age-plugin-tpm: 0.2.0 -> 0.3.0

2025-02-16 09:49:59 -08:00 · 2025-02-16 09:49:59 -08:00 · b9ae163054
commit b9ae163054
parent b921710b50
4 changed files with 66 additions and 5 deletions
--- a/nixos/tests/age-plugin-tpm-decrypt.nix
+++ b/nixos/tests/age-plugin-tpm-decrypt.nix
@ -0,0 +1,33 @@
+{ pkgs, lib, ... }:
+{
+  name = "age-plugin-tpm-decrypt";
+  meta = with lib.maintainers; {
+    maintainers = [
+      sgo
+      josh
+    ];
+  };
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      virtualisation.tpm.enable = true;
+      environment.systemPackages = with pkgs; [
+        age
+        age-plugin-tpm
+      ];
+    };
+
+  testScript = ''
+    machine.start()
+
+    machine.succeed("age-plugin-tpm --generate --output identity.txt")
+    machine.succeed("age-plugin-tpm --convert identity.txt --output recipient.txt")
+    machine.succeed("echo -n 'Hello World' >data.txt")
+
+    machine.succeed("age --encrypt --recipients-file recipient.txt --output data.age data.txt")
+    data = machine.succeed("age --decrypt --identity identity.txt data.age")
+
+    assert data == "Hello World"
+  '';
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -112,6 +112,7 @@ in {
  aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix;
  agate = runTest ./web-servers/agate.nix;
  agda = handleTest ./agda.nix {};
+  age-plugin-tpm-decrypt = runTest ./age-plugin-tpm-decrypt.nix;
  agorakit = runTest ./web-apps/agorakit.nix;
  airsonic = handleTest ./airsonic.nix {};
  akkoma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./akkoma.nix {};
--- a/pkgs/by-name/ag/age-plugin-tpm/package.nix
+++ b/pkgs/by-name/ag/age-plugin-tpm/package.nix
@ -1,27 +1,31 @@
 {
  lib,
+  callPackage,
  buildGoModule,
  fetchFromGitHub,
+  nixosTests,
  swtpm,
  openssl,
+  age,
 }:

 buildGoModule rec {
  pname = "age-plugin-tpm";
-  version = "0.2.0";
+  version = "0.3.0";

  src = fetchFromGitHub {
    owner = "Foxboron";
    repo = "age-plugin-tpm";
-    rev = "v${version}";
-    hash = "sha256-oTvK8U5j+llHgoChhGb+vcUrUf9doVYxd3d5MEuCNz8=";
+    tag = "v${version}";
+    hash = "sha256-yr1PSSmcUoOrQ8VMQEoaCLNvDO+3+6N7XXdNUyYVz9M=";
  };

  proxyVendor = true;

-  vendorHash = "sha256-veduD0K3Onkqvyg9E5v854a6/8UIRQZEH098lUepRNU=";
+  vendorHash = "sha256-VEx6qP02QcwETOQUkMsrqVb+cOElceXcTDaUr480ngs=";

  nativeCheckInputs = [
+    age
    swtpm
  ];

@ -34,12 +38,17 @@ buildGoModule rec {
    "-w"
  ];

+  passthru.tests = {
+    encrypt = callPackage ./tests/encrypt.nix { };
+    decrypt = nixosTests.age-plugin-tpm-decrypt;
+  };
+
  meta = with lib; {
    description = "TPM 2.0 plugin for age (This software is experimental, use it at your own risk)";
    mainProgram = "age-plugin-tpm";
    homepage = "https://github.com/Foxboron/age-plugin-tpm";
    license = licenses.mit;
-    platforms = platforms.linux;
+    platforms = platforms.all;
    maintainers = with maintainers; [
      kranzes
      sgo
--- a/pkgs/by-name/ag/age-plugin-tpm/tests/encrypt.nix
+++ b/pkgs/by-name/ag/age-plugin-tpm/tests/encrypt.nix
@ -0,0 +1,18 @@
+{
+  runCommand,
+  age,
+  age-plugin-tpm,
+}:
+runCommand "age-plugin-tpm-encrypt"
+  {
+    nativeBuildInputs = [
+      age
+      age-plugin-tpm
+    ];
+    # example pubkey from Foxboron/age-plugin-tpm README
+    env.AGE_RECIPIENT = "age1tpm1qg86fn5esp30u9h6jy6zvu9gcsvnac09vn8jzjxt8s3qtlcv5h2x287wm36";
+  }
+  ''
+    echo "Hello World" | age --encrypt --armor --recipient "$AGE_RECIPIENT"
+    touch $out
+  ''