@@ -14,6 +14,7 @@ import (
1414 "testing"
1515
1616 "github.com/bazelbuild/bazelisk/config"
17+ "github.com/bazelbuild/bazelisk/httputil/httputil_test_helper"
1718 "github.com/bazelbuild/bazelisk/platforms"
1819)
1920
@@ -888,3 +889,83 @@ func TestRunBazeliskWithStderrRedirection(t *testing.T) {
888889 t .Error ("stdout content should not appear in stderr" )
889890 }
890891}
892+
893+ func TestVerifyBinaryAuthenticity (t * testing.T ) {
894+ tmpDir , err := os .MkdirTemp ("" , "TestVerifyBinaryAuthenticity" )
895+ if err != nil {
896+ t .Fatalf ("Failed to create temp dir: %v" , err )
897+ }
898+ defer os .RemoveAll (tmpDir )
899+
900+ key , err := httputil_test_helper .GenerateTestKey ("Bazelisk Test" , "test@bazel.build" )
901+ if err != nil {
902+ t .Fatalf ("Failed to generate test key: %v" , err )
903+ }
904+
905+ binaryPath := filepath .Join (tmpDir , "bazel" )
906+ content := []byte ("binary content" )
907+ if err := os .WriteFile (binaryPath , content , 0644 ); err != nil {
908+ t .Fatalf ("Failed to write binary: %v" , err )
909+ }
910+
911+ signature , err := httputil_test_helper .SignMessage (content , key )
912+ if err != nil {
913+ t .Fatalf ("Failed to sign message: %v" , err )
914+ }
915+ signaturePath := binaryPath + ".sig"
916+ if err := os .WriteFile (signaturePath , []byte (signature ), 0644 ); err != nil {
917+ t .Fatalf ("Failed to write signature: %v" , err )
918+ }
919+
920+ keyPath := filepath .Join (tmpDir , "key.pub" )
921+ if err := os .WriteFile (keyPath , []byte (key ), 0644 ); err != nil {
922+ t .Fatalf ("Failed to write key: %v" , err )
923+ }
924+
925+ t .Run ("ValidSignatureWithKeyFile" , func (t * testing.T ) {
926+ cfg := config .Static (map [string ]string {
927+ "BAZELISK_VERIFICATION_KEY_FILE" : keyPath ,
928+ })
929+ err := verifyBinaryAuthenticity (binaryPath , signaturePath , cfg )
930+ if err != nil {
931+ t .Errorf ("verifyBinaryAuthenticity failed: %v" , err )
932+ }
933+ })
934+
935+ t .Run ("NoSignatureVerification" , func (t * testing.T ) {
936+ cfg := config .Static (map [string ]string {
937+ "BAZELISK_NO_SIGNATURE_VERIFICATION" : "1" ,
938+ })
939+ // Use invalid signature path, should still pass because verification is skipped
940+ err := verifyBinaryAuthenticity (binaryPath , "nonexistent.sig" , cfg )
941+ if err != nil {
942+ t .Errorf ("verifyBinaryAuthenticity should have skipped verification: %v" , err )
943+ }
944+ })
945+
946+ t .Run ("InvalidSignature" , func (t * testing.T ) {
947+ cfg := config .Static (map [string ]string {
948+ "BAZELISK_VERIFICATION_KEY_FILE" : keyPath ,
949+ })
950+ wrongContent := []byte ("wrong content" )
951+ wrongBinaryPath := filepath .Join (tmpDir , "bazel_wrong" )
952+ if err := os .WriteFile (wrongBinaryPath , wrongContent , 0644 ); err != nil {
953+ t .Fatalf ("Failed to write wrong binary: %v" , err )
954+ }
955+
956+ err := verifyBinaryAuthenticity (wrongBinaryPath , signaturePath , cfg )
957+ if err == nil {
958+ t .Error ("Expected error for invalid signature, but got none" )
959+ }
960+ })
961+
962+ t .Run ("MissingKeyFile" , func (t * testing.T ) {
963+ cfg := config .Static (map [string ]string {
964+ "BAZELISK_VERIFICATION_KEY_FILE" : "nonexistent.key" ,
965+ })
966+ err := verifyBinaryAuthenticity (binaryPath , signaturePath , cfg )
967+ if err == nil {
968+ t .Error ("Expected error for missing key file, but got none" )
969+ }
970+ })
971+ }
0 commit comments