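# Captured validator run. The transcript text is preserved verbatim in the
# comments below; only the Ruby test body has been restored to one statement
# per line, because the capture had collapsed it onto a single line and the
# inline `#` comments then swallowed the code that followed them.
#
# Invocation:
#   $ docker run --rm --name validator-libsodium-usage-ruby-rbnacl-hmac-sha256-auth-batch12-2732 -t --mount type=bind,src=/tmp/validator-status-libsodium-usage-ruby-rbnacl-hmac-sha256-auth-batch12,dst=/validator/status validator-libsodium-shared bash -lc 'set -euo pipefail /validator/tests/_shared/install_override_debs.sh exec /validator/tests/_shared/run_library_tests.sh "$@"' validator-testcase libsodium usage-ruby-rbnacl-hmac-sha256-auth-batch12 -- bash -c 'PS4=$1; shift; set -x; source "$@"' validator-xtrace '__VALIDATOR_XTRACE__ ' /validator/tests/libsodium/tests/cases/usage/usage-ruby-rbnacl-hmac-sha256-auth-batch12.sh
#
# Log line emitted before the test body:
#   no override packages found; continuing with apt originals
#
# NOTE(review): the capture does not show how RbNaCl is loaded, and the script
# text ends with a closing single quote in the transcript, so it was presumably
# passed to the interpreter as a quoted shell argument -- confirm against the
# .sh test case.

# Reports whether +authenticator+ refuses +tag+ for +message+.
#
# Returns true when verify raises RbNaCl::BadAuthenticatorError and false when
# verify returns normally. Any other exception propagates to the caller, as it
# did in the original inline begin/rescue blocks.
def rejects?(authenticator, tag, message)
  authenticator.verify(tag, message)
  false
rescue RbNaCl::BadAuthenticatorError
  true
end

# Fixed 32-byte key made of one repeated byte. This is a test fixture that
# keeps the printed tag reproducible; it is not a pattern for real keys, which
# should come from a CSPRNG (for example RbNaCl::Random.random_bytes).
key = ("\x44".b * 32)
message = "validator hmac-sha256 payload"

auth = RbNaCl::HMAC::SHA256.new(key)
tag = auth.auth(message)
raise "unexpected tag length: #{tag.bytesize}" unless tag.bytesize == 32

# Matching tag must verify (no exception).
auth.verify(tag, message)

# A tampered tag must be rejected. Flipping the lowest bit of the first byte
# keeps the length at 32, so the failure is an authenticator mismatch.
tampered = tag.dup
tampered.setbyte(0, tampered.getbyte(0) ^ 0x01)
raise "tampered tag accepted" unless rejects?(auth, tampered, message)

# A tampered message must be rejected under the genuine tag and key.
# NOTE(review): this check was not part of the captured script. It is added
# because the original covered only a modified tag and a wrong key, leaving
# message integrity -- the property a MAC exists to provide -- unasserted.
altered_message = "#{message}!"
raise "tampered message accepted" unless rejects?(auth, tag, altered_message)

# A wrong key must also reject the original tag.
wrong = RbNaCl::HMAC::SHA256.new(("\x45".b * 32))
raise "wrong key accepted tag" unless rejects?(wrong, tag, message)

# Determinism: same input under same key reproduces tag.
# String#== is not a constant-time comparison. That is acceptable here because
# both tags are computed locally under the fixed test key; code that checks a
# tag received from another party should call verify instead.
again = RbNaCl::HMAC::SHA256.new(key).auth(message)
raise "non-deterministic hmac" unless again == tag

# Emit the tag as lowercase hex for the harness to record.
puts tag.unpack1("H*")

# Output recorded in the captured run:
#   d860f0aafe335a13c814d82e8eb5e289147f989341fa0715c1936e5e78e8d211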