On 29.07.21 11:48, Fabian Stelzer wrote:
On 29.07.21 01:04, Jonathan Tan wrote:
to verify a ssh signature we first call ssh-keygen -Y find-principal to
look up the signing principal by their public key from the
allowedSignersFile. If the key is found then we do a verify. Otherwise
we only validate the signature but can not verify the signers identity.
Is this the same behavior as GPG signing in Git?
Not quite. GPG requires every signers public key to be in the keyring.
But even then, the "UNDEFINED" Trust level is enough to be valid for
commits (but not for merges).
For SSH i did set the unknown keys to UNDEFINED as well and they will
show up as valid but not have a principal to identify them.
This way a project can decide wether to accept unknown keys by setting
the gpg.mintrustlevel. So the default behaviour is different.
The alternative would be to treat unknown keys always as invalid.
I thought a bit more about this and my approach is indeed problematic
especially when a repo has both gpg and ssh signatures. The trust level
setting can then not behave differently for both.
My intention of still showing valid but unknown signatures in the log as
ok (but unknown) was to encourage users to always sign their work even
if they are not (yet) trusted in the allowedSignersFile.
I think the way forward should be to treat unknown singing keys as not
verified like gpg does.
If a ssh key is verified and in the allowedSignersFile i would still set
its trust level to "FULLY".