From 213fbcceadcc811d23d515e0d33ebdbe85c21421 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Roth?=
Date: Mon, 26 Jan 2026 11:24:47 +0100
Subject: [PATCH] multi sign: add test
---
 system/files/aptly-dual.pub | 29 +++++++++
 system/files/aptly3.sec | 11 ++++
 system/lib.py | 3 +
 .../PublishAPITestDualSignature_Release.gpg | 14 +++++
 system/t12_api/publish.py | 61 +++++++++++++++++++
 5 files changed, 118 insertions(+)
 create mode 100644 system/files/aptly-dual.pub
 create mode 100644 system/files/aptly3.sec
 create mode 100644 system/t12_api/PublishAPITestDualSignature_Release.gpg
diff --git a/system/files/aptly-dual.pub b/system/files/aptly-dual.pub
new file mode 100644
index 00000000..7a7d1e92
--- /dev/null
+++ b/system/files/aptly-dual.pub
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGiBFL7pY8RBAC5uHg/9AuGJ7EF7RYty89IDLeqvlPe710eDQpJ+itsOaA/5rr3
+IV1LMlqHpM2rkZkAPpARwjrga2ByJ1ww77Zq2uPqJIO2LZYWTLXic9Zity2OVu3Z
+XwtdsqagIMfT5dAgNmhe5lL7qgGUwYcFFa52s7U4qO0z2FfwHW1IQrnMpwCg5RQh
+Uqs5iUKdDtoeQjX5mWgQhjEEAI1zfXUvvcOrRsDlGNKYZigZiWC6J46jeR8Nnf9C
+WwhXS2fzQaJyDq9DorkvPZgWUAaLLCdfGETqLzDKajynhS1+OnfFQNzvkvEPRBSb
+C5k+GOF2E1E9rGXb31+1XZTcdIprp4/F3RNLLWNUwfgPLWJx9NzHTYqgBStecHkC
+ySZRA/9PNFAbeJZ27HNuzoGnAa0piZDLeAAHsM1V6cosMh7U1IZqjZcrMC9YXNxH
+2D90PvoBvpufCMRzL/fOVPT1JzQGYoKIX17Nmzvdq/a4YyLWRODjvWXd94bae2Xd
+Vy03DYhfp8VOVJW6HuAX9JN6MKXSNxaibgOPjU822Hxd1iCIQ7QtQXB0bHkgVGVz
+dGVyIChkb24ndCB1c2UgaXQpIDx0ZXN0QGFwdGx5LmluZm8+iGIEExECACIFAlL7
+pY8CGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECHbuJwW2z5t2sQAoNn+
+0cADZa66HZNY2qJi44Oq4hjaAJsHzj9JKAHEpdix5N7b6QvaZQZYhrkBDQRS+6WP
+EAQA9BX+kbIM6VJYoyY9vUHXfAF4E2y2M7vl9knZ+jMPfMbI7dE3gRJQb3mngST5
+7eZWawo1DNE6h3LbHsB4mpro9XLUXUMBgXRsOq4D5E0ygvDZ/tJhy0AwFiTOXKEs
+/erzmbF7j/TWh4LVHXFI9DrnN0+EeF/mQC/wzX7WGCKe70cAAwUEAMr7959zUYNp
+E3v4IquIJpD22bT/FiyQjFG8yGy36c+7mOP3VWi0lz5yFqqeR9NDFuLDSwOEi0nB
+zXNmimLy+hIwMaHjbQLjLODmy/T9wKCgeAmK1ygT6YBGJJflThZ05M80T5hBtRA9
+z2eoTn0wbi6MLmD/rbEt+lUPfSA4V0t2iEkEGBECAAkFAlL7pY8CGwwACgkQIdu4
+nBbbPm05hgCgvYatZXRbEdZ91jJCQi1KI7lJ5Y8AnjvrHU0g84mE45QZFegZzzQo
+9relmDMEZ3YCRhYJKwYBBAHaRw8BAQdAYDU0VSBcurX+uqAeR/w/XOLSZcghvOqz
+Y8yWdcj3HUy0L0FwdGx5IFNlY29uZGFyeSBTaWduaW5nIEtleSA8YXB0bHlAZXhh
+bXBsZS5jb20+iJYEExYKAD4WIQSu4W3wGDVPZ/5fXHK79OGUNOkeTgUCZ3YCRgIb
+AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC79OGUNOkeTid/AP9A
+kIMn2qI5TqZgzrnPt7SN16VvpMppPb2H0m0P6knQKQD8DHcLcrqAl2cjcEuntv75
+gOnEvmPDAO6S1rc8UgcWdQQ=
+=XPoo
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/system/files/aptly3.sec b/system/files/aptly3.sec
new file mode 100644
index 00000000..cba4b2f1
--- /dev/null
+++ b/system/files/aptly3.sec
@@ -0,0 +1,11 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lFgEZ3YCRhYJKwYBBAHaRw8BAQdAYDU0VSBcurX+uqAeR/w/XOLSZcghvOqzY8yW
+dcj3HUwAAP9lsZgE1YQfaS9xfVOSi3f91lbq13+U9FPdwxfiET0+bBFrtC9BcHRs
+eSBTZWNvbmRhcnkgU2lnbmluZyBLZXkgPGFwdGx5QGV4YW1wbGUuY29tPoiWBBMW
+CgA+FiEEruFt8Bg1T2f+X1xyu/ThlDTpHk4FAmd2AkYCGwMFCQPCZwAFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQu/ThlDTpHk4nfwD/QJCDJ9qiOU6mYM65z7e0
+jdelb6TKaT29h9JtD+pJ0CkA/Ax3C3K6gJdnI3BLp7b++YDpxL5jwwDukta3PFIH
+FnUE
+=IXTY
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/system/lib.py b/system/lib.py
index ff9c890c..6b79d3de 100644
--- a/system/lib.py
+++ b/system/lib.py
@@ -272,6 +272,9 @@ class BaseTest(object):
 self.run_cmd([ self.gpgFinder.gpg2, "--import", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files") + "/aptly.sec"], expected_code=None) + self.run_cmd([ + self.gpgFinder.gpg2, "--import", + os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files") + "/aptly3.sec"], expected_code=None) if self.fixtureGpg: self.run_cmd([self.gpgFinder.gpg, "--no-default-keyring", "--trust-model", "always", "--batch", "--keyring", "aptlytest.gpg", "--import"] +
diff --git a/system/t12_api/PublishAPITestDualSignature_Release.gpg b/system/t12_api/PublishAPITestDualSignature_Release.gpg
new file mode 100644
index 00000000..24381472
--- /dev/null
+++ b/system/t12_api/PublishAPITestDualSignature_Release.gpg
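Review bot: The secret key added in `aptly3.sec` looks usable without a passphrase (the setup imports it with a plain `gpg2 --import` and the test signs non-interactively), yet its user ID, shown in the expected output as "Aptly Secondary Signing Key", does not mark it as a test key. The existing fixture key is labelled "Aptly Tester (don't use it)"; a similar user ID on the new key would make it harder to mistake fingerprint AEE16DF018354F67FE5F5C72BBF4E19434E91E4E for a real signing key if it ever ends up in a production keyring or apt trust store.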
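Review bot: The added `gpg2 --import` of `aptly3.sec` passes `expected_code=None`, which appears to disable the exit-code check, so a failed import is not reported here and would presumably only show up later as a signing error in PublishAPITestDualSignature. The second secret key also lands in the keyring for every test that runs this setup, so tests that sign without an explicit `GPGKey` now depend on which key gpg picks by default; a comment such as `# aptly.sec is imported first and must remain the default signing key` would record that assumption. The repeated path expression could be folded into a loop, `for key in ("aptly.sec", "aptly3.sec"):` with `os.path.join(files_dir, key)` as the import argument. The enclosing method starts and ends outside the hunk.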
@@ -0,0 +1,14 @@
+gpg: Signature made Mon Jan 26 10:18:32 2026 UTC
+gpg: using DSA key C5ACD2179B5231DFE842EE6121DBB89C16DB3E6D
+gpg: checking the trustdb
+gpg: no ultimately trusted keys found
+gpg: Good signature from "Aptly Tester (don't use it) " [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: C5AC D217 9B52 31DF E842 EE61 21DB B89C 16DB 3E6D
+gpg: Signature made Mon Jan 26 10:18:32 2026 UTC
+gpg: using EDDSA key AEE16DF018354F67FE5F5C72BBF4E19434E91E4E
+gpg: Good signature from "Aptly Secondary Signing Key " [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: AEE1 6DF0 1835 4F67 FE5F 5C72 BBF4 E194 34E9 1E4E
diff --git a/system/t12_api/publish.py b/system/t12_api/publish.py
index 82751579..28954de1 100644
--- a/system/t12_api/publish.py
+++ b/system/t12_api/publish.py
@@ -1,6 +1,7 @@
 import inspect import os import threading +import re from api_lib import TASK_SUCCEEDED, APITest 
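Review bot: The lines `gpg: checking the trustdb` and `gpg: no ultimately trusted keys found` in this expected output reflect keyring state rather than the signatures, since gpg prints them only when it decides the trust database needs a check. The only normalisation visible in the test is `re.sub(r'Signature made .*', '', s)`, so a run in which gpg skips that check would presumably fail the comparison. Dropping the two lines here and stripping them in `match_prepare` as well, for example with `re.sub(r'gpg: (checking the trustdb|no ultimately trusted keys found)\n', '', s)`, would keep the gold file to what the test is meant to assert: two good signatures with the expected fingerprints.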
@@ -1557,3 +1558,63 @@ class PublishUpdateSourcesAPITestRepo(APITest): all_repos = self.get("/api/publish") self.check_equal(all_repos.status_code, 200) self.check_in(repo_expected, all_repos.json()) + + +class PublishAPITestDualSignature(APITest): + """ + POST /publish/:prefix (local repos), GET /publish + """ + fixtureGpg = True + + def check(self): + repo_name = self.random_name() + self.check_equal(self.post( + "/api/repos", json={"Name": repo_name, "DefaultDistribution": "wheezy"}).status_code, 201) + + d = self.random_name() + self.check_equal(self.upload("/api/files/" + d, + "libboost-program-options-dev_1.49.0.1_i386.deb", "pyspi_0.6.1-1.3.dsc", + "pyspi_0.6.1-1.3.diff.gz", "pyspi_0.6.1.orig.tar.gz", + "pyspi-0.6.1-1.3.stripped.dsc").status_code, 200) + + task = self.post_task("/api/repos/" + repo_name + "/file/" + d) + self.check_task(task) + + # publishing under prefix, default distribution + prefix = self.random_name() + task = self.post_task( + "/api/publish/" + prefix, + json={ + "SourceKind": "local", + "Sources": [{"Name": repo_name}], + "Signing": {"GPGKey": "C5ACD2179B5231DFE842EE6121DBB89C16DB3E6D,AEE16DF018354F67FE5F5C72BBF4E19434E91E4E"}, + } + ) + self.check_task(task) + repo_expected = { + 'AcquireByHash': False, + 'Architectures': ['i386', 'source'], + 'Codename': '', + 'Distribution': 'wheezy', + 'Label': '', + 'Origin': '', + 'NotAutomatic': '', + 'ButAutomaticUpgrades': '', + 'Path': prefix + '/' + 'wheezy', + 'Prefix': prefix, + 'SignedBy': '', + 'SkipContents': False, + 'MultiDist': False, + 'SourceKind': 'local', + 'Sources': [{'Component': 'main', 'Name': repo_name}], + 'Storage': '', + 'Suite': ''} + + all_repos = self.get("/api/publish") + self.check_equal(all_repos.status_code, 200) + self.check_in(repo_expected, all_repos.json()) + + self.check_exists("public/" + prefix + "/dists/wheezy/Release") + path = os.path.join(os.environ["HOME"], self.aptlyDir, "public", prefix, "dists/wheezy") + self.check_cmd_output(f"gpg --verify 
{path}/Release.gpg {path}/Release", "Release.gpg", + match_prepare=lambda s: re.sub(r'Signature made .*', '', s))
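Review bot: Only the detached `Release.gpg` is verified at the end of `check`, so the test would still pass if the clearsigned `InRelease` (which aptly normally publishes alongside it) carried just one of the two signatures. Adding `self.check_exists("public/" + prefix + "/dists/wheezy/InRelease")` and a `gpg --verify {path}/InRelease` comparison against its own gold file would cover that. The class docstring appears to be copied from the single-key publish test; something like `"""POST /publish/:prefix with two comma-separated GPGKey fingerprints; Release.gpg must carry both signatures"""` would describe what is being asserted.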