test/crypto: add_gnupg_home should have ultimate trust on "its own" key
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Sat, 4 May 2019 21:33:28 +0000 (17:33 -0400)
committerDavid Bremner <david@tethera.net>
Tue, 7 May 2019 09:42:21 +0000 (06:42 -0300)
The typical use case for gpg is that if you control a secret key, you
mark it with "ultimate" ownertrust.

The opaque --import-ownertrust mechanism is GnuPG's standard mechanism
to set up ultimate ownertrust (the ":6:" means "ultimate", for
whatever reason).

We adjust the test suite to match this change, inverting the sense of
one test: since the default is now that the user ID of the suite's own
key is valid, we change the test to make sure that the user ID is not
emitted when it is *not* valid.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
test/T350-crypto.sh
test/test-lib.sh

index f31cd3d7be36ab64941c2d0b26880e55203eb955..3539bafe1afb1ee14189c9a504f9755247ecf898 100755 (executable)
@@ -40,7 +40,8 @@ expected='[[[{"id": "XXXXX",
  "body": [{"id": 1,
  "sigstatus": [{"status": "good",
  "fingerprint": "'$FINGERPRINT'",
- "created": 946728000}],
+ "created": 946728000,
+ "userid": "'"$SELF_USERID"'"}],
  "content-type": "multipart/signed",
  "content": [{"id": 2,
  "content-type": "text/plain",
@@ -135,11 +136,11 @@ test_expect_equal_json \
     "$output" \
     "$expected"
 
-test_begin_subtest "signature verification with full user ID validity"
-# give the key ultimate owner trust, which confers full validity on
-# all user IDs in the certificate:
-echo "${FINGERPRINT}:6:" | gpg --no-tty --import-ownertrust >>"$GNUPGHOME"/trust.log 2>&1
-gpg --no-tty --check-trustdb >>"$GNUPGHOME"/trust.log 2>&1
+test_begin_subtest "signature verification without full user ID validity"
+# give the key no owner trust, removes validity on all user IDs of the
+# certificate in the absence of other trusted certifiers:
+gpg --quiet --batch --no-tty --export-ownertrust > "$GNUPGHOME/ownertrust.bak"
+echo "${FINGERPRINT}:3:" | gpg --quiet --batch --no-tty --import-ownertrust
 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
     | notmuch_json_show_sanitize \
     | sed -e 's|"created": [1234567890]*|"created": 946728000|')
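Review bot: The ownertrust backup written just before the `${FINGERPRINT}:3:` import is never checked. If `--export-ownertrust` fails, `ownertrust.bak` is left empty, and the restore added after `test_expect_equal_json` in the later hunk becomes a silent no-op, so every following subtest runs with the suite's key still distrusted. A cheap guard right after the export would make that failure visible where it happens, e.g. `test -s "$GNUPGHOME/ownertrust.bak" || echo "ownertrust backup is empty" >&2`. The new comment would also read better if it named the value, e.g. `# set ownertrust to 3 (GnuPG's "never" level, as far as I know), which removes validity from all user IDs of the certificate in the absence of other trusted certifiers:`.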
@@ -157,8 +158,7 @@ expected='[[[{"id": "XXXXX",
  "body": [{"id": 1,
  "sigstatus": [{"status": "good",
  "fingerprint": "'$FINGERPRINT'",
- "created": 946728000,
- "userid": "'"$SELF_USERID"'"}],
+ "created": 946728000}],
  "content-type": "multipart/signed",
  "content": [{"id": 2,
  "content-type": "text/plain",
@@ -170,6 +170,7 @@ expected='[[[{"id": "XXXXX",
 test_expect_equal_json \
     "$output" \
     "$expected"
+gpg --quiet --batch --no-tty --import-ownertrust < "$GNUPGHOME/ownertrust.bak"
 
 test_begin_subtest "signature verification with signer key unavailable"
 # move the gnupghome temporarily out of the way
index b89da572e439f57a9c813659b1c7a3c3d8522684..54247a57c154ab234fd5779aedf40b0da823cbdd 100644 (file)
@@ -121,6 +121,7 @@ add_gnupg_home ()
     # Change this if we ship a new test key
     FINGERPRINT="5AEAB11F5E33DCE875DDB75B6D92612D94E46381"
     SELF_USERID="Notmuch Test Suite <test_suite@notmuchmail.org> (INSECURE!)"
+    printf '%s:6:\n' "$FINGERPRINT" | gpg --quiet --batch --no-tty --import-ownertrust
 }
 
 # Each test should start with something like this, after copyright notices:
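Review bot: The added `--import-ownertrust` line grants ultimate trust to a key whose secret half ships with the test suite (SELF_USERID itself says INSECURE!), and only the ambient `GNUPGHOME` keeps that grant inside the throwaway keyring. add_gnupg_home begins outside this hunk, so it is not visible here where `GNUPGHOME` is exported; it is worth confirming that this line can never run before that point, since otherwise the trust entry would land in the invoking user's own trustdb. The pipeline's exit status is also ignored, so a failed import would only show up later as a missing `userid` in the T350 JSON comparisons. A one-line comment above it, such as `# 6 = ultimate ownertrust: the suite controls this key, so its user IDs are valid by default`, would spare readers a trip to the commit message.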