From 86f03ba7870ddf674881d51b6981250b30a4ddaa Mon Sep 17 00:00:00 2001 From: Deivid Soto Date: Thu, 4 Jun 2026 08:35:46 +0200 Subject: [PATCH] test(upgrade): disable signature check in checksum-matching tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TestVerifyChecksumWithHTTPTest and TestVerifyChecksumCaseInsensitive predate release signing (commit 1757bda baked the release pubkey). With the pubkey set, verifyChecksum now requires a valid checksums.txt.sig and fails at signature decode before reaching the SHA256 comparison these tests assert. They exercise the checksum-matching path only, so clear releasePubKeyBase64 for their duration (t.Cleanup restore) — mirroring the existing pattern in signature_test.go. The signature path itself keeps its dedicated coverage there. No production change. --- internal/upgrade/upgrade_test.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/internal/upgrade/upgrade_test.go b/internal/upgrade/upgrade_test.go index 18cde17..772e3c4 100644 --- a/internal/upgrade/upgrade_test.go +++ b/internal/upgrade/upgrade_test.go @@ -678,6 +678,16 @@ func TestVerifyChecksumWithHTTPTest(t *testing.T) { t.Skip("tar.gz test only on unix") } + // This test predates release signing and exercises the checksum-MATCHING + // logic only. With the baked release pubkey set, verifyChecksum now requires a + // valid checksums.txt.sig and fails at signature decode before reaching the + // SHA256 comparison these cases assert. Disable signature verification here + // (empty pubkey → loadReleasePubKey returns nil → step skipped); the signature + // path has dedicated coverage in signature_test.go. Pattern mirrors that file. + prevPubKey := releasePubKeyBase64 + releasePubKeyBase64 = "" + t.Cleanup(func() { releasePubKeyBase64 = prevPubKey }) + // Create a fake archive file dir := t.TempDir() archiveContent := []byte("archive-content-for-checksum-test") @@ -792,6 +802,13 @@ func TestVerifyChecksumCaseInsensitive(t *testing.T) { t.Skip("tar.gz test only on unix") } + // Predates release signing; tests checksum matching only. Disable signature + // verification (see TestVerifyChecksumWithHTTPTest) so it reaches the SHA256 + // comparison instead of failing on the absent .sig. + prevPubKey := releasePubKeyBase64 + releasePubKeyBase64 = "" + t.Cleanup(func() { releasePubKeyBase64 = prevPubKey }) + dir := t.TempDir() archiveContent := []byte("case-insensitive-hash-test") archivePath := filepath.Join(dir, "archive.tar.gz")