Re: [PATCH v6 5/9] ssh signing: parse ssh-keygen output and verify signatures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 03.08.21 09:43, Fabian Stelzer wrote:


On 29.07.21 15:52, Fabian Stelzer wrote:
On 29.07.21 11:48, Fabian Stelzer wrote:
On 29.07.21 01:04, Jonathan Tan wrote:
to verify a ssh signature we first call ssh-keygen -Y find-principal to
look up the signing principal by their public key from the
allowedSignersFile. If the key is found then we do a verify. Otherwise
we only validate the signature but can not verify the signers identity.

Is this the same behavior as GPG signing in Git?

Not quite. GPG requires every signers public key to be in the keyring. But even then, the "UNDEFINED" Trust level is enough to be valid for commits (but not for merges). For SSH i did set the unknown keys to UNDEFINED as well and they will show up as valid but not have a principal to identify them. This way a project can decide wether to accept unknown keys by setting the gpg.mintrustlevel. So the default behaviour is different.
The alternative would be to treat unknown keys always as invalid.


I thought a bit more about this and my approach is indeed problematic especially when a repo has both gpg and ssh signatures. The trust level setting can then not behave differently for both.

My intention of still showing valid but unknown signatures in the log as ok (but unknown) was to encourage users to always sign their work even if they are not (yet) trusted in the allowedSignersFile.

I think the way forward should be to treat unknown singing keys as not verified like gpg does.

If a ssh key is verified and in the allowedSignersFile i would still set its trust level to "FULLY".

i dug a bit deeper into the gpg code/tests and it actually already behaves the same. untrusted signatures still return successfull on a verify-commit/tag even if the key is completely untrusted. my patch does the same thing for ssh signatures. i'll send a new revision later today with all the other fixes.

oh boy... sorry for all the emails. the gpg stuff can be really confusing. especially since there's different meanings of "untrusted", "unknown" and "undefined" depending on which docs/codebase you look into. Especially "untrusted" is not really a gpg term but used in the codebase in tests like 'verify-commit exits success on untrusted signature' which tests for a key already in the keyring but not with any specified trust level. I could not actually find any gpg test for a signature that is completely unknown. (i will add one)

GPG does a successful verify-commit/tag on keys that are "known". Meaning that to be marked as good signatures all you need is to have the public key in your keyring. This key can still have an unknown/undefined trust level (meaning its in the keyring but no decision on trust has been made). A key thats not in the keyring has no trustlevel or anything but fails hard with "no public key".

SSH signing does not really make this distinction. A key is either in the allowedSigners file (and therefore trusted), completely unknown, or revoked via the revokedSigners file. To make this behave like gpg does i will make verification fail on completely unknown keys. There is no use of the undefined trust level for ssh then and i will set keys in the allowedSigners file to fully trusted so they will be accepted for merges as well. I don't see any way to have keys that are valid for commits but not merge with ssh then but that should be the only difference to gpg.



[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux