InRelease file: support Signed-By field

https://wiki.debian.org/DebianRepository/Format#Signed-By says:
> **Signed-By**
> An optional field containing a comma separated list of
> OpenPGP key fingerprints to be used for validating
> the next Release file. The fingerprints must consist
> only of hex digits and may not contain spaces.
> The fingerprint specifies either the key the Release file
> must be signed with or the key the signature key must be
> a subkey of. The later match can be disabled by appending
> an exclamation mark to the fingerprint.
>
> If the field is present, a client should only accept future updates
> to the repository that are signed with keys listed in the field.
> The field should be ignored if the Valid-Until field is not present
> or if it is expired.

For both the CLI tools and JSON, the field is taken as a string verbatim.

When specified, we must also provide `Valid-Until` field,
and i'm not sure there is an 'infinity' value for it,
so 100 years will have to do?

Fixes https://github.com/aptly-dev/aptly/issues/1497

system/t06_publish/PublishList5Test_gold

@@ -14,6 +14,7 @@
     "Origin": "LP-PPA-gladky-anton-gnuplot",
     "Path": "./maverick",
     "Prefix": ".",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [
@@ -39,6 +40,7 @@
     "Origin": "",
     "Path": "ppa/smira/wheezy",
     "Prefix": "ppa/smira",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [
@@ -65,6 +67,7 @@
     "Origin": "origin1",
     "Path": "ppa/tr1/maverick",
     "Prefix": "ppa/tr1",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [
@@ -91,6 +94,7 @@
     "Origin": "",
     "Path": "ppa/tr2/maverick",
     "Prefix": "ppa/tr2",
+    "SignedBy": "",
     "SkipContents": false,
     "SourceKind": "snapshot",
     "Sources": [

system/t06_publish/PublishRepo35Test_gold

@@ -0,0 +1,14 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+
+Local repo local-repo has been successfully published.
+Please setup your webserver to serve directory '${HOME}/.aptly/public' with autoindexing.
+Now you can add following line to apt sources:
+  deb http://your-server/ maverick contrib
+  deb-src http://your-server/ maverick contrib
+Don't forget to add your GPG key to apt with apt-key.
+
+You can also use `aptly serve` to publish your repositories over HTTP quickly.

system/t06_publish/PublishRepo35Test_release

@@ -0,0 +1,12 @@
+Origin: . maverick
+Label: label35
+Suite: maverick
+Codename: maverick
+Signed-By: comma,separated,string
+Architectures: i386
+Components: contrib
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512:

system/t06_publish/PublishShow3Test_gold

@@ -13,6 +13,7 @@
   "Origin": "LP-PPA-gladky-anton-gnuplot",
   "Path": "./maverick",
   "Prefix": ".",
+  "SignedBy": "",
   "SkipContents": false,
   "SourceKind": "snapshot",
   "Sources": [

system/t06_publish/PublishShow4Test_gold

@@ -13,6 +13,7 @@
   "Origin": "LP-PPA-gladky-anton-gnuplot",
   "Path": "ppa/smira/maverick",
   "Prefix": "ppa/smira",
+  "SignedBy": "",
   "SkipContents": false,
   "SourceKind": "snapshot",
   "Sources": [

system/t06_publish/PublishSnapshot43Test_gold

@@ -0,0 +1,13 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+
+Snapshot snap43 has been successfully published.
+Please setup your webserver to serve directory '/home/runner/.aptly/public' with autoindexing.
+Now you can add following line to apt sources:
+  deb http://your-server/ maverick main
+Don't forget to add your GPG key to apt with apt-key.
+
+You can also use `aptly serve` to publish your repositories over HTTP quickly.

system/t06_publish/PublishSnapshot43Test_release

@@ -0,0 +1,12 @@
+Origin: LP-PPA-gladky-anton-gnuplot
+Label: . maverick
+Suite: maverick
+Codename: maverick
+Signed-By: string,separated,by,commas
+Architectures: amd64 i386
+Components: main
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512:

system/t06_publish/PublishSwitch17Test_gold

@@ -0,0 +1,9 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+Cleaning up published repository ./maverick...
+Cleaning up component 'main'...
+
+Published snapshot repository ./maverick (origin: LP-PPA-gladky-anton-gnuplot) [amd64, i386] publishes {main: [snap2]: Snapshot from mirror [gnuplot-maverick]: http://ppa.launchpad.net/gladky-anton/gnuplot/ubuntu/ maverick} has been successfully switched to new source.

system/t06_publish/PublishSwitch17Test_release

@@ -0,0 +1,12 @@
+Origin: LP-PPA-gladky-anton-gnuplot
+Label: . maverick
+Suite: maverick
+Codename: maverick
+Signed-By: a,string
+Architectures: amd64 i386
+Components: main
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512:

system/t06_publish/PublishUpdate19Test_gold

@@ -0,0 +1,9 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+Cleaning up published repository ./maverick...
+Cleaning up component 'main'...
+
+Published local repository ./maverick [i386, source] publishes {main: [local-repo]} has been updated successfully.

system/t06_publish/PublishUpdate19Test_release

@@ -0,0 +1,12 @@
+Origin: . maverick
+Label: . maverick
+Suite: maverick
+Codename: maverick
+Signed-By: some,string
+Architectures: i386
+Components: main
+Description: Generated by aptly
+MD5Sum:
+SHA1:
+SHA256:
+SHA512:

system/t06_publish/repo.py

@@ -6,7 +6,7 @@ from lib import BaseTest, ungzip_if_required
 
 
 def strip_processor(output):
-    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:')])
+    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:') and not l.startswith('Valid-Until:')])
 
 
 class PublishRepo1Test(BaseTest):
@@ -951,3 +951,22 @@ class PublishRepo34Test(BaseTest):
 
         if 'main/dep11/README' not in pathsSeen:
             raise Exception("README file not included in release file")
+
+
+class PublishRepo35Test(BaseTest):
+    """
+    publish repo: signed-by
+    """
+    fixtureCmds = [
+        "aptly repo create local-repo",
+        "aptly repo add local-repo ${files}",
+    ]
+    runCmd = "aptly publish repo -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -distribution=maverick -component=contrib -label=label35 -signed-by=comma,separated,string local-repo"
+    gold_processor = BaseTest.expand_environ
+
+    def check(self):
+        super(PublishRepo35Test, self).check()
+
+        # verify contents except of sums
+        self.check_file_contents(
+            'public/dists/maverick/Release', 'release', match_prepare=strip_processor)

system/t06_publish/snapshot.py

@@ -6,7 +6,7 @@ from lib import BaseTest, ungzip_if_required
 
 
 def strip_processor(output):
-    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:')])
+    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:') and not l.startswith('Valid-Until:')])
 
 
 def sorted_processor(output):
@@ -1419,3 +1419,23 @@ class PublishSnapshot42Test(BaseTest):
             'public/pool/main/g/gnuplot/gnuplot-doc_4.6.1-1~maverick2_all.deb')
         self.check_exists(
             'public/pool/maverick/main/g/gnuplot/gnuplot-doc_4.6.1-1~maverick2_all.deb')
+
+
+class PublishSnapshot43Test(BaseTest):
+    """
+    publish snapshot: signed-by
+    """
+    fixtureDB = True
+    fixturePool = True
+    fixtureCmds = [
+        "aptly snapshot create snap43 from mirror gnuplot-maverick",
+    ]
+    sortOutput = True
+    runCmd = "aptly publish snapshot -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -signed-by=string,separated,by,commas snap43"
+    gold_processor = BaseTest.expand_environ
+
+    def check(self):
+        super(PublishSnapshot43Test, self).check()
+
+        self.check_file_contents(
+            'public/dists/maverick/Release', 'release', match_prepare=strip_processor)

system/t06_publish/switch.py

@@ -5,7 +5,7 @@ from lib import BaseTest
 
 
 def strip_processor(output):
-    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:')])
+    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:') and not l.startswith('Valid-Until:')])
 
 
 class PublishSwitch1Test(BaseTest):
@@ -603,3 +603,23 @@ class PublishSwitch16Test(BaseTest):
         self.check_exists('public/dists/bookworm/main/binary-amd64/Packages.gz')
 
         self.check_exists('public/pool/bookworm/main/g/gnuplot/gnuplot-x11_4.6.1-1~maverick2_amd64.deb')
+
+
+class PublishSwitch17Test(BaseTest):
+    """
+    publish switch: signed-by
+    """
+    fixtureDB = True
+    fixturePool = True
+    fixtureCmds = [
+        "aptly snapshot create snap1 from mirror gnuplot-maverick",
+        "aptly snapshot create snap2 from mirror gnuplot-maverick",
+        "aptly publish snapshot -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -distribution=maverick snap1",
+    ]
+    runCmd = "aptly publish switch -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -signed-by=a,string maverick snap2"
+    gold_processor = BaseTest.expand_environ
+
+    def check(self):
+        super(PublishSwitch17Test, self).check()
+
+        self.check_file_contents('public/dists/maverick/Release', 'release', match_prepare=strip_processor)

system/t06_publish/update.py

@@ -5,7 +5,7 @@ from lib import BaseTest
 
 
 def strip_processor(output):
-    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:')])
+    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:') and not l.startswith('Valid-Until:')])
 
 
 class PublishUpdate1Test(BaseTest):
@@ -606,3 +606,22 @@ class PublishUpdate18Test(BaseTest):
         components = sorted(components.split(' '))
         if ['other-test', 'test'] != components:
             raise Exception("value of 'Components' in release file is '%s' and does not match '%s'." % (' '.join(components), 'other-test test'))
+
+
+class PublishUpdate19Test(BaseTest):
+    """
+    publish update: signed-by
+    """
+    fixtureCmds = [
+        "aptly repo create local-repo",
+        "aptly repo add local-repo ${files}/",
+        "aptly publish repo -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -distribution=maverick local-repo",
+        "aptly repo remove local-repo pyspi"
+    ]
+    runCmd = "aptly publish update -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -signed-by=some,string maverick"
+    gold_processor = BaseTest.expand_environ
+
+    def check(self):
+        super(PublishUpdate19Test, self).check()
+
+        self.check_file_contents('public/dists/maverick/Release', 'release', match_prepare=strip_processor)