py"

tests/test_keyring.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+import subprocess
+from pathlib import Path
+
+#
+# Basic acceptance testing for keyring package (Fedora-based)
+#
+
+# Update this pubkey ID if the key or its subkeys are updated; see README
+GPG_PUBKEY_ID = "gpg-pubkey-7b22e6a3-609966ad"
+RPM_QUERY_PACKAGE = ["rpm", "-q"]
+RPM_GPG_QUERY_SD_RELEASE_KEY = ["rpm", "-q", GPG_PUBKEY_ID]
+REPOFILE_PATH = "/etc/yum.repos.d/securedrop-workstation-dom0.repo"
+KEYFILE_PATH = "/etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation"
+
+def is_fedora():
+    with open("/etc/os-release") as f:
+        for line in f:
+            if line.startswith("NAME"):
+                return "Fedora" in line.split("=")[-1]
+    return False
+
+def is_package_installed(package_name: str):
+    query = RPM_QUERY_PACKAGE + [package_name]
+
+    # raise if package is not installed
+    subprocess.check_call(args=query, stdout=subprocess.DEVNULL)
+
+def is_repo_file_installed():
+    repofile = Path(REPOFILE_PATH)
+    return repofile.exists()
+
+def is_key_in_etc_pki():
+    keyfile = Path(KEYFILE_PATH)
+    return keyfile.exists()
+
+def is_key_in_rpmdb():
+    subprocess.check_call(RPM_GPG_QUERY_SD_RELEASE_KEY,
+                              stdout=subprocess.DEVNULL)
+
+if __name__ == "__main__":
+    assert is_fedora()
+    assert is_package_installed("securedrop-workstation-keyring")
+    assert is_repo_file_installed()
+    assert is_key_in_etc_pki()
+
+    # TODO: CI does not have systemd installed and booted with PID 1,
+    # so skip the test that checks that the key was imported to rpmdb
+    # using systemd-run
+    if is_package_installed("systemd"):
+        assert is_key_in_rpmdb()