On 28.09.21 02:52, Junio C Hamano wrote:
> * fs/ssh-signing (2021-09-10) 9 commits
>  - ssh signing: test that gpg fails for unknown keys
>  - ssh signing: tests for logs, tags & push certs
>  - ssh signing: duplicate t7510 tests for commits
>  - ssh signing: verify signatures using ssh-keygen
>  - ssh signing: provide a textual signing_key_id
>  - ssh signing: retrieve a default key from ssh-agent
>  - ssh signing: add ssh key format and signing code
>  - ssh signing: add test prereqs
>  - ssh signing: preliminary refactoring and clean-up
>
>  Use ssh public crypto for object and push-cert signing.
>
>  On hold.
>  cf. <pull.1041.v8.git.git.1631304462.gitgitgadget@xxxxxxxxx>
>  cf. <532d97e7-8c91-df6a-6d90-70668256f513@xxxxxxxxxxxx>
>

OpenSSH 8.8 was released a few days ago and includes the needed fix for the find-principal segfault. I ran the full git test suite against it without issues.

Also, we (~30 developers) have been running this patch with openssh-portable (2d678c5e3bdc2f5c99f7af5122e9d054925d560d / post 8.7 - pre 8.8) in our organization for the last 2 weeks without problems.

The only issues we saw with our users are related to some misleading OpenSSH error messages. For example, if you configure a public key and the private key is not available via the ssh-agent, the error message is: "invalid format". Or if the public key contains a typo (forgot a char in copy&paste), it will error with "no such file or directory". I will need to dig a bit deeper into OpenSSH to see if we can make these more specific without breaking any compatibility. Both errors originate from some lower-level lib functions which I don't want to change.

But overall I think this is ready for some broader usage/testing via next. I'd suggest sending the additional patches for valid-before/after functionality in a new patchset for review afterwards.

Best regards,
Fabian