kit

run.sh (29225B)

---

 #!/bin/sh
 # Driver-level checks for kit pkg distribution formats.
 
 set -u
 
 script_dir=$(cd "$(dirname "$0")" && pwd)
 repo_root=$(cd "$script_dir/../.." && pwd)
 
 KIT="${KIT:-$repo_root/build/kit}"
 
 if [ ! -x "$KIT" ]; then
     echo "pkg: kit binary not found at $KIT" >&2
     exit 2
 fi
 
 work=$(mktemp -d "${TMPDIR:-/tmp}/kit-pkg-test.XXXXXX")
 trap 'rm -rf "$work"' EXIT
 
 HOME="$work/home"
 KIT_TRUSTED_KEYS="$work/trusted_keys"
 SOURCE_DATE_EPOCH=1
 export HOME KIT_TRUSTED_KEYS SOURCE_DATE_EPOCH
 mkdir -p "$HOME" "$work/in" "$work/pkg" "$work/unpack" "$work/cas"
 
 artifacts="empty.dat one.bin dup-one.bin payload.txt chunk64.bin chunk64-copy.bin chunk64p1.bin chunk3.bin bin/tool.sh"
 tree_id=
 
 # Type-K mode-P kit: shared assert verbs + CAS helpers, all recording through
 # the unified kit_* counters over $work. pkg-specific helpers (not_contains,
 # same_artifacts, not_same_file, have_cmd) stay below.
 KIT_KIT_DIR="$repo_root/test/lib"
 . "$repo_root/test/lib/kit_sh_kit.sh"
 kit_report_init
 
 not_contains() {
     name=$1
     file=$2
     needle=$3
     if grep -F "$needle" "$file" >/dev/null 2>&1; then
         {
             printf 'unexpected text: %s\n' "$needle"
             sed 's/^/file: /' "$file"
         } > "$work/$name.diag"
         not_ok "$name" "$work/$name.diag"
     else
         ok "$name"
     fi
 }
 
 same_artifacts() {
     name=$1
     dir=$2
     diag="$work/$name.diag"
     : > "$diag"
     good=1
     for f in $artifacts; do
         if ! cmp -s "$work/in/$f" "$dir/$f"; then
             printf 'artifact differs or is missing: %s\n' "$f" >> "$diag"
             good=0
         fi
     done
     if [ "$good" -eq 1 ]; then
         ok "$name"
     else
         not_ok "$name" "$diag"
     fi
 }
 
 not_same_file() {
     name=$1
     left=$2
     right=$3
     if cmp -s "$left" "$right"; then
         {
             printf 'files unexpectedly match:\n'
             printf '  left:  %s\n' "$left"
             printf '  right: %s\n' "$right"
         } > "$work/$name.diag"
         not_ok "$name" "$work/$name.diag"
     else
         ok "$name"
     fi
 }
 
 have_cmd() {
     command -v "$1" >/dev/null 2>&1
 }
 
 make_fixtures() {
     : > "$work/in/empty.dat"
     printf x > "$work/in/one.bin"
     cp "$work/in/one.bin" "$work/in/dup-one.bin"
     printf 'portable package deflate regression payload\n' > "$work/in/payload.txt"
     dd if=/dev/zero of="$work/in/chunk64.bin" bs=65536 count=1 >/dev/null 2>&1
     cp "$work/in/chunk64.bin" "$work/in/chunk64-copy.bin"
     dd if=/dev/zero of="$work/in/chunk64p1.bin" bs=65536 count=1 >/dev/null 2>&1
     printf y >> "$work/in/chunk64p1.bin"
     dd if=/dev/zero of="$work/in/chunk3.bin" bs=65536 count=3 >/dev/null 2>&1
     printf tail >> "$work/in/chunk3.bin"
     mkdir -p "$work/in/bin"
     {
         printf '#!/bin/sh\n'
         printf 'printf "tool executed\\n"\n'
     } > "$work/in/bin/tool.sh"
     chmod +x "$work/in/bin/tool.sh"
 }
 
 keyid_from_keygen() {
     sed -n 's/.*key id \([0-9a-fA-F][0-9a-fA-F]*\)).*/\1/p' "$1"
 }
 
 inspect_checks() {
     label=$1
     out=$2
     contains "$label-inspect-magic" "$out" "kit-package 3"
     contains "$label-inspect-name" "$out" "name = matrix-test"
     contains "$label-inspect-version" "$out" "version = 1.0.0"
     contains "$label-inspect-desc" "$out" "description = package test matrix"
     contains "$label-inspect-hash" "$out" "hash = blake2b-256"
     contains "$label-inspect-tree-format" "$out" "tree = kit-tree-v1"
     contains "$label-inspect-blob-format" "$out" "blob = kit-blob-v1"
     contains "$label-inspect-output" "$out" "[output]"
     contains "$label-inspect-output-tree" "$out" "tree = $tree_id"
     contains "$label-inspect-empty" "$out" "path = empty.dat"
     contains "$label-inspect-boundary" "$out" "path = chunk64p1.bin"
     contains "$label-inspect-exec" "$out" "path = bin/tool.sh"
     not_contains "$label-inspect-no-v2-hash" "$out" "blake2b-merkle-v1"
     not_contains "$label-inspect-no-sha256" "$out" "sha256"
 }
 
 repack_targz() {
     src=$1
     out=$2
     files=$(cd "$src" && find . -type f -print | sed 's#^\./##' | sort)
     (cd "$src" && tar -czf "$out" $files)
 }
 
 extract_targz() {
     pkg=$1
     dst=$2
     mkdir -p "$dst"
     gzip -dc "$pkg" | tar -xf - -C "$dst"
 }
 
 flip_byte() {
     file=$1
     off=$2
     printf '\377' | dd of="$file" bs=1 seek="$off" count=1 conv=notrunc >/dev/null 2>&1
 }
 
 kpkg3_field_offset() {
     file=$1
     idx=$2
     perl -e '
         use strict;
         use warnings;
         my ($file, $idx) = @ARGV;
         open my $fh, "<:raw", $file or die "$file: $!";
         read $fh, my $magic, 7;
         die "bad magic" unless $magic eq "kpkg3\0\0";
         seek $fh, 16 + 8 * $idx, 0 or die "seek: $!";
         read $fh, my $b, 8;
         die "short read" unless length($b) == 8;
         print unpack("Q<", $b);
     ' "$file" "$idx"
 }
 
 extract_kpkg3_descriptor() {
     pkg=$1
     out=$2
     descriptor_off=$(kpkg3_field_offset "$pkg" 4)
     descriptor_size=$(kpkg3_field_offset "$pkg" 5)
     dd if="$pkg" of="$out" bs=1 skip="$descriptor_off" count="$descriptor_size" >/dev/null 2>&1
 }
 
 extract_kpkg3_manifest() {
     pkg=$1
     out=$2
     manifest_off=$(kpkg3_field_offset "$pkg" 0)
     manifest_size=$(kpkg3_field_offset "$pkg" 1)
     dd if="$pkg" of="$out" bs=1 skip="$manifest_off" count="$manifest_size" >/dev/null 2>&1
 }
 
 descriptor_value() {
     file=$1
     key=$2
     sed -n "s/^$key = //p" "$file" | sed -n '1p'
 }
 
 check_kpkg3_index() {
     label=$1
     pkg=$2
     descriptor=$3
     expected_compression=$4
 
     index_off=$(descriptor_value "$descriptor" "index-offset")
     index_size=$(descriptor_value "$descriptor" "index-size")
     content_size=$(descriptor_value "$descriptor" "content-size")
     empty_blob=$(tree_blob_for_path "$tree_file" "empty.dat")
     one_blob=$(tree_blob_for_path "$tree_file" "one.bin")
     dup_one_blob=$(tree_blob_for_path "$tree_file" "dup-one.bin")
     chunk64_blob=$(tree_blob_for_path "$tree_file" "chunk64.bin")
     chunk64_copy_blob=$(tree_blob_for_path "$tree_file" "chunk64-copy.bin")
     chunk64p1_blob=$(tree_blob_for_path "$tree_file" "chunk64p1.bin")
     chunk3_blob=$(tree_blob_for_path "$tree_file" "chunk3.bin")
     if perl -e '
         use strict;
         use warnings;
         my ($pkg, $index_off, $index_size, $content_size, $expected_comp,
             $empty, $one, $dup_one, $chunk64, $chunk64_copy, $chunk64p1,
             $chunk3) = @ARGV;
         die "duplicate one.bin blob mismatch" unless $one eq $dup_one;
         die "duplicate chunk64 blob mismatch" unless $chunk64 eq $chunk64_copy;
         die "bad index size" unless $index_size % 168 == 0;
         open my $fh, "<:raw", $pkg or die "$pkg: $!";
         seek $fh, $index_off, 0 or die "seek: $!";
         read $fh, my $index, $index_size;
         die "short index" unless length($index) == $index_size;
         my %count;
         my ($prev_blob, $prev_chunk) = ("", -1);
         for (my $off = 0; $off < $index_size; $off += 168) {
             my $rec = substr($index, $off, 168);
             my $blob = unpack("H64", substr($rec, 0, 32));
             my $chunk = unpack("Q<", substr($rec, 32, 8));
             my $content_off = unpack("Q<", substr($rec, 40, 8));
             my $stored_size = unpack("Q<", substr($rec, 48, 8));
             my $raw_size = unpack("Q<", substr($rec, 56, 8));
             my $compression = unpack("V", substr($rec, 64, 4));
             my $reserved = unpack("V", substr($rec, 68, 4));
             die "reserved field is nonzero" if $reserved != 0;
             die "wrong compression" if $compression != $expected_comp;
             die "raw chunk size out of range" if $raw_size == 0 || $raw_size > 65536;
             die "content range out of bounds"
                 if $content_off > $content_size || $stored_size > $content_size - $content_off;
             if ($prev_blob ne "") {
                 my $cmp = $prev_blob cmp $blob;
                 die "index not sorted" if $cmp > 0;
                 die "chunk index not increasing" if $cmp == 0 && $chunk <= $prev_chunk;
                 die "new blob does not start at chunk 0" if $cmp < 0 && $chunk != 0;
             } elsif ($chunk != 0) {
                 die "first blob does not start at chunk 0";
             }
             $count{$blob}++;
             ($prev_blob, $prev_chunk) = ($blob, $chunk);
         }
         die "unexpected record count" unless $index_size / 168 == 10;
         die "empty blob should have no records" if exists $count{$empty};
         die "one-byte duplicate blob count" unless ($count{$one} // 0) == 1;
         die "chunk64 duplicate blob count" unless ($count{$chunk64} // 0) == 1;
         die "chunk64p1 blob count" unless ($count{$chunk64p1} // 0) == 2;
         die "chunk3 blob count" unless ($count{$chunk3} // 0) == 4;
     ' "$pkg" "$index_off" "$index_size" "$content_size" "$expected_compression" \
         "$empty_blob" "$one_blob" "$dup_one_blob" "$chunk64_blob" \
         "$chunk64_copy_blob" "$chunk64p1_blob" "$chunk3_blob" \
         > "$work/$label.out" 2> "$work/$label.err"; then
         ok "$label"
     else
         not_ok "$label" "$work/$label.err"
     fi
 }
 
 maybe_corrupt_native_region() {
     label=$1
     pkg=$2
     descriptor=$3
     key=$4
     off=$(descriptor_value "$descriptor" "$key")
     case "$off" in
         ''|*[!0-9]*|0)
             skip_test "$label"
             ;;
         *)
             cp "$pkg" "$work/pkg/bad-$label.kpkg"
             flip_byte "$work/pkg/bad-$label.kpkg" "$off"
             run_fail "$label" "$KIT" pkg verify -p "$work/key.pub" \
                 "$work/pkg/bad-$label.kpkg"
             ;;
     esac
 }
 
 run_matrix_for_package() {
     label=$1
     pkg=$2
     format=$3
 
     run_ok "$label-inspect" "$KIT" pkg inspect "$pkg"
     inspect_checks "$label" "$work/$label-inspect.out"
 
     run_ok "$label-verify-pubkey" "$KIT" pkg verify -p "$work/key.pub" "$pkg"
     contains "$label-verify-output-name" "$work/$label-verify-pubkey.out" "ok: matrix-test 1.0.0"
 
     outdir="$work/unpack/$label"
     mkdir -p "$outdir"
     run_ok "$label-unpack-pubkey" "$KIT" pkg unpack --verify -p "$work/key.pub" "$pkg" -C "$outdir"
     contains "$label-unpack-verify-output-name" "$work/$label-unpack-pubkey.out" "ok: matrix-test 1.0.0"
     same_artifacts "$label-unpack-content" "$outdir"
     is_executable "$label-unpack-exec-mode" "$outdir/bin/tool.sh"
 
     run_ok "$label-verify-format-override" "$KIT" pkg verify -p "$work/key.pub" --format "$format" "$pkg"
 }
 
 make_fixtures
 
 run_ok "pkg-keygen" "$KIT" pkg keygen -o "$work/key"
 keyid=$(keyid_from_keygen "$work/pkg-keygen.out")
 if [ -n "$keyid" ]; then
     ok "pkg-keygen-keyid"
 else
     echo "could not parse key id from keygen output" > "$work/pkg-keygen-keyid.diag"
     not_ok "pkg-keygen-keyid" "$work/pkg-keygen-keyid.diag"
 fi
 
 run_ok "pkg-cas-add-tree" "$KIT" cas add-tree --cas "$work/cas" --root "$work/in"
 tree_id=$(first_hex_id "$work/pkg-cas-add-tree.out")
 if [ -n "$tree_id" ]; then
     ok "pkg-cas-tree-id"
 else
     echo "could not parse tree id from cas add-tree output" > "$work/pkg-cas-tree-id.diag"
     not_ok "pkg-cas-tree-id" "$work/pkg-cas-tree-id.diag"
 fi
 tree_file=$(cas_object_path "$work/cas" tree "$tree_id")
 assert_file_exists "pkg-cas-tree-object" "$tree_file"
 contains "pkg-cas-tree-magic" "$tree_file" "kit-tree 1"
 contains "pkg-cas-tree-exec-mode" "$tree_file" "mode = x"
 contains "pkg-cas-tree-file-mode" "$tree_file" "mode = -"
 
 run_ok "pkg-create-targz-deflate" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --desc "package test matrix" \
     --format tar.gz --cas "$work/cas" --tree "$tree_id" \
     -s "$work/key.key" -o "$work/pkg/matrix.tar.gz"
 
 run_ok "pkg-create-kpkg-none" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --desc "package test matrix" \
     --format kpkg --compression none --cas "$work/cas" --tree "$tree_id" \
     -s "$work/key.key" -o "$work/pkg/matrix-none.kpkg"
 
 run_ok "pkg-create-kpkg-lz4" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --desc "package test matrix" \
     --format kpkg --compression lz4-block-v1 --cas "$work/cas" --tree "$tree_id" \
     -s "$work/key.key" -o "$work/pkg/matrix-lz4.kpkg"
 
 run_ok "pkg-create-root-targz" "$KIT" pkg create \
     --name order-test --version 1.0.0 --desc "order independence" \
     --format tar.gz --root "$work/in" -s "$work/key.key" \
     -o "$work/pkg/order-root.tar.gz"
 run_ok "pkg-create-cas-targz" "$KIT" pkg create \
     --name order-test --version 1.0.0 --desc "order independence" \
     --format tar.gz --cas "$work/cas" --tree "$tree_id" \
     -s "$work/key.key" -o "$work/pkg/order-cas.tar.gz"
 run_ok "pkg-inspect-order-targz-root" "$KIT" pkg inspect "$work/pkg/order-root.tar.gz"
 run_ok "pkg-inspect-order-targz-cas" "$KIT" pkg inspect "$work/pkg/order-cas.tar.gz"
 same_file "pkg-root-and-cas-manifest-match" \
     "$work/pkg-inspect-order-targz-root.out" \
     "$work/pkg-inspect-order-targz-cas.out"
 
 run_ok "pkg-create-version-alt" "$KIT" pkg create \
     --name matrix-test --version 1.0.1 --desc "package test matrix" \
     --format tar.gz --cas "$work/cas" --tree "$tree_id" \
     -s "$work/key.key" -o "$work/pkg/matrix-alt-version.tar.gz"
 run_ok "pkg-inspect-version-alt" "$KIT" pkg inspect "$work/pkg/matrix-alt-version.tar.gz"
 contains "pkg-version-alt-tree-same" "$work/pkg-inspect-version-alt.out" "tree = $tree_id"
 contains "pkg-version-alt-version" "$work/pkg-inspect-version-alt.out" "version = 1.0.1"
 
 run_matrix_for_package "targz" "$work/pkg/matrix.tar.gz" "tar.gz"
 run_matrix_for_package "kpkg-none" "$work/pkg/matrix-none.kpkg" "kpkg"
 run_matrix_for_package "kpkg-lz4" "$work/pkg/matrix-lz4.kpkg" "kpkg"
 
 if have_cmd perl; then
     extract_kpkg3_descriptor "$work/pkg/matrix-none.kpkg" "$work/native-none.descriptor"
     contains "native-descriptor-magic" "$work/native-none.descriptor" "kit-encoding 3"
     contains "native-descriptor-tree-region" "$work/native-none.descriptor" "tree-offset = "
     contains "native-descriptor-index-bytes" "$work/native-none.descriptor" "index-bytes = 1680"
     check_kpkg3_index "native-none-index-shape" \
         "$work/pkg/matrix-none.kpkg" "$work/native-none.descriptor" 0
     extract_kpkg3_descriptor "$work/pkg/matrix-lz4.kpkg" "$work/native-lz4.descriptor"
     check_kpkg3_index "native-lz4-index-shape" \
         "$work/pkg/matrix-lz4.kpkg" "$work/native-lz4.descriptor" 1
     extract_kpkg3_manifest "$work/pkg/matrix-none.kpkg" "$work/native-none.manifest"
     contains "native-manifest-v3" "$work/native-none.manifest" "kit-package 3"
 else
     skip_test "native-descriptor-inspection"
 fi
 
 run_ok "pkg-create-kpkg-thin" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --desc "package test matrix" \
     --format kpkg --native-shape thin --external "$work/ext-thin" \
     --compression none --cas "$work/cas" --tree "$tree_id" \
     -s "$work/key.key" -o "$work/pkg/matrix-thin.kpkg"
 run_ok "native-thin-inspect-encoding" "$KIT" pkg inspect --encoding \
     "$work/pkg/matrix-thin.kpkg"
 contains "native-thin-tree-external" "$work/native-thin-inspect-encoding.out" \
     "tree-size = 0"
 contains "native-thin-index-external" "$work/native-thin-inspect-encoding.out" \
     "index-size = 0"
 contains "native-thin-content-external" "$work/native-thin-inspect-encoding.out" \
     "content-size = 0"
 contains "native-thin-index-url" "$work/native-thin-inspect-encoding.out" \
     "index-url = index/"
 contains "native-thin-tree-url" "$work/native-thin-inspect-encoding.out" \
     "url = tree/"
 contains "native-thin-chunk-template" "$work/native-thin-inspect-encoding.out" \
     "template = chunk/{blob-prefix}/{blob}/{chunk}"
 run_fail "native-thin-verify-without-external-fails" "$KIT" pkg verify \
     -p "$work/key.pub" "$work/pkg/matrix-thin.kpkg"
 run_ok "native-thin-verify-external" "$KIT" pkg verify \
     -p "$work/key.pub" --external "$work/ext-thin" \
     "$work/pkg/matrix-thin.kpkg"
 mkdir -p "$work/unpack/kpkg-thin"
 run_ok "native-thin-unpack-external" "$KIT" pkg unpack --verify \
     -p "$work/key.pub" --external "$work/ext-thin" \
     "$work/pkg/matrix-thin.kpkg" -C "$work/unpack/kpkg-thin"
 same_artifacts "native-thin-unpack-content" "$work/unpack/kpkg-thin"
 is_executable "native-thin-unpack-exec-mode" \
     "$work/unpack/kpkg-thin/bin/tool.sh"
 
 run_ok "pkg-create-kpkg-metadata" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --desc "package test matrix" \
     --format kpkg --native-shape metadata --external "$work/ext-metadata" \
     --compression none --cas "$work/cas" --tree "$tree_id" \
     -s "$work/key.key" -o "$work/pkg/matrix-metadata.kpkg"
 run_fail "native-metadata-verify-without-external-fails" "$KIT" pkg verify \
     -p "$work/key.pub" "$work/pkg/matrix-metadata.kpkg"
 run_ok "native-metadata-verify-external" "$KIT" pkg verify \
     -p "$work/key.pub" --external "$work/ext-metadata" \
     "$work/pkg/matrix-metadata.kpkg"
 
 payload_blob_for_external=$(tree_blob_for_path "$tree_file" "payload.txt")
 payload_blob_prefix=$(id_prefix "$payload_blob_for_external")
 cp -R "$work/ext-thin" "$work/ext-thin-bad-chunk"
 printf tamper >> "$work/ext-thin-bad-chunk/chunk/$payload_blob_prefix/$payload_blob_for_external/0"
 run_fail "native-external-mutated-chunk-fails" "$KIT" pkg verify \
     -p "$work/key.pub" --external "$work/ext-thin-bad-chunk" \
     "$work/pkg/matrix-thin.kpkg"
 
 cp -R "$work/ext-thin" "$work/ext-thin-bad-tree"
 printf tamper >> "$(cas_object_path "$work/ext-thin-bad-tree" tree "$tree_id")"
 run_fail "native-external-mutated-tree-fails" "$KIT" pkg verify \
     -p "$work/key.pub" --external "$work/ext-thin-bad-tree" \
     "$work/pkg/matrix-thin.kpkg"
 
 if have_cmd perl; then
     extract_kpkg3_descriptor "$work/pkg/matrix-thin.kpkg" "$work/native-thin.descriptor"
     thin_index_rel=$(descriptor_value "$work/native-thin.descriptor" "index-url")
     cp -R "$work/ext-thin" "$work/ext-thin-bad-index"
     printf tamper >> "$work/ext-thin-bad-index/$thin_index_rel"
     run_fail "native-external-mutated-index-fails" "$KIT" pkg verify \
         -p "$work/key.pub" --external "$work/ext-thin-bad-index" \
         "$work/pkg/matrix-thin.kpkg"
 else
     skip_test "native-external-mutated-index-fails"
 fi
 
 run_ok "host-gzip-accepts-kit-output" gzip -t "$work/pkg/matrix.tar.gz"
 if gunzip -c "$work/pkg/matrix.tar.gz" > "$work/pkg/matrix.tar" 2> "$work/gunzip.err" &&
    gzip -c "$work/pkg/matrix.tar" > "$work/pkg/host.tar.gz" 2> "$work/regzip.err"; then
     run_ok "pkg-inspect-host-gzip" "$KIT" pkg inspect "$work/pkg/host.tar.gz"
     run_ok "pkg-verify-host-gzip" "$KIT" pkg verify -p "$work/key.pub" "$work/pkg/host.tar.gz"
 else
     not_ok "pkg-inspect-host-gzip" "$work/gunzip.err"
     not_ok "pkg-verify-host-gzip" "$work/regzip.err"
 fi
 
 run_ok "pkg-create-infer-targz" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --root "$work/in" -s "$work/key.key" \
     -o "$work/pkg/infer.tar.gz"
 run_ok "pkg-create-infer-kpkg" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --root "$work/in" -s "$work/key.key" \
     -o "$work/pkg/infer.kpkg"
 run_fail "pkg-create-unknown-extension-needs-format" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 -s "$work/key.key" \
     --root "$work/in" -o "$work/pkg/unknown.pkg"
 run_ok "pkg-create-override-targz-extension" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --format tar.gz -s "$work/key.key" \
     --root "$work/in" -o "$work/pkg/override.pkg"
 run_ok "pkg-verify-override-targz-extension" "$KIT" pkg verify -p "$work/key.pub" \
     --format tar.gz "$work/pkg/override.pkg"
 run_fail "pkg-verify-wrong-format-native" "$KIT" pkg verify -p "$work/key.pub" \
     --format kpkg "$work/pkg/matrix.tar.gz"
 run_fail "pkg-verify-wrong-format-portable" "$KIT" pkg verify -p "$work/key.pub" \
     --format tar.gz "$work/pkg/matrix-none.kpkg"
 
 run_fail "pkg-verify-untrusted-no-key" "$KIT" pkg verify "$work/pkg/matrix.tar.gz"
 run_ok "pkg-trust-path" "$KIT" pkg trust path
 contains "pkg-trust-path-output" "$work/pkg-trust-path.out" "$KIT_TRUSTED_KEYS"
 run_ok "pkg-trust-list-empty" "$KIT" pkg trust list
 contains "pkg-trust-list-empty-message" "$work/pkg-trust-list-empty.out" "(no trusted keys"
 run_ok "pkg-trust-add" "$KIT" pkg trust add "$work/key.pub" matrix-label
 run_ok "pkg-trust-list-added" "$KIT" pkg trust list
 contains "pkg-trust-list-added-key" "$work/pkg-trust-list-added.out" "$keyid"
 contains "pkg-trust-list-added-label" "$work/pkg-trust-list-added.out" "matrix-label"
 run_ok "pkg-verify-trusted-store" "$KIT" pkg verify "$work/pkg/matrix.tar.gz"
 run_ok "pkg-trust-remove" "$KIT" pkg trust remove "$keyid"
 run_ok "pkg-trust-list-removed" "$KIT" pkg trust list
 not_contains "pkg-trust-list-removed-key" "$work/pkg-trust-list-removed.out" "$keyid"
 run_fail "pkg-verify-after-trust-remove" "$KIT" pkg verify "$work/pkg/matrix.tar.gz"
 
 mkdir -p "$work/tofu-home"
 run_ok "pkg-verify-tofu-pins" env HOME="$work/tofu-home" KIT_TRUSTED_KEYS="$work/tofu.keys" \
     "$KIT" pkg verify --tofu "$work/pkg/matrix.tar.gz"
 contains "pkg-tofu-file-key" "$work/tofu.keys" "$keyid"
 run_ok "pkg-verify-tofu-store" env HOME="$work/tofu-home" KIT_TRUSTED_KEYS="$work/tofu.keys" \
     "$KIT" pkg verify "$work/pkg/matrix.tar.gz"
 
 run_ok "pkg-keygen-wrong" "$KIT" pkg keygen -o "$work/wrong"
 run_fail "pkg-verify-wrong-pubkey" "$KIT" pkg verify -p "$work/wrong.pub" "$work/pkg/matrix.tar.gz"
 
 if have_cmd tar; then
     extract_targz "$work/pkg/matrix.tar.gz" "$work/tar-ok"
     tar_tree_file=$(cas_object_path "$work/tar-ok/kit/cas" tree "$tree_id")
     for f in kit/package.manifest kit/package.manifest.minisig kit/package.pub; do
         safe_f=$(printf '%s\n' "$f" | sed 's#[^A-Za-z0-9_.-]#-#g')
         if [ -f "$work/tar-ok/$f" ]; then
             ok "portable-member-$f"
         else
             echo "missing tar member: $f" > "$work/portable-member-$safe_f.diag"
             not_ok "portable-member-$f" "$work/portable-member-$safe_f.diag"
         fi
     done
     assert_file_exists "portable-member-tree-object" "$tar_tree_file"
     same_file "portable-tree-matches-cas" "$tree_file" "$tar_tree_file"
     for f in $artifacts; do
         blob=$(tree_blob_for_path "$tar_tree_file" "$f")
         blob_file=$(cas_object_path "$work/tar-ok/kit/cas" blob "$blob")
         safe_f=$(printf '%s\n' "$f" | sed 's#[^A-Za-z0-9_.-]#-#g')
         assert_file_exists "portable-member-blob-$safe_f" "$blob_file"
     done
     if [ -f "$work/tar-ok/payload.txt" ] || [ -f "$work/tar-ok/bin/tool.sh" ]; then
         echo "portable archive stored output files outside kit/cas" > "$work/portable-no-root-files.diag"
         not_ok "portable-no-root-files" "$work/portable-no-root-files.diag"
     else
         ok "portable-no-root-files"
     fi
 
     extract_targz "$work/pkg/matrix-alt-version.tar.gz" "$work/tar-alt-version"
     contains "portable-alt-manifest-tree-same" \
         "$work/tar-alt-version/kit/package.manifest" "tree = $tree_id"
     not_same_file "portable-metadata-changes-manifest" \
         "$work/tar-ok/kit/package.manifest" \
         "$work/tar-alt-version/kit/package.manifest"
     same_file "portable-metadata-keeps-tree-object" \
         "$tar_tree_file" \
         "$(cas_object_path "$work/tar-alt-version/kit/cas" tree "$tree_id")"
 
     cp -R "$work/tar-ok" "$work/tar-missing-manifest"
     rm -f "$work/tar-missing-manifest/kit/package.manifest"
     repack_targz "$work/tar-missing-manifest" "$work/pkg/bad-missing-manifest.tar.gz"
     run_fail "portable-missing-manifest-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-missing-manifest.tar.gz"
 
     cp -R "$work/tar-ok" "$work/tar-missing-signature"
     rm -f "$work/tar-missing-signature/kit/package.manifest.minisig"
     repack_targz "$work/tar-missing-signature" "$work/pkg/bad-missing-signature.tar.gz"
     run_fail "portable-missing-signature-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-missing-signature.tar.gz"
 
     cp -R "$work/tar-ok" "$work/tar-missing-tree"
     rm -f "$(cas_object_path "$work/tar-missing-tree/kit/cas" tree "$tree_id")"
     repack_targz "$work/tar-missing-tree" "$work/pkg/bad-missing-tree.tar.gz"
     run_fail "portable-missing-tree-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-missing-tree.tar.gz"
 
     payload_blob=$(tree_blob_for_path "$tar_tree_file" "payload.txt")
     cp -R "$work/tar-ok" "$work/tar-missing-blob"
     rm -f "$(cas_object_path "$work/tar-missing-blob/kit/cas" blob "$payload_blob")"
     repack_targz "$work/tar-missing-blob" "$work/pkg/bad-missing-blob.tar.gz"
     run_fail "portable-missing-blob-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-missing-blob.tar.gz"
 
     cp -R "$work/tar-ok" "$work/tar-mutated-blob"
     printf tamper >> "$(cas_object_path "$work/tar-mutated-blob/kit/cas" blob "$payload_blob")"
     repack_targz "$work/tar-mutated-blob" "$work/pkg/bad-mutated-blob.tar.gz"
     run_fail "portable-mutated-blob-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-mutated-blob.tar.gz"
 
     cp -R "$work/tar-ok" "$work/tar-mutated-tree"
     printf '\n# tamper\n' >> "$(cas_object_path "$work/tar-mutated-tree/kit/cas" tree "$tree_id")"
     repack_targz "$work/tar-mutated-tree" "$work/pkg/bad-mutated-tree.tar.gz"
     run_fail "portable-mutated-tree-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-mutated-tree.tar.gz"
 
     cp -R "$work/tar-ok" "$work/tar-mutated-manifest"
     printf '\n# tamper\n' >> "$work/tar-mutated-manifest/kit/package.manifest"
     repack_targz "$work/tar-mutated-manifest" "$work/pkg/bad-mutated-manifest.tar.gz"
     run_fail "portable-mutated-manifest-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-mutated-manifest.tar.gz"
 else
     skip_test "portable-tar-member-and-repack-tests"
 fi
 
 cp "$work/pkg/matrix.tar.gz" "$work/pkg/bad-gzip-byte.tar.gz"
 flip_byte "$work/pkg/bad-gzip-byte.tar.gz" 0
 run_fail "portable-corrupt-gzip-fails" "$KIT" pkg verify -p "$work/key.pub" \
     "$work/pkg/bad-gzip-byte.tar.gz"
 
 cp "$work/pkg/matrix-none.kpkg" "$work/pkg/bad-native-magic.kpkg"
 flip_byte "$work/pkg/bad-native-magic.kpkg" 0
 run_fail "native-bad-magic-fails" "$KIT" pkg verify -p "$work/key.pub" \
     "$work/pkg/bad-native-magic.kpkg"
 
 dd if="$work/pkg/matrix-none.kpkg" of="$work/pkg/bad-native-truncated.kpkg" \
     bs=1 count=100 >/dev/null 2>&1
 run_fail "native-truncated-fails" "$KIT" pkg verify -p "$work/key.pub" \
     "$work/pkg/bad-native-truncated.kpkg"
 
 cp "$work/pkg/matrix-none.kpkg" "$work/pkg/bad-native-manifest.kpkg"
 if have_cmd perl; then
     manifest_off=$(kpkg3_field_offset "$work/pkg/matrix-none.kpkg" 0)
     flip_byte "$work/pkg/bad-native-manifest.kpkg" "$manifest_off"
     run_fail "native-mutated-manifest-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-native-manifest.kpkg"
 else
     skip_test "native-mutated-manifest-fails"
 fi
 
 if have_cmd perl; then
     descriptor_off=$(kpkg3_field_offset "$work/pkg/matrix-none.kpkg" 4)
     extract_kpkg3_descriptor "$work/pkg/matrix-none.kpkg" "$work/native-corrupt.descriptor"
 
     cp "$work/pkg/matrix-none.kpkg" "$work/pkg/bad-native-descriptor.kpkg"
     flip_byte "$work/pkg/bad-native-descriptor.kpkg" "$descriptor_off"
     run_fail "native-mutated-descriptor-fails" "$KIT" pkg verify -p "$work/key.pub" \
         "$work/pkg/bad-native-descriptor.kpkg"
 
     maybe_corrupt_native_region "native-mutated-tree-region-fails" \
         "$work/pkg/matrix-none.kpkg" "$work/native-corrupt.descriptor" "tree-offset"
     maybe_corrupt_native_region "native-mutated-index-fails" \
         "$work/pkg/matrix-none.kpkg" "$work/native-corrupt.descriptor" "index-offset"
     maybe_corrupt_native_region "native-mutated-content-fails" \
         "$work/pkg/matrix-none.kpkg" "$work/native-corrupt.descriptor" "content-offset"
 else
     skip_test "native-region-offset-corruption-tests"
 fi
 
 run_fail "pkg-create-missing-required-fails" "$KIT" pkg create \
     --name missing-version -s "$work/key.key" --root "$work/in" -o "$work/pkg/missing.tar.gz"
 run_fail "pkg-create-unknown-format-fails" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --format nope -s "$work/key.key" \
     --root "$work/in" -o "$work/pkg/badformat.tar.gz"
 run_fail "pkg-create-unknown-compression-fails" "$KIT" pkg create \
     --name matrix-test --version 1.0.0 --format kpkg --compression nope \
     -s "$work/key.key" --root "$work/in" -o "$work/pkg/badcomp.kpkg"
 mkdir -p "$work/dup/a" "$work/dup/b"
 printf one > "$work/dup/a/same.dat"
 printf two > "$work/dup/b/same.dat"
 cat > "$work/dup.map" <<EOF
 same.dat - $work/dup/a/same.dat
 same.dat - $work/dup/b/same.dat
 EOF
 run_fail "pkg-cas-duplicate-tree-path-fails" "$KIT" cas add-tree \
     --cas "$work/cas" --map "$work/dup.map"
 printf unsafe > "$work/in/bad\\path.dat"
 cat > "$work/unsafe.map" <<EOF
 bad\\path.dat - $work/in/bad\\path.dat
 EOF
 run_fail "pkg-cas-unsafe-tree-path-fails" "$KIT" cas add-tree \
     --cas "$work/cas" --map "$work/unsafe.map"
 run_fail "pkg-verify-missing-file-fails" "$KIT" pkg verify -p "$work/key.pub" \
     "$work/pkg/does-not-exist.tar.gz"
 printf not-a-package > "$work/not-a-package.kpkg"
 run_fail "pkg-inspect-malformed-fails" "$KIT" pkg inspect "$work/not-a-package.kpkg"
 run_fail "pkg-trust-add-missing-pubkey-fails" "$KIT" pkg trust add
 run_fail "pkg-trust-remove-bad-keyid-fails" "$KIT" pkg trust remove xyz
 
 kit_summary pkg
 kit_exit