Am Tue, 10 Jul 2018 13:09:01 -0400 schrieb Jeff King <peff@xxxxxxxx>: > On Tue, Jul 10, 2018 at 10:52:31AM +0200, Henning Schild wrote: > > > diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh > > index a5d3b2cba..9dcb4e990 100755 > > --- a/t/lib-gpg.sh > > +++ b/t/lib-gpg.sh > > @@ -38,7 +38,14 @@ then > > "$TEST_DIRECTORY"/lib-gpg/ownertrust && > > gpg --homedir "${GNUPGHOME}" </dev/null >/dev/null > > 2>&1 \ --sign -u committer@xxxxxxxxxxx && > > - test_set_prereq GPG > > + test_set_prereq GPG && > > + echo | gpgsm --homedir "${GNUPGHOME}" -o > > "$TEST_DIRECTORY"/lib-gpg/gpgsm.crt.user --passphrase-fd 0 > > --pinentry-mode loopback --generate-key --batch > > "$TEST_DIRECTORY"/lib-gpg/gpgsm-gen-key.in && > > Is this --generate-key going to require high-quality entropy? That > could slow the test suite down (and maybe even stall it quite a bit > on servers doing automated CI). Yes, i also saw that getting "stuck" on one machine. But i blamed an experimental kernel. > Can we save a dummy generated key and just import it? That's what we > do for the regular gpg case. I will look into storing a binary and leaving notes how it was generated, just like regular gpg does. The reason i did not do that in the first place is that x509 certs have a validity and we introduce time into the picture. But i will see if i can generate epoch->infinity to get the host clock or just the future out of the picture. > > + gpgsm --homedir "${GNUPGHOME}" --import > > "$TEST_DIRECTORY"/lib-gpg/gpgsm.crt.user && > > + gpgsm --homedir "${GNUPGHOME}" -K | grep > > fingerprint: | cut -d" " -f4 | tr -d '\n' > > > ${GNUPGHOME}/trustlist.txt && > > + echo " S relax" >> ${GNUPGHOME}/trustlist.txt && > > + (gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) && > > + echo hello | gpgsm --homedir "${GNUPGHOME}" -u > > committer@xxxxxxxxxxx -o /dev/null --sign - 2>&1 && > > + test_set_prereq GPGSM > > This &&-chain means we can't have GPGSM without GPG. In theory the two > could be tested independently. I don't know if it's worth the trouble > to make that work, though. I wouldn't be surprised if there are some > subtle dependencies within the test scripts, and I'm not sure how > common it is for somebody to have gpgsm and not gpg. So it may make > sense to just punt on it until such a person appears. As you found later, i already commented on that and do not think it is worth the effort. Users will be able to just have gpgsm, testers will need gpg to test gpgsm. > > test_expect_success GPG 'log --graph --show-signature' ' > > git log --graph --show-signature -n1 signed >actual && > > grep "^| gpg: Signature made" actual && > > grep "^| gpg: Good signature" actual > > ' > > > > +test_expect_success GPGSM 'log --graph --show-signature x509' ' > > + git log --graph --show-signature -n1 signed-x509 >actual && > > + grep "^| gpgsm: Signature made" actual && > > + grep "^| gpgsm: Good signature" actual > > +' > > We're going to have a lot of duplicated tests here. That's a > maintenance burden when one of them needs fixes later. And when new > tests are added, we won't automatically get them tested under each > format. > > Can we move the battery of tests into a function that takes a few > parameters (prereq name, branch to look at, etc) and then call it for > both the gpg/gpgsm cases? I guess this is part of the earlier "allow GPGSM without GPG" and i can ignore it if we agree that this is not needed? Henning > -Peff