removes insecure DSA keys from signature test

Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>

Author: bb-Ricardo

git/signatures/gpg_signature_test.go

@@ -208,7 +208,6 @@ func TestVerifyPGPSignatureForCommitsAndTags(t *testing.T) {
 		{"ecdsa_p256 valid signature", "commit_ecdsa_p256_signed.txt", "tag_ecdsa_p256_signed.txt", "key_ecdsa_p256.pub", false},
 		{"ecdsa_p384 valid signature", "commit_ecdsa_p384_signed.txt", "tag_ecdsa_p384_signed.txt", "key_ecdsa_p384.pub", false},
 		{"ecdsa_p521 valid signature", "commit_ecdsa_p521_signed.txt", "tag_ecdsa_p521_signed.txt", "key_ecdsa_p521.pub", false},
-		{"dsa_2048 valid signature", "commit_dsa_2048_signed.txt", "tag_dsa_2048_signed.txt", "key_dsa_2048.pub", false},
 		{"brainpool_p256 valid signature", "commit_brainpool_p256_signed.txt", "tag_brainpool_p256_signed.txt", "key_brainpool_p256.pub", false},
 		{"brainpool_p384 valid signature", "commit_brainpool_p384_signed.txt", "tag_brainpool_p384_signed.txt", "key_brainpool_p384.pub", false},
 		{"brainpool_p512 valid signature", "commit_brainpool_p512_signed.txt", "tag_brainpool_p512_signed.txt", "key_brainpool_p512.pub", false},

git/signatures/testdata/gpg_signatures/README.md

@@ -20,7 +20,6 @@ The [`generate_gpg_fixtures.sh`](generate_gpg_fixtures.sh) script automates the
 
 1. **GPG Key Pairs** in supported variants:
    - RSA (2048 and 4096 bits)
-   - DSA (2048 bits)
    - ECC/ECDSA (NIST P-256, P-384, P-521)
    - Brainpool curves (P-256, P-384, P-512)
    - EdDSA (Ed25519, Ed448)
@@ -81,18 +80,6 @@ Expire-Date: 0
 EOF
 gpg --batch --generate-key batch_rsa_4096.txt
 
-# DSA 2048-bit key
-cat > batch_dsa_2048.txt <<EOF
-%no-protection
-Key-Type: DSA
-Key-Length: 2048
-Name-Real: Test User
-Name-Email: test-dsa-2048@example.com
-Expire-Date: 0
-%commit
-EOF
-gpg --batch --generate-key batch_dsa_2048.txt
-
 # ECDSA P-256 key
 cat > batch_ecdsa_p256.txt <<EOF
 %no-protection
@@ -192,7 +179,6 @@ gpg --batch --generate-key batch_ed448.txt
 # Export public keys
 gpg --armor --export test-rsa-2048@example.com > key_rsa_2048.pub
 gpg --armor --export test-rsa-4096@example.com > key_rsa_4096.pub
-gpg --armor --export test-dsa-2048@example.com > key_dsa_2048.pub
 gpg --armor --export test-ecdsa-p256@example.com > key_ecdsa_p256.pub
 gpg --armor --export test-ecdsa-p384@example.com > key_ecdsa_p384.pub
 gpg --armor --export test-ecdsa-p521@example.com > key_ecdsa_p521.pub
@@ -284,7 +270,6 @@ The script generates the following files:
 ### Public Keys
 - `key_rsa_2048.pub` - RSA 2048-bit public key
 - `key_rsa_4096.pub` - RSA 4096-bit public key
-- `key_dsa_2048.pub` - DSA 2048-bit public key
 - `key_ecdsa_p256.pub` - ECDSA P-256 public key
 - `key_ecdsa_p384.pub` - ECDSA P-384 public key
 - `key_ecdsa_p521.pub` - ECDSA P-521 public key
@@ -297,7 +282,6 @@ The script generates the following files:
 ### Signed Commits
 - `commit_rsa_2048_signed.txt` - RSA 2048-bit signed commit
 - `commit_rsa_4096_signed.txt` - RSA 4096-bit signed commit
-- `commit_dsa_2048_signed.txt` - DSA 2048-bit signed commit
 - `commit_ecdsa_p256_signed.txt` - ECDSA P-256 signed commit
 - `commit_ecdsa_p384_signed.txt` - ECDSA P-384 signed commit
 - `commit_ecdsa_p521_signed.txt` - ECDSA P-521 signed commit
@@ -310,7 +294,6 @@ The script generates the following files:
 ### Signed Tags
 - `tag_rsa_2048_signed.txt` - RSA 2048-bit signed tag
 - `tag_rsa_4096_signed.txt` - RSA 4096-bit signed tag
-- `tag_dsa_2048_signed.txt` - DSA 2048-bit signed tag
 - `tag_ecdsa_p256_signed.txt` - ECDSA P-256 signed tag
 - `tag_ecdsa_p384_signed.txt` - ECDSA P-384 signed tag
 - `tag_ecdsa_p521_signed.txt` - ECDSA P-521 signed tag
@@ -330,10 +313,6 @@ The script generates the following files:
 - **RSA 4096**: Stronger RSA key with 4096-bit modulus
 - Widely supported, but slower than ECC keys
 
-### DSA (Digital Signature Algorithm)
-- **DSA 2048**: Legacy algorithm, 2048-bit key
-- Less secure than modern alternatives, included for compatibility testing
-
 ### ECDSA (Elliptic Curve Digital Signature Algorithm)
 - **P-256**: NIST P-256 curve (secp256r1)
 - **P-384**: NIST P-384 curve (secp384r1)
@@ -385,7 +364,7 @@ If key generation fails, ensure that:
 
 ### Script structure
 The script uses separate functions for different key types:
-- `generate_rsa_dsa_key()` - For RSA and DSA keys with key length validation
+- `generate_rsa_dsa_key()` - For RSA keys with key length validation
 - `generate_ecc_key()` - For ECC/ECDSA/EdDSA keys with curve validation
 - `create_signed_object()` - For creating signed commits and tags
 - `create_unsigned_commit()` - For creating unsigned test commits

git/signatures/testdata/gpg_signatures/commit_dsa_2048_signed.txt

@@ -31,52 +31,52 @@ generate_key() {
     local key_type=$1
     local key_param=$2
     local key_name=$3
-    
+
     echo "Generating $key_type key pair ($key_name)..."
-    
+
     # Create batch configuration for GPG
     local batch_file="$TEMP_DIR/batch_${key_name}.txt"
     cat > "$batch_file" <<EOF
 %no-protection
 Key-Type: $key_type
 EOF
-    
+
     # Add key-specific parameters
     case "$key_type" in
-        RSA|DSA)
+        RSA)
             echo "Key-Length: $key_param" >> "$batch_file"
             ;;
         ecdsa|eddsa)
             echo "Key-Curve: $key_param" >> "$batch_file"
             ;;
     esac
-    
+
     cat >> "$batch_file" <<EOF
 Name-Real: $TEST_USER_NAME
 Name-Email: test-${key_name}@example.com
 Expire-Date: 0
 %commit
 EOF
-    
+
     # Generate the key
     gpg --batch --generate-key "$batch_file" 2>&1
-    
+
     # Get the key ID
     local key_id
     key_id=$(gpg --list-keys --with-colons "test-${key_name}@example.com" | grep '^fpr' | head -1 | cut -d: -f10)
-    
+
     echo "  Key ID: $key_id"
-    
+
     # Export public key
     gpg --armor --export "test-${key_name}@example.com" > "$SCRIPT_DIR/key_${key_name}.pub"
     echo "  ✓ key_${key_name}.pub created"
-    
+
     # Export secret key (for signing)
     gpg --armor --export-secret-keys "test-${key_name}@example.com" > "$TEMP_DIR/${key_name}.sec"
-    
+
     # Store key ID for later use
     echo "$key_id" > "$TEMP_DIR/${key_name}_id.txt"
-    
+
     rm -f "$batch_file"
     echo "  ✓ $key_name key pair generated successfully"
 }
@@ -85,41 +85,41 @@ EOF
 create_signed_object() {
     local object_type=$1
     local key_name=$2
-    
+
     echo "Creating signed $object_type for $key_name..."
-    
+
     # Get key ID
     local key_id
     key_id=$(cat "$TEMP_DIR/${key_name}_id.txt")
-    
+
     # Create temporary Git repository
     local repo_dir="$TEMP_DIR/repo_${key_name}_${object_type}"
     mkdir -p "$repo_dir"
     cd "$repo_dir"
-    
+
     git init
     git config user.name "$TEST_USER_NAME"
     git config user.email "$TEST_USER_EMAIL"
     git config gpg.program gpg
     git config user.signingkey "$key_id"
-    
+
     # Import the secret key for signing
     gpg --batch --import "$TEMP_DIR/${key_name}.sec" 2>/dev/null
-    
+
     # Create file and commit
     echo "Test content for $key_name $object_type" > test.txt
     git add test.txt
     git commit -m "Test commit for $object_type"
-    
+
     if [[ "$object_type" == "commit" ]]; then
         # Sign the commit (amend)
         git commit --amend --allow-empty -S -m "Test commit signed with $key_name"
-        
+
         # Verify the signed commit
         echo "  Verifying signed commit..."
         git verify-commit HEAD 2>&1 | grep -q "Good signature"
         echo "  ✓ Commit signature verified successfully"
-        
+
         # Export commit object
         git cat-file commit HEAD > "$SCRIPT_DIR/commit_${key_name}_signed.txt"
         cd "$SCRIPT_DIR"
@@ -128,12 +128,12 @@ create_signed_object() {
     elif [[ "$object_type" == "tag" ]]; then
         # Create and sign tag
         git tag -a "test-tag-${key_name}" -m "Test tag signed with $key_name" -s
-        
+
         # Verify the signed tag
         echo "  Verifying signed tag..."
         git verify-tag "test-tag-${key_name}" 2>&1 | grep -q "Good signature"
         echo "  ✓ Tag signature verified successfully"
-        
+
         # Export tag object
         git cat-file tag "test-tag-${key_name}" > "$SCRIPT_DIR/tag_${key_name}_signed.txt"
         cd "$SCRIPT_DIR"
@@ -144,64 +144,61 @@ create_signed_object() {
 # Function to create unsigned commit
 create_unsigned_commit() {
     echo "Creating unsigned commit..."
-    
+
     # Create temporary Git repository
     local repo_dir="$TEMP_DIR/repo_unsigned"
     mkdir -p "$repo_dir"
     cd "$repo_dir"
-    
+
     git init
     git config user.name "$TEST_USER_NAME"
     git config user.email "$TEST_USER_EMAIL"
-    
+
     # Create file and commit (without signature)
     echo "Test content unsigned" > test.txt
     git add test.txt
     git commit -m "Test commit unsigned"
-    
+
     # Export commit object
     git cat-file commit HEAD > "$SCRIPT_DIR/commit_unsigned.txt"
-    
+
     cd "$SCRIPT_DIR"
     echo "  ✓ commit_unsigned.txt created"
 }
 
 # Main program
 main() {
-    echo "Step 1: Generate RSA/DSA keys..."
+    echo "Step 1: Generate RSA keys..."
     echo "-----------------------------------"
-    
+
     # RSA keys (different key lengths)
     generate_key "RSA" "2048" "rsa_2048"
     generate_key "RSA" "4096" "rsa_4096"
-    
-    # DSA key (legacy, but still supported)
-    generate_key "DSA" "2048" "dsa_2048"
-    
+
     echo ""
     echo "Step 2: Generate ECC keys..."
     echo "-----------------------------------"
-    
+
     # ECDSA keys (different curves)
     generate_key "ecdsa" "NIST P-256" "ecdsa_p256"
     generate_key "ecdsa" "NIST P-384" "ecdsa_p384"
     generate_key "ecdsa" "NIST P-521" "ecdsa_p521"
-    
+
     # Brainpool curves
     generate_key "ecdsa" "brainpoolP256r1" "brainpool_p256"
     generate_key "ecdsa" "brainpoolP384r1" "brainpool_p384"
     generate_key "ecdsa" "brainpoolP512r1" "brainpool_p512"
-    
+
     # Ed25519 (modern elliptic curve)
     generate_key "eddsa" "Ed25519" "ed25519"
-    
+
     # Ed448 (less common)
     generate_key "eddsa" "Ed448" "ed448"
-    
+
     echo ""
     echo "Step 3: Create signed commits..."
     echo "----------------------------------------"
-    
+
     # Get list of successfully generated keys
     local keys=() key_name=""
     for key_file in "$TEMP_DIR"/*_id.txt; do
@@ -210,32 +207,32 @@ main() {
             keys+=("$key_name")
         fi
     done
-    
+
     # Signed commits for each key type
     for key_name in "${keys[@]}"; do
         create_signed_object "commit" "$key_name"
     done
-    
+
     echo ""
     echo "Step 4: Create signed tags..."
     echo "-------------------------------------"
-    
+
     # Signed tags for each key type
     for key_name in "${keys[@]}"; do
         create_signed_object "tag" "$key_name"
     done
-    
+
     echo ""
     echo "Step 5: Create unsigned commit..."
     echo "------------------------------------------"
-    
+
     create_unsigned_commit
-    
+
     echo ""
     echo "=== Cleanup ==="
     rm -rf "$TEMP_DIR"
     echo "Temporary directory removed"
-    
+
     echo ""
     echo "=== Done! ==="
     echo "All test fixtures have been successfully created."