From: Fabian Stelzer <fs@xxxxxxxxxxxx>
for ssh the key can be a filename/path or even a literal ssh pubkey
in push certs and textual output we prefer the ssh fingerprint instead
Signed-off-by: Fabian Stelzer <fs@xxxxxxxxxxxx>
---
gpg-interface.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
gpg-interface.h | 7 +++++++
send-pack.c | 8 ++++----
3 files changed, 58 insertions(+), 4 deletions(-)
diff --git a/gpg-interface.c b/gpg-interface.c
index fa32a57d372..328af86c272 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -467,6 +467,42 @@ int git_gpg_config(const char *var, const char *value, void *cb)
return 0;
}
+static char *get_ssh_key_fingerprint(const char *signing_key) {
+ struct child_process ssh_keygen = CHILD_PROCESS_INIT;
+ int ret = -1;
+ struct strbuf fingerprint_stdout = STRBUF_INIT;
+ struct strbuf **fingerprint;
+
+ /*
+ * With SSH Signing this can contain a filename or a public key
+ * For textual representation we usually want a fingerprint
+ */
+ if (istarts_with(signing_key, "ssh-")) {
+ strvec_pushl(&ssh_keygen.args, "ssh-keygen",
+ "-lf", "-",
+ NULL);
+ ret = pipe_command(&ssh_keygen, signing_key, strlen(signing_key),
+ &fingerprint_stdout, 0, NULL, 0);
+ } else {
+ strvec_pushl(&ssh_keygen.args, "ssh-keygen",
+ "-lf", configured_signing_key,
+ NULL);
+ ret = pipe_command(&ssh_keygen, NULL, 0, &fingerprint_stdout, 0,
+ NULL, 0);
+ }
+
+ if (!!ret)
+ die_errno(_("failed to get the ssh fingerprint for key '%s'"),
+ signing_key);
+
+ fingerprint = strbuf_split_max(&fingerprint_stdout, ' ', 3);
+ if (!fingerprint[1])
+ die_errno(_("failed to get the ssh fingerprint for key '%s'"),
+ signing_key);
+
+ return strbuf_detach(fingerprint[1], NULL);
+}
+
/* Returns the first public key from an ssh-agent to use for signing */
static char *get_default_ssh_signing_key(void) {
struct child_process ssh_add = CHILD_PROCESS_INIT;
@@ -484,6 +520,17 @@ static char *get_default_ssh_signing_key(void) {
return "";
}
+
+/* Returns a textual but unique representation ot the signing key */
+const char *get_signing_key_id(void) {
+ if (!strcmp(use_format->name, "ssh")) {
+ return get_ssh_key_fingerprint(get_signing_key());
+ } else {
+ /* GPG/GPGSM only store a key id on this variable */
+ return get_signing_key();
+ }
+}
+
const char *get_signing_key(void)
{
if (configured_signing_key)
diff --git a/gpg-interface.h b/gpg-interface.h
index 5dfd92b81f6..1e842188c26 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -64,6 +64,13 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature,
int git_gpg_config(const char *, const char *, void *);
void set_signing_key(const char *);
const char *get_signing_key(void);
+
+/*
+ * Returns a textual unique representation of the signing key in use
+ * Either a GPG KeyID or a SSH Key Fingerprint
+ */
+const char *get_signing_key_id(void);
+
const char *get_ssh_allowed_signers(void);
int check_signature(const char *payload, size_t plen,
const char *signature, size_t slen,
diff --git a/send-pack.c b/send-pack.c
index 9cb9f716509..191fc6da544 100644
--- a/send-pack.c
+++ b/send-pack.c
@@ -341,13 +341,13 @@ static int generate_push_cert(struct strbuf *req_buf,
{
const struct ref *ref;
struct string_list_item *item;
- char *signing_key = xstrdup(get_signing_key());
+ char *signing_key_id = xstrdup(get_signing_key_id());
const char *cp, *np;
struct strbuf cert = STRBUF_INIT;
int update_seen = 0;
strbuf_addstr(&cert, "certificate version 0.1\n");
- strbuf_addf(&cert, "pusher %s ", signing_key);
+ strbuf_addf(&cert, "pusher %s ", signing_key_id);
datestamp(&cert);
strbuf_addch(&cert, '\n');
if (args->url && *args->url) {
@@ -374,7 +374,7 @@ static int generate_push_cert(struct strbuf *req_buf,
if (!update_seen)
goto free_return;
- if (sign_buffer(&cert, &cert, signing_key))
+ if (sign_buffer(&cert, &cert, get_signing_key()))
die(_("failed to sign the push certificate"));
packet_buf_write(req_buf, "push-cert%c%s", 0, cap_string);
@@ -386,7 +386,7 @@ static int generate_push_cert(struct strbuf *req_buf,
packet_buf_write(req_buf, "push-cert-end\n");
free_return:
- free(signing_key);
+ free(signing_key_id);
strbuf_release(&cert);
return update_seen;
}
--
gitgitgadget
