From 338a8c38b89127172e337f08c453118f1e6cbb5f Mon Sep 17 00:00:00 2001
From: Jacob Bachmeyer <jcb@gnu.org>
Date: Sat, 12 Feb 2022 22:34:25 -0600
Subject: [PATCH] Add test for rejection of future directive signature
 timestamp

---
 testsuite/lib/upload.exp            |  6 +++++
 testsuite/upload.all/03_triplet.exp | 35 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/testsuite/lib/upload.exp b/testsuite/lib/upload.exp
index 53e2de8..93654f5 100644
--- a/testsuite/lib/upload.exp
+++ b/testsuite/lib/upload.exp
@@ -753,6 +753,12 @@ proc analyze_log { base_dir name assess } {
 		     set A(validate,signature-timestamp) 1
 		     exp_continue
 		 }
+	-re {^ftp-upload\[[0-9]+\]: \(Test\)\
+		 GPG signed upload from the future - not allowed[^\r\n]+} {
+		     # from read_directive_file, if signature timestamp bad
+		     set A(validate,future-signature-timestamp) 1
+		     exp_continue
+		 }
 
 	-re {^ftp-upload\[[0-9]+\]: \(Test\)\
 		 DEBUG: [^ ]+ size is [[:digit:]]+} {
diff --git a/testsuite/upload.all/03_triplet.exp b/testsuite/upload.all/03_triplet.exp
index ed2e60c..5a95f6b 100644
--- a/testsuite/upload.all/03_triplet.exp
+++ b/testsuite/upload.all/03_triplet.exp
@@ -419,6 +419,41 @@ check_triplet "bogus: signed but package has no email addresses" setup {
 }
 # TODO: should be validate,package-no-email instead of unknown-package here
 
+check_triplet "bogus: directive signature from the future" setup {
+    packages {
+	foo {
+	    email { "foo@example.org" }
+	    keys { { id 1000 name "foo <foo@example.gnu.org>" } }
+	    maintainers { "foo <foo@example.net>" }
+	}
+    }
+} upload {
+    foo.bin {
+	directive {
+	    version 1.2
+	    directory foo
+	    filename foo.bin
+	} dsig { good 05 1000 "3 days" }
+	file { test } fsig { good 06 1000 }
+    }
+} check {
+    file-tree {
+	{ incoming stage pub archive } empty {}
+	{ in-stage } files {
+	    foo.bin.directive.asc foo.bin.sig foo.bin
+	}
+    } log {
+	found,foo.bin.directive.asc "found directive in triplet"
+	found-triplet,foo.bin.directive.asc:foo.bin.sig:foo.bin \
+	    "found triplet"
+	validate,future-signature-timestamp \
+	    "reject upload from the future"
+    } email-to {
+	ftp-upload-script@gnu.org foo@example.gnu.org
+	ftp-upload-report@gnu.org foo@example.org foo@example.net
+    }
+}
+
 check_triplet "bogus: signed with wrong key" setup {
     packages {
 	foo {
-- 
2.25.1