On 03.08.21 09:43, Fabian Stelzer wrote:
On 29.07.21 15:52, Fabian Stelzer wrote:
On 29.07.21 11:48, Fabian Stelzer wrote:
On 29.07.21 01:04, Jonathan Tan wrote:
to verify a ssh signature we first call ssh-keygen -Y
find-principal to
look up the signing principal by their public key from the
allowedSignersFile. If the key is found then we do a verify. Otherwise
we only validate the signature but can not verify the signers
identity.
Is this the same behavior as GPG signing in Git?
Not quite. GPG requires every signers public key to be in the
keyring. But even then, the "UNDEFINED" Trust level is enough to be
valid for commits (but not for merges).
For SSH i did set the unknown keys to UNDEFINED as well and they will
show up as valid but not have a principal to identify them.
This way a project can decide wether to accept unknown keys by
setting the gpg.mintrustlevel. So the default behaviour is different.
The alternative would be to treat unknown keys always as invalid.
I thought a bit more about this and my approach is indeed problematic
especially when a repo has both gpg and ssh signatures. The trust
level setting can then not behave differently for both.
My intention of still showing valid but unknown signatures in the log
as ok (but unknown) was to encourage users to always sign their work
even if they are not (yet) trusted in the allowedSignersFile.
I think the way forward should be to treat unknown singing keys as not
verified like gpg does.
If a ssh key is verified and in the allowedSignersFile i would still
set its trust level to "FULLY".
i dug a bit deeper into the gpg code/tests and it actually already
behaves the same. untrusted signatures still return successfull on a
verify-commit/tag even if the key is completely untrusted. my patch does
the same thing for ssh signatures. i'll send a new revision later today
with all the other fixes.
oh boy... sorry for all the emails. the gpg stuff can be really
confusing. especially since there's different meanings of "untrusted",
"unknown" and "undefined" depending on which docs/codebase you look
into. Especially "untrusted" is not really a gpg term but used in the
codebase in tests like 'verify-commit exits success on untrusted
signature' which tests for a key already in the keyring but not with any
specified trust level. I could not actually find any gpg test for a
signature that is completely unknown. (i will add one)
GPG does a successful verify-commit/tag on keys that are "known".
Meaning that to be marked as good signatures all you need is to have the
public key in your keyring. This key can still have an unknown/undefined
trust level (meaning its in the keyring but no decision on trust has
been made). A key thats not in the keyring has no trustlevel or anything
but fails hard with "no public key".
SSH signing does not really make this distinction. A key is either in
the allowedSigners file (and therefore trusted), completely unknown, or
revoked via the revokedSigners file.
To make this behave like gpg does i will make verification fail on
completely unknown keys. There is no use of the undefined trust level
for ssh then and i will set keys in the allowedSigners file to fully
trusted so they will be accepted for merges as well. I don't see any way
to have keys that are valid for commits but not merge with ssh then but
that should be the only difference to gpg.
