Re: [PATCH v7 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen

On 07.09.21 19:35, Junio C Hamano wrote:

> Fabian Stelzer <fs@xxxxxxxxxxxx> writes:
>
>> I have this prepared but not ready for submission. I wanted to wait
>> until openssh 8.7 is released (which happened recently) to make sure
>> their api for this newly added feature does not change.
>> I will be on vacation for the next 2 weeks but can submit it afterwards.
>> I have a few additional features in mind but wanted to wait for the
>> basic functionality to settle before piling stuff on top.
> Reasonable.
>
> In the meantime, people seem to be finding issues with OpenSSH 8.7's
> keygen, so before doing any *new* things, we'd like to see an update
> to make the stuff already posted and reviewed to work with the newer
> OpenSSH.  Hoping that the fix for the incompatibility with 8.7 is
> small enough, I am planning to keep the version we already have in
> our tree (in 'next' but not in 'master'), so that an incremental
> patch will be able to highlight what the differences are when the
> bug is fixed.

It is not so much an incompatibility but a hard bug in ssh-keygen of my
own making :/
There is nothing we can do on the git side to fix this since the
find-principal call will always segfault no matter what.
I added an optional parameter some time ago for printing the public key
on verify to make "trust on first use" easier when we get to it.
Unfortunately this bug made it into 8.7 but is already fixed in master.
Thanks to Carlo for spotting it and sending a patch.
I guess I owe openssh writing a test for it since the command seems to
not have any at all.

I'm not sure how git wants to handle this since I don't know when a
fixed openssh release will be available and we certainly shouldn't
include the signing feature in a release until they do.
I can't really find a way of detecting the broken version since there's
no version or anything else I could find in the ssh-keygen tool.

I will continue writing some tests for the verify-time/key validity
feature. The tests will need some version/feature detection from
ssh-keygen as well so maybe I will still stumble on something that
allows us to detect and warn on this.
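As an added example (not code from this thread or from git's own test suite), a POSIX shell probe of the kind the message is looking for: since ssh-keygen reports no version, it exercises the actual commands with a throwaway key and reports whether "-Y sign", "-Y find-principals" and "-Y verify" each work. The principal name "probe@example" and the namespace "git" are assumptions.

```shell
#!/bin/sh
# Probe the local ssh-keygen for the features SSH commit signing relies on.
# Exit status of probe_ssh_signing:
#   0  sign, find-principals and verify all work
#   1  ssh-keygen missing or without "-Y sign" support
#   2  "-Y find-principals" fails (the failure mode discussed in the thread)
#   3  "-Y verify" rejects a signature that was just produced
probe_ssh_signing() {
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    tmp=$(mktemp -d) || return 1
    # Throwaway ed25519 key pair, no passphrase (constructed for the probe only).
    if ! ssh-keygen -q -t ed25519 -N '' -C probe@example -f "$tmp/key" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1
    fi
    printf 'probe message\n' >"$tmp/msg"
    # allowed_signers line: principal, then key type and base64 key.
    # The principal "probe@example" and the namespace "git" are assumptions.
    printf 'probe@example %s\n' "$(cut -d' ' -f1,2 "$tmp/key.pub")" >"$tmp/allowed"
    rc=0
    if ! ssh-keygen -Y sign -n git -f "$tmp/key" "$tmp/msg" >/dev/null 2>&1; then
        rc=1
    elif ! ssh-keygen -Y find-principals -s "$tmp/msg.sig" -f "$tmp/allowed" >/dev/null 2>&1; then
        rc=2
    elif ! ssh-keygen -Y verify -f "$tmp/allowed" -I probe@example -n git \
            -s "$tmp/msg.sig" <"$tmp/msg" >/dev/null 2>&1; then
        rc=3
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: print a human-readable verdict.
rc=0
probe_ssh_signing || rc=$?
case $rc in
    0) echo "ssh-keygen: SSH signing usable" ;;
    1) echo "ssh-keygen: no signing support, skip SSH signing" ;;
    2) echo "ssh-keygen: find-principals fails, do not enable SSH signing" ;;
    3) echo "ssh-keygen: verify rejected a fresh signature" ;;
esac
```

A test suite can wrap this in a prerequisite check so that signing tests are skipped, rather than failing, on an ssh-keygen whose find-principals command does not work.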