OTA SIGN: Add static delta superblock signature tests

This new tests ensure:
- delta files with missing signature are not applied
- delta files with mismatching signature are not applied

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

run-test-signature.sh

@@ -4,6 +4,7 @@
 
 delta_no_sign="static-update-no_sign.bundle"
 delta_sign="static-update-sign.bundle"
+delta_no_superblock_sign="static-update-no_superblock_sign.bundle"
 apertis_pk="/usr/share/ostree/trusted.ed25519.d/apertis.ed25519"
 
 phase_boot()
@@ -60,6 +61,15 @@ phase_boot()
         --sign-type=ed25519 --sign=${ED25519SECRET} \
         --filename=${delta_sign}
 
+    # Additional non-signed superblock upgrade bundle
+    ostree static-delta generate \
+        --from=${OLDREV} \
+        --to=${CURREV} \
+        --inline \
+        --min-fallback-size=1024 \
+        --disable-bsdiff \
+        --filename=${delta_no_superblock_sign}
+
     # Additional non-signed upgrade bundle
     # Should not contain signed update
     LOCALREV=$(ostree commit --orphan --add-metadata-string=ostree.collection-binding="org.apertis.os" --bind-ref=$BRANCHNAME --tree=ref=$OLDREV)
@@ -105,12 +115,33 @@ phase_update()
     fi
 
     # Add the public key into the system
-    testname="test-sign-update"
     mkdir -p "/etc/ostree/trusted.ed25519.d"
     cp -av apertis.ed25519 /etc/ostree/trusted.ed25519.d/
+
+    # Signed commits but superblock not signed
+    # Update must fail
+    testname="test-sign-no_superblock_signature"
+    if ! apply_update_sync -d ${delta_no_superblock_sign} ; then
+        echo "${testname}: pass"
+    else
+        echo "${testname}: fail"
+        exit 1
+    fi
+
+    # Signed commits but superblock signed with unknown public key
+    # Update must fail
+    testname="test-sign-wrong_superblock_signature"
+    if ! apply_update_sync -d ${delta_sign} ; then
+        echo "${testname}: pass"
+    else
+        echo "${testname}: fail"
+        exit 1
+    fi
+
     # Add public key for static delta superblock verification
     cp -av superblock.ed25519 /etc/ostree/trusted.ed25519.d/
 
+    testname="test-sign-update"
     apply_update_sync -d ${delta_sign}
 
     sudo ostree admin status