Signed Reports
The HILSTER Testing Framework has supported signed test reports since version htf-1.2.
Signed reports are a very useful feature for proving that a test report was not modified.
This can be useful when dealing with certification authorities or during legal proceedings to document when, how and to what degree a product was tested.
The signature is created using asymmetric cryptography. This allows for independent verification of the signature's validity with the public key.
Signed reports can be verified by others using the checksignatures command line utility, which does not need to be licensed and which is shipped with htf.
Creating signed reports
Signed reports can only be created for the internal reports of the HILSTER Testing Framework. These are the HTML-report, the JUnit-xml-report and the JSON-Report. User-supplied reports are not signed for security reasons.
To be able to create signed reports you need to license the htf.signatures feature.
Once the htf.signatures feature is enabled, signed reports are created automatically if you use $ htf, $ htf run, $ htf dryrun, htf.main, htf.run or htf.dryrun.
The signature is written into an extra file with the name of the report plus .sig.
To disable the creation of signatures, set the environment variable HTF_SIGN_REPORTS to "0" using set HTF_SIGN_REPORTS=0 on Windows or export HTF_SIGN_REPORTS=0 on Linux.
Checking signatures
checksignatures is free to use and does not need a license.
To check signatures you can use the checksignatures command line utility which is shipped with htf.
When called without any parameters, checksignatures scans the current folder and prints the status of the files found.
Files without signatures can be omitted by using the -s option.
To verify specific files or folders, add them as parameters separated by whitespace.
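Because -s hides files without signatures, and HTF_SIGN_REPORTS=0 switches signing off, a report folder can look clean while some reports were never signed. The following added example (not part of htf or its documentation) audits a folder for such gaps before it is archived. It checks only that the companion .sig files are present; checksignatures remains the tool that verifies them. The function names and the mapping of report types to file extensions are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Assumption: htf's built-in reports are recognised here by file extension.
REPORT_SUFFIXES = {".html", ".xml", ".json"}
SIG_SUFFIX = ".sig"  # per the page: signature file = report name plus ".sig"


def audit_reports(folder, env=None):
    """Find evidence gaps before reports are archived (hypothetical helper)."""
    env = os.environ if env is None else env
    root = Path(folder)
    files = {p for p in root.rglob("*") if p.is_file()}
    rel = lambda paths: sorted(p.relative_to(root).as_posix() for p in paths)
    reports = {p for p in files if p.suffix.lower() in REPORT_SUFFIXES}
    sigs = {p for p in files if p.name.endswith(SIG_SUFFIX) and p.name != SIG_SUFFIX}
    return {
        # Signing is switched off when HTF_SIGN_REPORTS is "0".
        "signing_disabled": env.get("HTF_SIGN_REPORTS") == "0",
        # Reports with no companion <name>.sig file.
        "unsigned": rel(p for p in reports
                        if p.with_name(p.name + SIG_SUFFIX) not in sigs),
        # Signature files whose report was moved, renamed or deleted.
        "orphaned": rel(s for s in sigs
                        if s.with_name(s.name[:-len(SIG_SUFFIX)]) not in files),
        # Zero-byte signature files cannot hold a signature.
        "empty": rel(s for s in sigs if s.stat().st_size == 0),
    }


def is_complete(findings):
    """True only when nothing was flagged."""
    return not any(findings.values())


def demo():
    """Run the audit over a constructed sample folder (not real htf output)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in {"a.html": b"<html>", "a.html.sig": b"\x01",
                           "b.json": b"{}", "junit.xml": b"<x/>",
                           "junit.xml.sig": b"", "old.html.sig": b"\x02"}.items():
            (root / name).write_bytes(data)
        return audit_reports(root, env={"HTF_SIGN_REPORTS": "0"})


if __name__ == "__main__":
    print(demo())
```

Run audit_reports on the report folder in the same job that produced it, and run checksignatures on the folder afterwards to verify the signatures themselves.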