go-scm/manifest/sign_test.go

// SPDX-License-Identifier: EUPL-1.2

package manifest

import (
	"crypto/ed25519"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestSignAndVerify_Good(t *testing.T) {
	pub, priv, err := ed25519.GenerateKey(nil)
	require.NoError(t, err)

	m := &Manifest{
		Code:    "test-app",
		Name:    "Test App",
		Version: "1.0.0",
		Layout:  "HLCRF",
		Slots:   map[string]string{"C": "main"},
	}

	err = Sign(m, priv)
	require.NoError(t, err)
	assert.NotEmpty(t, m.Sign)

	ok, err := Verify(m, pub)
	require.NoError(t, err)
	assert.True(t, ok)
}

func TestVerify_Bad_Tampered_Good(t *testing.T) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	m := &Manifest{Code: "test-app", Version: "1.0.0"}
	_ = Sign(m, priv)

	m.Code = "evil-app" // tamper

	ok, err := Verify(m, pub)
	require.NoError(t, err)
	assert.False(t, ok)
}

func TestVerify_Bad_Unsigned_Good(t *testing.T) {
	pub, _, _ := ed25519.GenerateKey(nil)
	m := &Manifest{Code: "test-app"}

	ok, err := Verify(m, pub)
	assert.Error(t, err)
	assert.False(t, ok)
}

func TestSign_Bad_InvalidPrivateKey_Good(t *testing.T) {
	m := &Manifest{Code: "test-app", Version: "1.0.0"}

	err := Sign(m, ed25519.PrivateKey([]byte("short")))
	assert.Error(t, err)
	assert.Contains(t, err.Error(), "invalid private key length")
	assert.Empty(t, m.Sign)
}

func TestSign_Bad_NilManifest_Good(t *testing.T) {
	err := Sign(nil, ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize)))
	assert.Error(t, err)
	assert.Contains(t, err.Error(), "nil manifest")
}

func TestVerify_Bad_NilManifest_Good(t *testing.T) {
	ok, err := Verify(nil, ed25519.PublicKey(make([]byte, ed25519.PublicKeySize)))
	assert.Error(t, err)
	assert.False(t, ok)
	assert.Contains(t, err.Error(), "nil manifest")
}

func TestVerify_Bad_InvalidPublicKey_Good(t *testing.T) {
	m := &Manifest{Code: "test-app", Sign: "c2ln"}

	ok, err := Verify(m, ed25519.PublicKey([]byte("short")))
	assert.Error(t, err)
	assert.False(t, ok)
	assert.Contains(t, err.Error(), "invalid public key length")
}
chore(ax): normalize SPDX header identifier 2026-03-30 00:54:20 +00:00			`// SPDX-License-Identifier: EUPL-1.2`
chore(ax): add SPDX headers to remaining Go files 2026-03-30 00:19:43 +00:00
feat: add manifest, marketplace, plugin, repos subpackages Extracted from core/go pkg/{manifest,marketplace,plugin,repos}. Also swapped agentci/forge/gitea config imports to go-config. These packages handle package manifests, marketplace installation, plugin lifecycle, and multi-repo registry management. Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-06 13:20:12 +00:00			`package manifest`

			`import (`
			`"crypto/ed25519"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestSignAndVerify_Good(t *testing.T) {`
			`pub, priv, err := ed25519.GenerateKey(nil)`
			`require.NoError(t, err)`

			`m := &Manifest{`
			`Code: "test-app",`
			`Name: "Test App",`
			`Version: "1.0.0",`
			`Layout: "HLCRF",`
			`Slots: map[string]string{"C": "main"},`
			`}`

			`err = Sign(m, priv)`
			`require.NoError(t, err)`
			`assert.NotEmpty(t, m.Sign)`

			`ok, err := Verify(m, pub)`
			`require.NoError(t, err)`
			`assert.True(t, ok)`
			`}`

chore(ax): normalise test naming and usage annotations Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-30 06:37:20 +00:00			`func TestVerify_Bad_Tampered_Good(t *testing.T) {`
feat: add manifest, marketplace, plugin, repos subpackages Extracted from core/go pkg/{manifest,marketplace,plugin,repos}. Also swapped agentci/forge/gitea config imports to go-config. These packages handle package manifests, marketplace installation, plugin lifecycle, and multi-repo registry management. Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-06 13:20:12 +00:00			`pub, priv, _ := ed25519.GenerateKey(nil)`
			`m := &Manifest{Code: "test-app", Version: "1.0.0"}`
			`_ = Sign(m, priv)`

			`m.Code = "evil-app" // tamper`

			`ok, err := Verify(m, pub)`
			`require.NoError(t, err)`
			`assert.False(t, ok)`
			`}`

chore(ax): normalise test naming and usage annotations Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-30 06:37:20 +00:00			`func TestVerify_Bad_Unsigned_Good(t *testing.T) {`
feat: add manifest, marketplace, plugin, repos subpackages Extracted from core/go pkg/{manifest,marketplace,plugin,repos}. Also swapped agentci/forge/gitea config imports to go-config. These packages handle package manifests, marketplace installation, plugin lifecycle, and multi-repo registry management. Co-Authored-By: Virgil <virgil@lethean.io> 2026-03-06 13:20:12 +00:00			`pub, _, _ := ed25519.GenerateKey(nil)`
			`m := &Manifest{Code: "test-app"}`

			`ok, err := Verify(m, pub)`
			`assert.Error(t, err)`
			`assert.False(t, ok)`
			`}`
fix(manifest): validate signing inputs Co-Authored-By: Virgil <virgil@lethean.io> 2026-04-02 14:30:04 +00:00
			`func TestSign_Bad_InvalidPrivateKey_Good(t *testing.T) {`
			`m := &Manifest{Code: "test-app", Version: "1.0.0"}`

			`err := Sign(m, ed25519.PrivateKey([]byte("short")))`
			`assert.Error(t, err)`
			`assert.Contains(t, err.Error(), "invalid private key length")`
			`assert.Empty(t, m.Sign)`
			`}`

			`func TestSign_Bad_NilManifest_Good(t *testing.T) {`
			`err := Sign(nil, ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize)))`
			`assert.Error(t, err)`
			`assert.Contains(t, err.Error(), "nil manifest")`
			`}`

			`func TestVerify_Bad_NilManifest_Good(t *testing.T) {`
			`ok, err := Verify(nil, ed25519.PublicKey(make([]byte, ed25519.PublicKeySize)))`
			`assert.Error(t, err)`
			`assert.False(t, ok)`
			`assert.Contains(t, err.Error(), "nil manifest")`
			`}`
fix(manifest): reject invalid public keys in verify Co-Authored-By: Virgil <virgil@lethean.io> 2026-04-02 14:36:38 +00:00
			`func TestVerify_Bad_InvalidPublicKey_Good(t *testing.T) {`
			`m := &Manifest{Code: "test-app", Sign: "c2ln"}`

			`ok, err := Verify(m, ed25519.PublicKey([]byte("short")))`
			`assert.Error(t, err)`
			`assert.False(t, ok)`
			`assert.Contains(t, err.Error(), "invalid public key length")`
			`}`